
Newer Credit Cards Are Less Secure

This article was written by in Credit. 12 comments.


Every Tuesday, Smithee presents an article about his own experiences with credit cards and observations about the credit card industry.

A few weeks ago I was the victim of debit card fraud. In my case the system worked very well. The bank’s automatic mechanisms noticed a few big-ticket items being purchased in Chicago, which is quite far from where I live. The first one went through, the second one was held up and I started getting calls from the bank’s fraud detection department.

So, that card number had to be canceled and I got a replacement with a new number within a few days. The money was also refunded, but the surprise came when I noticed the new card had that little “PayPass” logo on it. You know, the thing that’s supposed to let you tap the card against a reader instead of sliding it through the reader? (Think of the time saved!) The old one didn’t have PayPass on it, and I was ambivalent about the technology, having read reports about how it’s not all that much faster.

The bigger problem is that it uses RFID, which is not exactly ready for prime time. To make a long story short, people can easily, and cheaply, extract the data from your card without you knowing. Here’s a video with a demonstration:

Interesting side note: Mythbusters was going to do a show about this, before the idea was quashed.

Published or updated December 30, 2008.

About the author

Smithee formerly lived primarily on credit cards and the good will of his friends. He is a newbie to personal finance but quickly learning from his past mistakes. You can follow him on Twitter, where his user name is @SmitheeConsumer.

6 comments

Writer's Coin

I read about the whole Mythbusters fiasco but in the end, my conclusion was that RFID is just as easy to hack into as any other method. Someone can always look over your shoulder and memorize your card, hack into a database, etc. Either way, it’s how the provider handles it that matters.

I’ve had a couple of incidents and my bank has given me very little grief about it, which I’m happy about. knock on wood

Smithee

@Writer’s Coin: I think I agree with the spirit of your comment, which is that the best advice continues to be “keep a close eye on your statements”, but it seems to me that someone who bumps into me and takes my account details with an $8 device is a larger risk than someone else hacking into a database. That takes some skill, and databases are protected by heavily-fortified networks (or they should be, anyway).

And someone looking over my shoulder is easily combated.

Rob

I would refuse any replacement credit cards that use RFID, at least until / if some bulletproof security measures are put into place. If that means that my list of available banks / cards shrinks, so be it. If enough people follow suit, then banks will change their path, and start offering non-RFID containing cards as an option, at least.

Itch

My biggest problem w/ RFID credit cards is it’s passive. You don’t have to physically do anything for it to be activated. When it comes to money, I’d like at least one physical action as part of the transaction. Makes me sound technophobic I’m sure, but I’ve conceptualized how hard that would be before. Aren’t gangs in Japan doing something similar already?

But yeah, I got suckered w/ a “want Generation 2 of your card?” Generation 2 of Citi’s Cash back card showed up with RFID. I went back and looked over the information, and didn’t see RFID mentioned. So not thinking it was a big deal, I tried to get a card w/ the same plan but no RFID. Not a single person I talked to could grasp why I’d want such a thing. Nor is there a way to turn it off on their side.

Worse yet was the fact I’d have to go back to my old “plan” if I wanted a card w/o RFID. Jumping around like that would be _great_ on my credit score I’m sure.

So I went shopping.

http://www.difrwear.com/

Forget where I heard of them, but it works well. It shields both my company badge and my credit card. The wallet is nice enough. Kinda hard to get your drivers license out of the sleeve, but otherwise does what it needs. And no noticeable weight.

David C

You can always ask the credit card company to send a new card without an RFID tag (well, at least for now). My first Chase Freedom card has a tag in it, so I just emailed Chase for a tag free card that arrived in a week.

Tom

Regarding RFID:

Preventing accidental readings — if you put the device in a metal lined container (e.g., put tinfoil in the back of your billfold if you don’t go to http://www.difrwear.com/ like Itch above) then nothing, no matter how sensitive, will read the RFID.

Screwing with those attempting readings — keep the card with other devices that have RFID (front door fob, work security pass, bus pass in my case)

Preventing any readings — the chip is actually quite fragile … take a pointed object (kitchen knife will do if you don’t have a centre punch) and a blunt object (hammer or shoe) and punch a hole in it. You can test success by attempting to pay with it.

Personally, I use it and like it. The device is convenient, I have no misreading/reswipe issues. And the bank guarantees against fraudulent use — I maintain the only decent defence against fraud remains following up on statements.

Cheer
