The idea of Credit Card fraud through the new generation of “contactless” cards isn’t new. It was even in a NCIS episode last year. Here’s a news story that was done on the problem. Chris Paget presented a talk at Shmoocon 2012 titled “Credit Card Fraud: The Contactless Generation.” The hook that got me into the talk was finding out if any of the common countermeasures are effective.
Credit Card companies are quietly deploying new cards that have a RFID chip to allow for contactless payment at terminals that can take such. When it is talked about, Credit Card companies present it as more secure and similar to the pin and chip system used in Europe. The issue is that it is actually less secure.
The card is ready to respond to any reader whether in the grocery store or while walking down the street. A bad guy could have a reader and “clone” your card with you being completely unaware. With previous card thefts, a bunch of people would have a fraudulent charge, and an investigator would notice that all of the cards were used at a specific company. It was easy to find a credit card skimmer installed at the location to collect card data. If the bad guy is collecting data from people who walk by on the street, a virtual pickpocket if you will, there isn’t a way to determine the malicious source.
We’ve all ordered items on line and had to provide the CVV number off the back of the credit card. The credit card actually has three CVV codes. One encoded in the magstripe, one you can read off the back and a variable number given when the contactless payment is used. If I made a contactless payment at the store, and the number were harvested they wouldn’t be able to reuse that CVV. The issue is that a bad guy with his own reader could ask my card multiple times for a CVV. He can then attempt as many transactions as he collected numbers. If I made a charge before the attacker attempted to use the stolen credentials, the other numbers are not valid. It is like trying to use the wrong securID token. You’ll get locked out.
While CVV offers some protection, the bad guy will likely be able to get single transactions performed against a wide number of victims. Many if not most people don’t monitor their credit cards activity so there is a likelihood of success.
So what can you do about it?
Accepting the risk is always one way to deal with it. American credit card laws make it pretty easy to dispute charges. If occurences are rare than this could be a rational choice.
Protective sleeves, tin foil, and passively shielded wallets have been a proposed solution. This is generally laughed at by anyone not going to Defcon because it seems like overkill or paranoia. Hopefully this report on Chris’ talk will convince you it isn’t paranoia. Unfortunately Chris’ research shows that a determined attacker most likely wouldn’t be working with a low powered receiver like you’d find in a store. Those are designed to read cards from two to four inches away. An attacker would be using a higher powered right from up to 25-30 feet away. He tested the various common shields and found them lacking. Some might be ok against specific wavelengths. But they sounded like a waste of time and money.
Chris’ company is working on GuardBunny, an active shield to protect against this sort of thing. Until then you can microwave your card to kill the RFID chip and still have it work with the traditional swipe method. 3 seconds kills the chip, 5 seconds sets it on fire. Given the wide range of Microwave power, I’d recommend not doing that.
I think for now, I’ll stick to aluminum foil when on trips to hacker cons, while their the card stays in the safe away from the convention floor.