Did TV Station Air Made-Up Story on RFID Credit Card Theft?

A report by a Louisville, Ky., TV station claimed a man had his credit card stolen with an RFID reader, but the incident appears to be a fabrication.
Published: August 31, 2009

I received an e-mail with a link to an October 2008 report by Wave 3, a Louisville, Ky., TV station, in which a man claims to have had his credit card number stolen with an RFID reader. The story was posted this week by The Equifax Store (see Wave 3 Lousville Reports Rfid Hacking Victim). My correspondent wanted to know what I thought, since I’ve repeatedly criticized people for hyping the threat of having your information stolen this way. My response: I think the man fabricated the story and the TV reporter was duped.

In the report, Wave 3 describes “a new form of identity theft” called “radio frequency skimming.” The reporter says he talked to one man who claims he’s a victim of “this new rage.” By “new rage,” the reporter seems to be implying RFID identity theft or stealing credit card numbers with RFID readers. But there’s no documented case of someone having his credit card number stolen and used illegally. There are more reasons why the report is extremely fishy.

The report aired in October 2008, and the credit card was two years old. The first RFID-enabled credit cards started appearing in 2006, so very few people had them then. Moreover, the fact that the victim was identified only as “John” and does not appear clearly visible on camera even though he has no reason to hide his identity also makes this report very dubious.

The man featured in the segment says he was about to get onto a bus and take his seat when a young fellow bumped into him. The reporter says: “That little bump did not seem like a big deal at the time. The man who bumped into him on the bus was carrying a special device that electronically zapped the guy’s credit card information, and within hours, the thief went on a shopping spree.” The reporter says the thief ran up charges of more than $5,000 on a card that victim hadn’t taken out of his wallet in two years.

How many people would go home, check their credit card statement online and, seeing fraudulent transactions, say: “It must have been that guy who bumped into me. He probably had an RFID reader and skimmed the number off my card.” It seems highly unlikely that the victim would check his credit card statement daily, and if the transactions were on his monthly statement, it’s highly unlikely that he would even recall being bumped on a bus, since this happens all the time.

Also, how does the man know that the guy who bumped into him stole his credit card number? Theoretically, it could have been stolen anywhere at any time without his knowledge, so the man’s certainty that it was some guy that bumped into him seems questionable.

And how does the man know that RFID was used to steal his credit card number? How does he know there wasn’t a database breach at his bank or credit card company or any company where he used the card? The victim’s certainty that it was RFID when there’s absolutely no proof raises suspicions.

And how did the thief use the credit card info? Let’s say he skimmed the holder’s name and credit card number. Then, he went to a Web site and ordered $5,000 worth of stuff (he couldn’t have gone into a store since he didn’t have the credit card). Did he have the “security code” on the back of the card? This three-digit number is not usually written to the chip. Without that, he couldn’t have purchased anything online. And even if he did, the victim could have called the Web sites, told him the orders were fraudulent and had the sites report the event to the police. The sites could give the delivery address provided for the purchased items to the police so they could go and pick up the perpetrator.

I think it’s valuable to alert people to the potential for skimming and tell them to be aware of the potential for abuse. But Wave 3 was irresponsible for airing the claims of a man who would not go on the record and for not insisting on some evidence that RFID was involved with the use of his credit card. (I can only hope the TV station wasn’t complicit in the fabrication.) And The Equifax Store, which makes money from selling people access to their credit history, was wrong to post a link to this report without substantiating its accuracy. It seems a lot of people are happy to spread stories that scare consumers about new technologies, especially when they can benefit financially from doing so.