While credit or debit cards with RFID embedded chips provide the convenience of contactless payments, it also poses a possible threat: RFID theft. So how can you protect yourself from this risk?
What is RFID Theft?
Before we dive into that, first of all, what exactly am I talking about? To start with, RFID or Radio Frequency Identification is similar to an actual ID or Identification except that the information embedded in the latter can be retrieved via radio waves within a specific distance. This is what makes it possible to just tap a credit or debit card onto an RFID reader to make contactless payments. In the past, there’s a need to insert the card to the reader. RFID had simplified the process.
How does RFID identity theft work?
But with that convenience comes risks. The same wireless signals used to conveniently pay by simply tapping the card onto a reader can be intercepted. Anyone with an RFID reader device can just pass by you and use it to steal the card’s details. This is why RFID theft is also called "wireless identity theft" or "contactless identity theft."
It’s similar to a pickpocket aiming for your wallet without the need to physically pull it out. They can just electronically steal what’s on the wallet (particularly the credit or debit cards) and then use it. This is why some also call it "electronic pickpocketing."
Protection from Related Scams
If you recall the ATM card skimming issue in the past, the idea seems the same but there won’t be a need to reprint the copied data to a blank card in order to use it. In RFID theft, the information is obtained wirelessly and can be used to siphon money, make unauthorized payments, and even use your identity for illegal transactions.
ATM Card and Credit Card Skimming
Credit Card skimming is somewhat similar to ATM skimming.
With the latter, the skimming device is attached to ATMs to capture the card number which will be printed onto blank cards as mentioned above. The skimming device is normally accompanied by a fake keypad to record the pin so the ATM account's savings can be withdrawn using the cloned card and logged pin.
The same process can be done for credit cards (CC). The skimmer will steal data through the magnetic stripe as it stores information needed to make payment transactions using the card, such as the credit card account number, cardholder's name, CC expiration date, and even the CVV.
I'd like to believe that there are fewer instances of ATM skimming these. It can be attributed to increased security measures from banks to avoid scrupulous individuals from sneakily installing skimming devices to ATMs. Nonetheless, it is still better to take precautionary measures, especially when withdrawing money from ATMs in underdeveloped remote areas locally and overseas. To do so, simply inspect the keypad and card slot before using them. Those will jiggle if there are extra devices attached that are not part of the machine.
EMV vs Magnetic Stripe
Most banks have also been upgraded from issuing magnetic stripe cards to EMV chip-enabled ones.
What's the difference? Simply put, the main difference is that mag stripes contain static information about the user, making it easier to transact by simply swiping the card to a reader; the latter will read the card's data to authorize the transaction. EMV chip-powered cards on the other hand are inserted onto a reader to process payments. EMV chips don't send out static information though. They generate a new code to transmit data every time the card is used. In this case, EMV cards seem to be safer.
Both are still subject to possible fraud though such as when the card details are stolen or the card itself is used without permission.
Use Cards at Trusted Merchants
With that thought, be careful when using cards; transact only through trusted merchants both offline and online. Don’t use it in shady stores. When used in brick and mortar shops, keep your eye on the card if possible. Most places process card payments in front of you but in case they don’t, see if you can visually follow where they go without looking too suspiciously paranoid.
Shimmers and E-Shimmers
If skimmers are installed on physical devices, they can be noticed and avoided. Shimmers and e-shimmers on the other hand are not. The former is installed inside the card reader itself while the latter attempts to compromise the actual POS system (much like web hacking) but only within the POS payment system.
So this goes back to transacting only through trusted merchants. You can at least be assured that they keep their POS network and card readers protected.
Cover the CVV
Another technique that works regardless of the card payment feature (magnetic stripe, EMV, and RFID) is simply covering the CVV or that three or four-digit numerical code found at the back of the card. There are stickers sold for this purpose. I've seen some in Lazada. You can also just use masking tape. Some people scratch off the CVV but this is not recommended, or any kind of tampering on the card.
After covering the CVV, do no attempt to remove the tape even if you need to use it. This way, it will be noticeable if someone tried to remove it. Write down the card verification number elsewhere safe or if not, just memorize it.
While the CVV is not even required for physical stores, it's imperative for online transactions. So even if the card number falls into the wrong hands, it's useless without the code.
Bank or Credit Card Fraud Techniques
Most banks and credit card providers regularly warn about tactics used to steal card user's information through their social media pages and email newsletters. Victim blaming is not cool but we do have a responsibility to protect our own money. Ignorance is no excuse. Not to scare but unauthorized transactions are not always refunded by financial institutions. You'll find numerous public posts on social media sites when searching for "credit card fraud," "unauthorized transactions" and similar keywords preceded by the bank or credit card provider. Some were lucky enough to get their money back but others weren't.
So what are these bank or credit card fraud techniques? There are numerous known tactics, some of which are as follows:
Fake Login Screens
Links to the bank login screen are sent via email, in what is known as email phishing.
After clicking the link, a legit looking website is displayed, but upon careful inspection, you'll notice that the URL looks different from the official website link. It may look similar but there is a variation such as an underscore, a hyphen or dash, and misspelled words.
Because financial institutions need utmost security, all of them use HTTPS extensions instead of the usual HTTP. Fake bank websites will not bother acquiring an HTTPS extension.
The email address used is also different from that of the banks. Most banks will use the format (department name here)@official website address, like help@bankname.com for example.
So upon entering your login details, nothing happens but the fake site has already logged your credentials by then and will soon attempt to login to the real bank website.
Since there are mobile users, the same process can be replicated via SMS phishing. The fake bank login link will be sent to mobile phone number via text.
Social Engineering
While the previous mostly applied to the technical side or technology of things, social engineering touches on emotions - the human side, by attempting to gain the user’s trust.
One way is by pretending to be a part of a legit organization, especially something that the potential victim is part of or at least aware of such as their TelCo or bank. Some send SMS, email, or direct messages through messaging platforms online but the fastest way is through phone calls.
Calling makes it easier as most would-be victims fall prey to how the caller sounds believable enough over the phone. Some of the known spiels include:
*You winning a promo but you will need to pay money to claim it.
*Free upgrade such as for phone SIM cards (older models to faster types like 5G), higher phone plan or credit limit, Internet speed boost, and more.
While some institutions do get in touch with their clients for legitimate business purposes, it’s better to just contact them directly through their customer service hotline. If not, watch out for red flags during the phone conversation and hang up immediately if you notice anything suspicious.
One major giveaway is that they’re able to mention details about you (i.e. name, address, etc.) to make it seem like they are indeed working for the organization they are pretending to represent.
But since they don’t know other information, they will attempt to make you provide it such as your credit card’s CVV or the remaining numbers in your credit card, which they don’t see in full if they only gain access to it through a merchant you’ve used before.
Speaking of your details, don't just provide them everywhere because there are merchants that sell customer information to third party vendors.
Raffle Promos and Giveaways
Tempting raffle promos and giveaways are often used to lure unsuspecting victims into providing their personal information and even financial details.
Like social engineering, they’ll attempt to gain trust by using known institutions and personalities that are imitated to attract an audience. There are plenty of these on Facebook alone. Apart from the old adage, "if it's too good to be true, it probably isn't," you can also find out if the supposed promo is legit by checking the sponsor page or group. In most cases, official pages often come with the verified (checkmark symbol) beside the page name. The number of fans (likes, subscribers, members) is also often higher compared with fake pages.
How to Block RFID Signals
Now going back to RFID, there are ways to protect yourself from possible identity theft by blocking signals when you’re not using the RFID-enabled device.
The easiest way is to simply cover the item with aluminum foil. I tested this on a department store POS payment processor. The friendly cashier was kind enough to oblige since there was no one else behind the line after me so there was no queue to disturb. The tap to pay device can’t seem to read the data while the card is covered with aluminum foil. It worked just fine after the foil was removed. So the foil blocked the RFID signals from being transmitted properly.
Aluminum foil, copper, and other metals that are electrically conductive can absorb radio waves (like RFID), hence, they can interfere or even prevent transmission.
There are products designed for this purpose too. They are also made of aluminum, copper, nickel alloy, and other metals. These products will prevent RFIDs from being scanned as the scanner (or whoever is using it) pass you by.
RFID readers (including those which are legitimately used by merchants) transmit signals to trigger the microchip in a card to power up and send data back to the reader. In other words. the reader communicates with the chip. If an RFID blocking product is used, the signal sent by the reader will not reach the chip; hence, it will not transmit data.
Where to Find RFID Blocking Products
The most common RFID blocking product is probably the card case for debit or credit cards. There are also anti-RFID theft covers for access control cards, passports, and car keys. I’ve seen wallets too.
You’ll find them on most shopping sites like Shopee. I found mine through Lazada. Just make a quick search for “RFID blocking” on your preferred store to the products.
⬆️ This black one is more sturdy than the silver other one below ⬇️
Like the aluminum foil, I also tested the RFID card case on a department store cashier. Same as the foil, a negative beep sound is heard signifying that the POS reader is unable to detect the card while it's inside the case. It works just fine after removing the RFID case.
Sadly, I only tried to learn all about these after becoming a victim of credit card fraud. I hope you don't go through the same experience. Protect yourself from RFID theft as well as other related scams by simply using RFID blocking products to cover your cards (or other RFID-powered items) when they're not in use.
Post a Comment