Chip ahoy! Are RFID credit cards secure?
Ask any of the estimated 9 million Americans who become victims of identity theft each year: getting billed for someone else's credit card charges stinks.
Enter the "radio frequency identification" (RFID) credit card. Designed to provide extra layers of security against identity theft, an RFID card transmits credit card information through radio waves from a chip embedded in the card.. (The cards also have a magnetic stripe on the back so you can swipe it in the traditional way.)
If you're using a card with an RFID chip, and your merchant has a compatible card reader, you don't have to swipe your card when making a transaction. You merely hold your card within one to four inches of the card scanner. This practice raises questions as to how safe the technology is and whether you should protect your RFID card with a special wallet or card sleeve. Here's the skinny on RFID credit cards.
Benefits of the RFID card
Available through credit card companies including Visa, MasterCard, and American Express, RFID cards eliminate certain security hazards posed by traditional cards, but could make you vulnerable to others. According to Denis G. Kelly, author of "The Official Identity Theft Prevention Handbook" and chairman of the Identity Ambassador Commission in Seattle, the security benefits of the RFID cards are threefold: limited card exposure, data encryption and new authentication codes.
A side benefit: RFID cards also help speed the checkout process. "RFID technology tends to cut the overall transaction time (of a credit card purchase) in half," says Kelly.
Because the technology doesn't require card holders to physically remove the card from their wallet, Kelly adds that RFID can eliminate the need for waiters, retail clerks, and all other salespeople to handle your card. That creepy guy lurking behind you at the grocery store? He won't get a chance to see your credit card info because you'll never have to take your card out.
Does RFID make it easier to steal?
The new technology causes some to worry that it's now easier to steal RFID credit card information. Because your RFID card allows you to transact without pulling out the card itself, critics argue that identity thieves could swipe your credit information simply by placing an RFID scanner nearby.
Jay Foley, executive director of the Identity Theft Resource Center in San Diego, is quick to admit that thieves could get your card info remotely through a scanner, but adds that they probably wouldn't be able to use it. Unlike magnetic stripe cards, RFID credit cards encrypt a card holder's information. To access a consumer's account, thieves not only have to scan the card, they also have to break the card issuer's encryption.
RFID cards also create a new authentication code for each transaction. If an identity thief nabs info by physically skimming a traditional credit card, he or she can use that information as many times as they like, racking up purchase after purchase until the card gets reported. If all they have is the information from your RFID chip, they can only make one purchase with that authentication code.
"If someone captures your (RFID) card (electronically), the most they can use it is one transaction," Foley explains.
But of course, the encryption and authentication code only helps you if your card information is swiped remotely from an unauthorized scanner. If a thief physically nabs your RFID card, they can still use the magnetic stripe all over town until you alert the authorities.
Reports of RFID hacking
There's no doubt that limiting who handles your credit card and the number of purchases thieves can make on stolen accounts will significantly increase card security, but questions remain as to the reliability of RFID credit card encryption.
According to a University of Massachusetts, Amherst, study published in 2007, researchers purchased a commercial RFID scanner over the Internet and accessed sensitive information on 20 different first-generation RFID cards issued in 2006.
One year later, a University of Virginia graduate student successfully hacked RFID encryption found in rechargeable bus and subway cards issued by the Massachusetts Bay Transportation Authority.
It's worth noting that to date, there's never been a major RFID credit card breach outside of a lab, but that's not stopping retailers from selling aluminum-lined wallets and card sleeves designed to disrupt unwanted radio waves from reaching your cards.
Protecting your RFID credit card
The first step to protecting yourself from RFID identity theft is simply knowing if you have an RFID-enabled credit card. You can find out by calling your credit card company, reading your card agreement or checking your card for the presence of an RFID chip or RFID logo, which looks like a series of expanding ripples or waves.
Consumers concerned about the security of their RFID card can purchase an RFID-blocking wallet or credit card shield, though both Kelly and Foley insist that such protection products aren't absolutely necessary at this point.
"If it's that big a concern to you," says Kelly, "I probably recommend not using an RFID card."