I’ve been researching the issue of RFID skimming. However, I can’t find conclusive sources on the true risk of this issue. Is it possible to read RFID chips on credit cards? If so, what type of information can hackers obtain? And do they need a credit card terminal to process this information? I’ve looked at Web sites from companies selling products for protecting against skimming, but their information is biased because they’re trying to sell a product.
—Jordan, United States
———
Jordan,
To my knowledge, there has never been a case of credit card information being skimmed. Those who raise concerns about the security issues surrounding RFID rarely differentiate what is possible and what is likely. It is possible to read the data from a credit card using an RFID reader based on the same open standard as the transponder in the credit card. Some credit card companies only store a serial number on the transponder and link it to a credit card in a secure back-end system. Others store the same information on the tag that is on the card—namely, the credit card number, the holder’s name and the expiration date.
I believe the threat is very small today, because there is little to be gained by doing this. If you are a criminal armed with an interrogator and you continually brush against people to read their credit card data, you could be caught in the act. Hacking databases online or paying someone for a password, on the other hand, is less risky, because it is easier to hide direct involvement. What’s more, the financial benefit of skimming is miniscule compared to that of hacking a database.
Capturing data from an RFID credit card would allow someone to, say, make a purchase online. But when you reported the fraudulent transaction, you would not be liable for the expenditure, and if the person used their own shipping address, they could be easily found. Additionally, when an item is purchased online, retailers choose different levels of security. In some cases, if the card number doesn’t match the billing address on file, the transaction will not go through. Since the billing address is never stored on the RFID transponder, the criminal would not have this information. Credit card companies also use software systems to detect potentially fraudulent transactions, and will suspend your account if they detect unusual purchasing patterns.
The likelihood that criminals will build or purchase RFID readers and go around skimming data from cards seems very unlikely—at least today—because the payoff is so small. A criminal might spend an entire day to acquire 200 to 300 card numbers—but if a criminal gang were to pay someone working in the IT department at a large online retailer that stores card numbers, or a bank or other financial institution, for a password, it could obtain millions of card numbers. It could then manufacture bogus cards and sell them, or sell the numbers to others who would use them for criminal purposes.
Over time, as these cards proliferate, I would expect we will see some skimming cases, and credit card companies will respond with greater security measures. I hope that answers your question.
Yours,
Mark Roberti, Editor, RFID Journal