9 On Your Side Investigates
Watch out for the modern pickpocket
Thieves are getting a hold of your credit card information without ever touching your wallet.
Have you looked at your credit or debit card lately? Your plastic may be transmitting your banking information to thieves and you may not even know it.
Reporter: Tammy Vo
TUCSON (KGUN9-TV) – More credit card companies are now sending their customers credit cards equipped with an RFID chip, known as a Radio Frequency Identification chip. The credit card companies say that it's a convenience but critics are convinced that it's a pretty sneaky way to pickpocket.
"What we've done here, anyone can do. I was stunned. I thought - there has to be more encryption than that," said Walt Augustinowicz. He is a credit protection specialist and founder of Identity Stronghold. What he pulled off at the Tucson International Airport was pretty unbelievable. Augustinowicz says that he has found out how easy it is for thieves to crack card numbers. Online, he bought a contactless card reader for less than a hundred bucks. Wirelessly, it was able to read the information on that tiny RFID chip.
"I just plugged it in, waved my card in front of it and out came my name, my credit card number and my expiration date in the clear, totally unencrypted," said Augustinowicz. To take it a step further, he was even able to read a card by getting it close to a cell phone and disguising the technology as a tic tac toe game. Augustinowicz says that he's no hacker. He calls it thinking like the bad guys.
"But we've opened a whole new door. Now, your card can be in your wallet, and someone can get close to you in a crowd, walk by you and actually scan the data right through your pants pocket or your purse and walk away with the information" said Augustinowicz. He adds, airports are a prime target because most travelers have credit or debit cards.
Traveler Ernie Rein showed KGUN 9 his stack of credit cards and explained how he was robbed once before. "That is scary. I live in New Jersey and after two days somebody had gotten the card somehow and I was buying beauty supplies in Brooklyn and Puerto Rico," said Rein. It didn't take long before Augustinowicz read nearly all his card numbers, with Rein's permission.
What do the big credit card companies have to say? Those who responded to KGUN 9 said that the cards are safe and that security is a top priority. Smart Card Alliance, a group representing several card companies, told KGUN 9 that security doesn't depend on a card number alone, and that it's deep, layered and network. Meaning, things like the three-digit code on the back of a card can't be retrieved through those card readers.
But Augustinowicz says, the code isn't always important when making a purchase because not all retailers ask for it. Randy Vanderhoof from the Smart Card Alliance responded to that idea by saying, "If a merchant does not follow the security guidelines for cards not present during transactions, then the merchant is liable for such transactions while the consumer is not liable".
To prove his point, Augustinowicz even cloned a card number to a hotel room key and swiped it in a store to make a purchase. But Smart Card Alliance still maintains that there are layers of security in the payment system to prevent this.
KGUN 9 Reporter, Tammy Vo, also found an online document that shows that Visa filed for a patent on a shielding device that would protect these kinds of credit cards. In it, a Visa employee writes, "It is entirely possible that a contactless reader may be used for surreptitious interrogation"... and that this is "a major concern for consumers and businesses". If it's such a concern, then why did Visa install the chips in their cards in the first place? A Visa spokesperson said in an email:
"What the patent filings show is that this is not a new issue, but one that we carefully studied as contactless cards were first being developed and commercialized. Given the nature of contactless cards, where information can be read with radio waves, we saw that it might be possible for cards to be surreptitiously read, such as when they are initially mailed to a consumer and the envelope may be exposed to unauthorized people for a length of time. We advise issuers to use a shield when mailing contactless cards as a best practice. But we do not think a sleeve for cards in a wallet is necessary for a number of reasons" said Matthew Flegal.
The credit card companies say that RFID chips in credit cards are safe, but critics like Augustinowicz disagree. So, what's a consumer to do? Augustinowicz gave TIA travelers protective sleeves which stop the chips from being read. He said that you can also wrap your cards in tin foil.
But travelers like Ernie Rein are still upset. "I think it's ridiculous. I think every credit card company should tell you about this. Either change the numbers so they can't be scanned or give you these protective folders. It's stupid."
The Smart Card Alliance also says that criminals are not wasting their time with this type of fraud because they can't profit from it. The Arizona Attorney General's Office says that they are trying their best to keep on top of any fraud associated with these cards. However, because it's extremely difficult for law enforcement to track this kind of activity, the Attorney General's Office says that victims and banks will likely never know their cards have been skimmed.