
Hands-Free Pickpocketing

With electronic readers, thieves can swipe the secrets from your smart-chip credit card

If you're among some 140 million Americans who carry credit or debit cards embedded with "smart chips," some of your personal data could be stolen by anyone with a device selling on the Internet for as little as $30.

Without requiring a physical swipe, the device can collect account numbers, expiration dates and other information from cards that contain RFID — radio frequency identification — chips.

The chips transmit data a short distance through the air when activated by an external electromagnetic signal, making it possible for you to pay for something just by waving your card in front of a sensor.

But this also means that a scammer could walk through a crowd waving a small reader device near people's pockets and handbags to read the plastic inside without actually handling it. The reader then transfers the data to the thief's laptop computer.

So far, there's no proof that RFID skimming has been used in identity theft, reports the Identity Theft Resource Center. But that doesn't necessarily mean it hasn't happened — in many cases, it's impossible to know how a particular victim's information was stolen.

Does your card have such a chip? It probably does if you can do transactions without a swipe. If you want to be certain, call the toll-free number on the back of your card and ask.

In addition to credit and debit cards, the technology is found in security-entrance passes and passports, transit fare cards and automatic checkout at libraries. It's used in antishoplifting gates at store exits — if an alarm sounds when someone walks out with an unpaid-for item, it means that an RFID chip in the item hasn't been removed or deactivated by a cashier.

Although RFID isn't new, "electronic pickpocketing" concerns resurfaced recently following a news report by Memphis TV station WREG.

For that report, security specialist Walt Augustinowicz used a reader device to scan 26 wallets and purses of passersby on a crowded street (his company, ID Stronghold, sells products that protect against RFID snooping). Nearly 20 percent had cards with RFID chips.

In some cases, he was able to get the full account number and other crucial data; in others, he got only a portion. But it can be enough to make fraud possible, Augustinowicz says.


Anne Polsky

RFID isn't a wide-open door for crooks. The reader devices cannot glean personal identification numbers or CVV codes, those three digits on the backs of cards (or four digits on the front of American Express cards). In newer smart-chip plastic, the cardholder's name is also unreadable this way. And without that information, counterfeit cards can't be produced or online purchases made.

The primary danger comes if you carry a single card that contains an older RFID chip — it can send out a clear signal to an illicit reader device. But if you have a wallet full of plastic, multiple transmissions can be jumbled and unintelligible to the scammer.

It's easy to protect yourself. Just place smart-chip cards in RFID-protective card sleeves, which cost a few dollars.

Firms such as ID Stronghold and RFID Shield sell them, as do online retailers. Or cut two pieces of cardboard the size of a credit card and wrap each with aluminum foil, suggests the Better Business Bureau. Then place the chip-containing card between the foil-wrapped pieces to block data transmission.

Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.