Scanners May 'Pickpocket' Cards
A new type of cybercrime could be aimed at credit-card holders, but officials say proving it is next to impossible.
What has some people concerned is the addition of radio-frequency identification technology microchips to a growing number of consumer credit cards. The technology, known as RFID, is widely used in security badges and toll-pay systems.
Marketed as a time-saver, the radio chips allow users to tap or wave their cards in front of scanners to pay for gas or buy a cup of coffee without having to swipe the card or hand it to a cashier. Experts say more than 100 million RFID-enabled cards are in use in the United States.However, security expert Walt Augustinowicz says that that convenience comes at the price of making electronic pickpocketing possible. Augustinowicz said scammers can buy portable RFID readers and a battery pack for less than $100 on the Internet and then connect them to a laptop. The reader can pick up the information being broadcast from the cards, such as account numbers and expiration dates, from several inches away.
The thieves then move through crowded locations, lifting unsuspecting victims' credit-card information out of their wallets and purses without having to lay a finger on them.
But is it happening? The U.S. Secret Service, which handles financial-access-device fraud, has no open investigations of electronic pickpocketing and does not know of any, said national spokesman Robert Novy. Federal Bureau of Investigation agents in Columbus and Cincinnati said they know of no cases in Ohio.
Augustinowicz said he thinks the thefts are taking place under the radar of law enforcement because it would be impossible to prove that's how the criminals got the numbers without catching them in the act. A video of Augustinowicz demonstrating how the theft works went viral, garnering millions of hits on a television news site.
Westerville Police detective Ted Smith called the video alarming. Smith, who specializes in fraud and counterfeit-check cases, said it is an example of criminals' abusing new technology faster than law enforcement can catch up.
Although he doesn't know of any cases where it has been proved that information was stolen by a remote card reader, Smith has had plenty of cases where the victims still have their cards but don't know how their information was stolen.
"Looking back, now I have to wonder if this is how it was done," he said. "It opens a whole new can of worms."
Not everyone is convinced. Jay Foley, executive director of the nonprofit Identity Theft Resource Center in San Diego, said there has never been any evidence that crooks are using the scanners.
He's also concerned that an outspoken critic of the technology is marketing products designed to protect consumers from electronic snooping. Augustinowicz owns a company that produces secure credit-card sleeves and shielded wallets that prevent electronic theft.
"I have a problem with anyone ringing the alarm bell with one hand while selling a product with the other," Foley said. "I don't particularly like people using identity theft to terrorize people into buying things."
He said consumers are better served by scrutinizing their bank and credit-card statements each month, keeping a tight rein on who has access to their card and checking their credit reports annually.
If people are worried, they can ask their credit-card company to give them non-RFID cards, or wrap their cards in aluminum foil, Foley said. It shields cards as well as a protective sleeve.
Credit-card companies also have questioned the ability of thieves to use data gained through electronic pickpocketing. MasterCard said in a statement that its RFID-enabled cards have additional safety features, such as randomly generated codes that accompany all wireless transactions. It also should not be possible for someone to purchase something off the Internet without either the cardholder's security code or address.
Representatives for VISA also said its cards have additional safety features to prevent this type of crime.
Both companies say their fraud-protection policies don't hold customers liable for fraudulent purchases.
But Augustinowicz said he's been able to take numbers off a card remotely and load the information onto the magnetic strip of a fake card. He then used the fake to make purchases at a store to prove his point.
He also has used lifted card numbers to buy products online and have them shipped to the address of a foreclosed home, he said.
"You can absolutely get around the safeguards," Augustinowicz said. "The risk is real."