Does Your Wallet Need a Tinfoil Hat?
Recently, a friend forwarded to me a Houston TV station’s story about “electronic pickpocketing.” In it, reporters say they watched a security expert steal credit card numbers from 39 victims in less than 15 minutes, simply by walking past them. But is this a real problem? Read on...
Is Electronic Pickpocketing a Big Problem?
In the TV story, Chris Gilpin of the National Crime Stop Program explained to Local 2’s reporters that contactless “chipped cards” used to pay for things by simply waving the card near a reader can actually be read up to 25 feet away.
He claims that electronic pickpocketers can buy card readers for “under $100” and soup them up to communicate with chipped cards at such distances. Gilpin says there are 250 million chipped cards in the U. S., and they’re all at risk.
To protect your cards from “wallet hackers” you can buy the $15 “Signal Vault,” which looks much like a credit card and fits in a card’s slot in your wallet. Local 2 provides no details on how it works. It just so happens the Signal Vault is sold by Gilpin’s company. Alternatively, the ingenious TV journalists add, you can use an aluminum wallet or “simply wrap your credit cards in aluminum foil.”
Stories like this one make me weep for the state of journalism. This story was first done by Memphis TV station, WREG, in December 2010, and by several other gullible outlets since. It’s old news about technology that isn’t used in chipped cards anymore. The credulity of these reporters and producers must be willful; nobody could be this dumb naturally. Let’s look at what Local 2 overlooked:
The numbers that Local 2’s reporters saw may or may not have been actual credit card numbers. Only the last four digits are actually shown on the computer screen attached to Gilpin's scanner. The reporters didn’t ask anyone, “Excuse me, is this your credit card number?” Nor did they volunteer to have it tested on their own wallets.
Old Technology, Old News
Radio-frequency ID (RFID) chips can, indeed, be read over distances of several feet. This capability is useful in inventory control, package handling, shoplifting prevention, passport screening, and similar applications. It’s not desirable in a payment card for the very reasons highlighted by Mr. Gilpin. And that's why this technology is being (or has already been) phased out.
A Snopes article on contactless cards that have embedded RFID chips says: "The data streams emitted by contactless cards don't include such information as PINs and CVV (Card Verification Value) security codes — or, in newer cards, customer names — and without those pieces of information a card skimmer should not be able to utilize the stolen card numbers to print up counterfeit cards or engage in Card Not Present (CNP) transactions." And further, "Although RFID-enabled cards may have originally transmitted their information in plain text, newer contactless cards are adding encryption to the data streams and thus cannot be read directly by ordinary card readers. Card skimming generally works when the victim is carrying only a single contactless card; otherwise, the transmissions from multiple cards can create a jumbled, unintelligible stream."
So even if you have one of those older RFID-based cards, the information gleaned by a card-skimming, electronic pickpocketing hacker would not contain your name, address, PIN number or security (CVV) code. And without those bits, the credit card number is little more than a string of 16 digits.
And finally, “National Crime Stop” is an awkward name for a company. I wouldn’t choose it unless I wanted to be confused with “Crimestoppers,” a respected national brand. A bit of Googling shows that the National Crime Stop Program is a 4-person firm in South Florida that runs identity theft seminars, and sells the Signal Vault. Staff members are said to have taken various trainings, but specifics are vague. Their website has not been updated in over two years. I'm not trying to discredit these guys. But I am dismayed that so many journalists have so little inclination to do even a smidgen of their own research, or even ask intelligent questions.
What About the New EMV Cards?
Modern chipped cards (also called EMV cards) and their readers adhere to one of two global standards. The most widely used standard, ISO/IEC 14443, limits the radio communication range to 10 cm – about 4 inches. The alternate standard, ISO/IEC 15693, specifies a range of up to 50 cm – 1.6 feet.
It’s possible to build a “souped up” transceiver that could read these very short-range cards at up to 25 feet, but it would be about the size of a suitcase.
And even if a “wallet surfer” could read a chipped card, the information he gleaned would be of no use to him. The number transmitted by a chipped card is not the actual account number embossed on the card’s face. It’s a dummy number that is accepted by a payment processor only after an encrypted verification transaction is completed. No PIN or CVV numbers are transmitted.
The newest cards don’t even transmit the cardholder’s name. So forget about cloning physical cards or conducting “card not present” online transactions using data stolen by “wallet hacking.”
If you are concerned about “wallet hacking,” contact your card issuer(s) and make sure you have the latest, greatest security features in your card(s). Order new cards if necessary.
Or you can buy 2-inch wide aluminum duct tape for about $4 at Home Depot. Leave the paper backing on and slip a piece into each of the card slots in your regular wallet. Oh, and don't forget to wear your tinfoil hat when you leave home. Evil hackers may be trying to read your thoughts.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 15 May 2015
|For Fun: Buy Bob a Snickers.|
What is Tesla Powerwall?
The Top Twenty
A Secret Radio Inside Your Phone?
There's more reader feedback... See all 37 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Does Your Wallet Need a Tinfoil Hat? (Posted: 15 May 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved