Smartphone app that allows credit card skimming ‘real risk’ to consumers: experts
TORONTO – A smartphone app, which allows the user to read credit card information through wallets and purses, is cause for concern amongst consumers that carry credit cards with radio-frequency identification (RFID) technology, according to experts.
The free app, available on the Samsung Galaxy S3 through the Google Play store, allows the phone to read the RFID chip on a credit card, picking up the cardholder’s name, credit card number and expiry date, according to a CBC investigation.
RFID chip technology is used in many credit cards, most commonly for tap-to-pay systems like MasterCard’s PayPass or Visa payWave.
The technology stores information including the card number, the cardholder’s name and the expiry date. It does not include the three-digit security number on the back of the card – usually used when a larger purchase is being made on the card.
Major credit card companies have stated that RFID technology is safe; however, the technology is not encrypted – unlike the chip on the front of the card that physically plugs into debit or credit machines.
RFID technology serves the same purpose as the magnetic strip on a credit card, but works wirelessly, making it more susceptible to high-tech theft.
“The units that you tap your card on are set on very low ranges, so you only have to get within a few inches of the device for it to read your card. But there is nothing inherent in the technology that says it has to be within three to four inches – if you turn the power up you can push it out to 10 or 15 feet,” said David Skillicorn, professor at the school of computing at Queen’s University.
“That’s where the trouble starts – because now you don’t have to be very close to the credit card or the passport in order to read the information on it.”
The CBC investigation into the application revealed that credit card information could be read through wallets, pockets and purses using the phone’s near-field communication (NFC) antenna.
Theoretically, this means that someone using the app could gain access to your credit card information by just standing near you.
“The new piece here is that instead of having to buy a slightly elusive piece of hardware from some sort of mail-order place, you can now just download the app to your phone and piggy back on its Bluetooth capabilities,” Skillicorn told Global News.
Skillicorn said that one of the risks associated with this type of technology is identity theft. He notes that because RFID technology does not provide the three-digit security code on the back of the card, a thief would not be able to make a substantial purchase.
“You can steal small amounts of money, yes, but you can steal identity – and that’s the real risk. You could phone up MasterCard or Visa and when they ask you to enter your card number, you can change the address listed on the account and other personal details – but you can’t go and buy a $5000 TV with that information,” said Skillicorn.
But Gordon Agnew, associate professor at the University of Waterloo who specializes in cryptography and data security, disagrees.
Agnew argues that because the RFID technology is moving into debit cards now, the financial risk is much higher.
“Most credit card companies say you are not liable for fraudulent use of your card, but a lot of debit cards are coming out with RFID technology and those cards are liable depending on the bank,” said Agnew.
What can consumers do to protect themselves?
The risk of these apps is limited to the Android platform right now.
Near field communication is not yet available on the iPhone and BlackBerry is “too secure” to adopt the technology, according to Agnew.
“The first line of defense is keep it protected,” said Agnew.
“You can check to see if the card is RFID enabled – if there is a pie shaped symbol, made up of four or more lines, on the card then this means your card has the technology.”
If your card is RFID-enabled, Skillicorn suggests wrapping the credit card in tin foil – the standard line of defense against RFID skimming attacks. The aluminum blocks signals from accessing the card.
Alternatively, those with RFID-enabled cards can get a metal or metallic-lined wallet – often sold at travel stores.
© Shaw Media, 2013