Can New Chip-Enabled Credit Cards Be Hacked Wirelessly? The Trick Radio Ploy
The new chip-enabled credit cards that banks are sending their customers are supposed to make it more difficult for thieves to steal consumers' account information when they're using their plastic at check-out aisles.
And now you're seeing a wave of ads -- television, radio, online -- about criminals exploiting a flaw in credit cards, a security hole that lets them remotely steal personal identity information in a casual walk-by taking advantage of escaping radio waves--while the card remains in wallet or purse.
Well, rest easy -- at least a bit more easily.
There are big problems with certain cards, but radio-frequency ID theft is not a problem with new EMV cards.
The marketers selling are instead taking advantage of confusion that often accompanies the introduction of new credit card technology.
The radio wave challenge
The truth? The computer chips in EMV cards don't send out radio frequency signals at all.
The companies selling wireless-blocking sleeves are actually selling products that will protect consumers against an entirely different technology.
A few years back, credit-card companies were pushing credit cards that allowed users to make wireless payments.
You'd simply wave your card at a reader to make your purchase.
These cards, which are still being issued by some providers, rely on Radio Frequency IDentification, better known by the acronym RFID.
The cards send out an RFID signal that allow contactless transactions to happen.
Early versions of this technology, though, came with big security gaps.
Thieves armed with scanning devices could indeed read your card information by intercepting its RFID signal, stealing your information as long as they were close to you.
Thieves could steal information even if your RFID-emitting card was tucked into your wallet, purse or pocket.
The technology behind these cards has since improved, making them safer.
But more to the point, contactless credit-card payments never really caught on -- even as slick marketers developed special RFIF sleeves and cases to protect consumers.
In fact the Federal Reserve Board estimates there were only 700 million contactless card payment transactions in the United States in 2019, the most recent year in which the Fed keeps such statistics.
That's a tiny fraction of the billions of transactions conducted by non-RFID cards.
According to the Smart Card Alliance, contactless chip cards--a form of "smart cards"-- were first issued in the United States in 2004.
But the Smart Card Alliance does say that most consumers have ignored contactless credit cards.
The reasons are many, but include the fact that most retailers don't have terminals in place that accept such payments and that swiping -- or dipping, now -- a credit card doesn't take much more time than does waving a card at a reader.
The technology involved with EMV cards, though, is not the same. Simply put, the computer chip in your EMV card does not transmit an RFID signal.
That's because these cards don't offer contactless transactions. You can't close a transaction with an EMV card unless you actually dip it into a card reader.
If you want to determine whether any of your credit cards, though, do permit contactless transactions and do emit RFID signals, check for a symbol on its back that looks like radio waves.
It's true that some banks offering EMV cards do also equip these cards with contactless technology.
But EMV cards and RFID-emitting cards are not the same thing, and the vast majority of EMV cards, and credit cards in general, don’t emit RFID signals.
What if you have an RFID card?
If you do have RFID cards in your wallet, you can protect yourself by buying an RFID-blocking sleeve or special wallets or purses that are designed to block the signal from readers.
But even this might be a waste of money. Studies indicate the risk of having your information stolen by a thief armed with a scanner is low.
Most criminals haven't invested in the scanners necessary to pull off this hack, these reports say.
And thieves have to be awfully close to you to intercept your RFID signal.
Consumers shouldn’t really worry about buying card-blocking wallets or purses, even if they are using RFID-enabled credit cards.
According to a story by Slate's senior technology writer Will Oremus, the actual instances of criminals using special scanners to commit what is known as RFID skimming are extremely rare.
Again, it comes down to convenience. It's easier for criminals to use other means to steal your credit-card information.
Oremus points to skimmers that thieves can install on ATM or point-of-sale machines.
These skimmers allow criminals to steal more information from a larger number of cards in a quick amount of time.
Thieves sophisticated enough to be able to master RFID skimming are more likely to use their talents to operate more efficient scams, Oremus said.
Credit-card providers are also now doing a better job of protecting consumers that use RFID cards for contactless transactions, according to Oremus' story.
Today's contactless cards now send a one-time code for each transaction initiated by consumers, according to the story.
This means that a criminal might be able to skim information to make one fraudulent purchase.
But that would be it: The thief would have to intercept a new code the next time this consumer makes a transaction, Oremus said.
It's important to note, too that even if a criminal did intercept your card's RFID signal to make a single fraudulent purchase, you wouldn't be financially responsible for this fraud.
Most credit card providers will erase the fraudulent transaction from your bill.
Instead, criminals prefer to go after easier targets when it comes to credit card fraud. And that’s where online shopping comes in.
Legitimate security concerns
The new EMV cards -- that acronym stands for Europay, MasterCard and Visa, the three companies behind them -- work differently than do the traditional magnetic-strip credit cards with which most consumers are familiar.
Instead of swiping your EMV cards, you "dip" them into a special chip-reading device that retailers are supposed to have installed already, though many have fallen behind on that deadline.
That reader then confirms your information. You close the sale by signing your name, as usual.
The EMV technology is supposed to make it more challenging for criminals to steal your information during in-person point-of-sale transactions, data that these thieves can then use to create counterfeit credit cards to make fraudulent purchases in your name.
The EMV cards, though they are not vulnerable to RFID skimming, are not perfect, something that security experts have been quick to point out.
That's largely because the cards still require a signature instead of individual PINs that consumers create.
If you lose your card and a thief steals it, that criminal can still make purchases with it.
The thief just has to forge your signature, which isn't difficult to do.
Security experts say that a PIN system would be a better defense against criminals because thieves would actually have to know your secret PIN.
This has aggravated some security experts, including Hector Hoyos, chief executive officer at Hoyos Labs.
“We are spending all this money for a system that isn’t as secure as it could be,”
Hoyos has told MyBankTracker.
Randy Vanderhoof, executive director of the Smart Card Alliance, said that while the new EMV cards are an improvement over magnetic-strip cards, they are not foolproof when it comes to security.
"Consumers still have to always know where their cards are," Vanderhoof said in a previous interview. "They still have to check their credit-card statements to make sure there are no unauthorized purchases on there.
Chip cards are much more secure than the magnetic-stripe cards have been. But consumers still have to be smart with their credit cards."
"They still have to check their credit-card statements to make sure there are no unauthorized purchases on there.
Chip cards are much more secure than the magnetic-stripe cards have been. But consumers still have to be smart with their credit cards."
The chip cards also offer no extra protection when you use them to purchase items online.
That's a significant flaw because consumers today are making more purchases through online retailers such as Amazon and eBay.
Other online security worries
If you want to worry about the security of your EMV credit cards, don’t worry about thieves using scanners to remotely steal your credit-card information.
Instead, worry about them accessing your credit-card data from all those online purchases you make.
Jo Lintzen, vice president of business development with security manufacturer Ultimaco, said that most criminals want to work as little as possible when it comes to pulling off their crimes.
With computer-chip cards making it more difficult for thieves to steal card information at check-out counters, and with most card providers abandoning the idea of RFID-fueled contactless credit cards, it makes sense that criminals would focus their efforts on the online world, Lintzen said.
“There will be a shift in online fraud simply because it will now be more difficult to commit other types of credit-card fraud,” Lintzen said. “The bad guys are creative. They will look for other targets, and online credit-card transactions are an obvious target.”
You can protect yourself while shopping online, up to a point.
First, shop only with retailers you know and trust. Secondly, only use your credit cards at online retailers that run sites that are encrypted.
A retail site is encrypted if it features an icon at the top of your browser that looks like a padlock or an unbroken key.
You can also look at the Web address in your browser. If it starts with "https://" and not just "https://", you know that it is encrypted.
Also, only complete online transactions at sites that ask not only for your credit card's account numbers, but also the three- or four-digit security code on your card's back.
This extra bit of information provides another layer of security to online transactions. Don't do business with sites that don't ask for this code.
