This post comes from Matt Brownell at partner site Credit.com.
A researcher recently demonstrated an Android phone app that reportedly can steal credit card data through your pocket. So you might be wondering if you need to take steps to defend yourself.
One of the easiest ways for identity thieves to get hold of your credit card information is a process known as skimming: An unscrupulous waiter or cashier takes your card for payment, then secretly swipes it in a small card skimmer device designed to store credit card numbers. The data is subsequently imprinted on a “cloned” card that can be used to make purchases until you discover the fraud.
But as more people use contactless cards — those that allow you to simply wave or tap your card at a special terminal instead of swiping — it raises the possibility that such thieves could now steal your credit card data without the card ever leaving the wallet. Could thieves commit identity theft by simply waving a device near your pocket?
“They’d have to be within 4 centimeters of your card, so if it’s a woman with her card in her purse, they’re not going to be able to do it,” says Chester Wisniewski, a security researcher with Sophos. “But if it’s a man with a wallet and I bump your bum with a (device), I’d be able to pick it up.”
He points to a number of situations where this would be possible — standing in an elevator, for instance, or on a crowded train car. The data pulled from the card’s radio frequency identification (RFID) chip could then be used to clone a card for use at retail locations (though not on e-commerce sites, which require the CVV code from the back of the card).
The limiting factor, he says, is that devices capable of performing such contactless theft are rare on the black market compared with traditional pocket skimmers. But that could soon change, as millions of Americans already carry devices in their pockets capable of communicating with the contactless cards: smartphones.
A number of popular models of Android phones now come enabled with near field communication technology intended to allow for mobile payments with platforms like Google Wallet. But the technology intended to allow for mobile payments can also be turned — with quite a bit of tinkering — into a mobile card scanner. At the recent Defcon hacker conference, the researcher demonstrated the aforementioned Android app of his own devising that allowed him to snatch data from a contactless card using his Nexus S phone, and then use that card data to make a mobile payment with the phone.
Still, there are good reasons why consumers with contactless cards or mobile payment systems shouldn’t panic just yet. The first is that the methodology needed to turn a phone into an over-the-air card skimmer is still in the proof-of-concept stage.
The hack demonstrated at Defcon required a very specific version of the Android operating system that isn’t installed on new phones, and even then, it takes multiple tries to actually scan the card. As such, most thieves will opt for traditional pocket skimmers, which require them to temporarily take control of your card but “don’t require as much nerd skills,” says Wisniewski.
Meanwhile, card data loaded onto a mobile payment platform like Google Wallet is even more secure from such methods. As Wisniewski notes, unlike a contactless card, the payment data on your phone can’t be read without you entering a PIN code. As such, your main concern there is losing your phone without having a password lock and a strong PIN in place.
“The biggest risk is that consumers aren’t fully aware of the precautions associated with this technology and aren’t diligent about the general security of their phone,” says Kevin Mahaffey, the chief technology officer for mobile security firm Lookout. “This comes down to the normal things like PIN locking their phone.”
The main takeaway, then, is that you have more to fear from shady waiters who disappear with your card for five minutes than you do from hackers poking smartphones at your backside on the subway. Still, if you insist on owning a contactless card and are worried about getting the card data beamed out of your pocket, Mahaffey says there are wallets designed to block RFID transmission. Most are relatively inexpensive and are more or less indistinguishable from a normal wallet. A bit of metal is all it takes to disrupt the signal, so it’s not like you need to put your card in a lead case. Still, if you’d rather stick with your trusty leather wallet, it’s easy to come up with a cheap homebrew solution.
“The poor man’s method is a (foil) bubble gum wrapper,” says Wisniewski. “Any kind of metal will do.”
And if all else fails, you can take comfort in the fact that most credit cards offer zero liability for fraudulent charges, as long as you spot fraud in a timely manner. So don’t worry too much if you can’t find a bubble gum wrapper.