Monday, March 19, 2012

My rant on overhyped RFID Credit Card Hacking

My Uncle sent me a link to this video that has been going around lately, and I thought I would post my little rant about this kind of hyped up information. I'm not saying that it doesn't happen, just that it isn't as prevalent as they want you to believe. It is happening, and technology is always evolving...on both sides of the fence. Remember the person in the video and the interviews all over the internet, is trying to sell you his wallets and Credit Card sleeves. And the news sites are trying to sell you their version of the news. It's always good to have more information. As they say....The More You Know...

It's always good to protect your cards, whether they have RFID or not. To be honest, I'm more worried about the waiter/waitress copying my card when they take it out of site at a restaurant than I am about someone grabbing my card through the air. :-) More on my opinion after the video... (Have I used ... enough yet? ;-)

I've been watching this technology for a while now, and while it may seem easy to grab your card info, it is not as easy to use it as they are making it look. Plus, the security behind the cards is always evolving. The first generation of cards sent your whole name and everything along with the date, more recent cards send just enough for the current payment to process. The second piece of security, is every "transaction" that is sent via RFID has it's own unique CVV code that is only good for that transaction. (CVV is the 3 digit code on the back of your card that you need for some transactions). Because this code is unique to the transaction, any thieves have a limited amount of time to make a purchase, depending on how often you use your card; and can only use it for one transaction. And if they don't use it before you make a purchase, the code of your next transaction will be out of order and the alert your Credit Card company that something is amiss. The list of codes are unique to the card, similar to the SecureID tokens many banks use to protect internal transactions and the Government uses for security access.

This my understanding from what I have read over the last couple of months on the subject from trusted sources in the Information Security Industry, but I have not been able to test it myself. Even so, my wife bought me one of those secure wallets that is supposed to block RFID signals, and I have been able to confirm this, as my bus pass will not scan through it, And I carry all of my IDs with RFID chips in them in special containers. I don't currently have any of the RFID Credit Cars, though not because I have said no to them. As in many things, vigilance is the key and always a good idea. If you suspect fraud, report it. Remember, even though you are not liable for fraudulent transactions, these companies have to pay for them somehow, and it comes from higher fees from both the credit cards companies and the stores we buy from that have had a chargeback because someone else bought something from them using stolen credentials.

One of my favorite places for information: