The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Information on this website may not be current. This website may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites. Readers of this website should contact their attorney, accountant or credit counselor to obtain advice with respect to their particular situation. No reader, user, or browser of this site should act or not act on the basis of information on this site. Always seek personal legal, financial or credit advice for your relevant jurisdiction. Only your individual attorney or advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, contributors, contributing firms, or their respective employers.
Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them. Compensation is not a factor in the substantive evaluation of any product.
One of the easiest ways for identity thieves to get hold of your credit card info is a process known as skimming: an unscrupulous waiter or cashier takes your card for payment, then secretly swipes it in a small card skimmer device designed to store credit card numbers. The data is subsequently imprinted on a “cloned” card that can be used to make purchases until you discover the fraud.
But as more people use contactless cards — those that allow you to simply wave or tap your card at a special terminal instead of swiping — it raises the possibility that such thieves could now steal your credit card data without the card ever leaving the wallet. Could thieves commit identity theft by simply waving a device near your pocket?
[Credit Check Tool: Monitor your credit score and activity for free with Credit.com]
The limiting factor, he says, is that devices capable of performing such contactless theft are vanishingly rare on the black market compared to traditional pocket skimmers. But that could soon change, as millions of Americans already carry devices in their pockets capable of communicating with the contactless cards: smartphones.
A number of popular models of Android phones now come enabled with near-field communication (NFC) technology intended to allow for mobile payments with platforms like Google Wallet. But the technology intended to allow for mobile payments can also be turned — with quite a bit of tinkering — into a mobile card scanner. At last week’s Defcon hacker conference, the researcher demonstrated the aforementioned Android app of his own devising that allowed him to snatch data from a contactless card using his Nexus S phone, and then use that card data to make a mobile payment with the phone.
[Related Article: 8 Signs Your Identity Has Been Compromised]
Still, there are good reasons why consumers with contactless cards or mobile payment systems shouldn’t panic just yet. The first is that the methodology needed to turn a phone into an over-the-air card-skimmer is still in the proof-of-concept stage. The hack demonstrated at Defcon required a very specific version of the Android operating system that isn’t installed on new phones, and even then it takes multiple tries to actually scan the card. As such, most thieves will opt for traditional pocket skimmers, which require them to temporarily take control of your card but “don’t require as much nerd skills,” says Wisniewski.
Meanwhile, card data loaded onto a mobile payment platform like Google Wallet is even more secure from such methods, as Wisniewski notes that unlike a contactless card, the payment data on your phone can’t be read without you entering a PIN code. As such, your main concern there is losing your phone without having a password lock and a strong PIN in place.
“The biggest risk is that consumers aren’t fully aware of the precautions associated with this technology and aren’t diligent about the general security of their phone,” says Kevin Mahaffey, chief technology officer for mobile security firm Lookout. “This comes down to the normal things like PIN locking their phone.”
The main takeaway, then, is that you have more to fear from shady waiters who disappear with your card for five minutes than you do from hackers poking smartphones at your backside on the subway. Still, if you insist on owning a contactless card and are worried about getting the card data beamed out of your pocket, Mahaffey notes that there are wallets designed to block RFID transmission. Most are relatively inexpensive and are more or less indistinguishable from a normal wallet — a bit of metal is all it takes to disrupt the signal, so it’s not like you need to put your card in a lead case. Still, if you’d rather stick with your trusty leather wallet, it’s easy to come up with a cheap homebrew solution.
[Featured Products: Research and compare Identity theft protection plans at Credit.com]
“The poor man’s method is a [foil] bubble gum wrapper,” says Wisniewski. “Any kind of metal will do.”
And if all else fails, you can take comfort in the fact that most credit cards offer zero liability for fraudulent charges, as long as you spot fraud in a timely manner. So don’t worry too much if you can’t find a bubble gum wrapper.
Image: mcfarlandmo, via Flickr
October 19, 2023
Identity Theft and Scams
May 17, 2022
Identity Theft and Scams
May 20, 2021
Identity Theft and Scams