Television news is basically designed to scare people into watching. “Your credit-card information is at risk—tune in at 11 PM.” While all technologies can be hacked, RFID-enabled credit cards are safer than magnetic-stripe cards. Here are a few facts left out of the news report in that video:
• Every time you hand over your magstripe credit card to a gas-station attendant, waiter or store clerk, that card can be cloned.
• The security problem exposed in the clip did NOT involve the RFID card, but rather the magstripe technology.
• The purchase was successful because it was a low-value purchase not requiring a card verification value (CVV). The RFID reader did not capture a CVV, so any purchase requiring a CVV would have failed.
• The RFID cards have a dynamic CVV, so if the gentleman in the video had cloned the RFID card to another RFID card, it could be used only once, and never again.
• If all magstripe technology were removed from the world, he would have been able to pay for an item once with a captured electronic CVV, but never again, since as the terminal tried to write a new CVV to the RFID chip, the cryptographic keys would not have matched.
• The CVV printed on the RFID card and the dynamic electronic CVV are different, so if you were to make an online purchase requiring a CVV—as most do—then the system would know you were using an electronic CVV instead of the printed CVV, and the purchase would be immediately flagged as fraudulent.
• Credit-card companies use software to detect fraudulent purchases as another layer of protection, so unusual purchases made using stolen cards might be blocked.
• A consumer is not responsible for fraudulent charges, so the risk of using RFID cards falls on the credit-card companies, not shoppers.
• The person in the video was unable to capture any physical address information. Many purchases, including filling up at a gas station, now require a zip code. Those purchases would not go through unless someone could guess the proper zip code.
I have no doubt that RFID cards are more secure than magstripe cards. It’s equally true that criminals might find ways to abuse the technology—but since no fraud of this kind has ever been documented, and since credit-card companies believe it to be more secure than magstripe cards, I see no reason to lose any sleep over this video.
—Mark Roberti, Founder and Editor, RFID Journal
Where Can I Find an RFID Systems Integrator? »