How Secure Are RFID Credit Cards?

Identity theft group is impressed, so far

Credit cards are becoming more sophisticated objects. This level of sophistication makes transactions easier, but safeguards are important to protect users, according to the Identity Theft Resource Center.

The biggest recent change in credit cards is the embedded Radio Frequency Identification (RFID) chip, enabling what the industry calls "contactless payments."

Contactless cards

In 2005 JP Morgan Chase led the way by introducing its RF credit card and coining the term "Blink" technology. These "contactless" cards could be simply waved in front of a special reader or swiped through a traditional terminal.

An RFID credit card is a standard credit card with a radio-frequency microprocessor embedded in it. At its most basic level it is nothing more than a read-only chip holding your personal credit card information, which can be read by an RFID-enabled point-of-sale terminal.

The apparent benefits of RFID credit card transactions are convenience, speed and the elimination of employee contact with the card.  To minimize accidental reading of these cards, they are designed to be read at a distance of one to four inches from the reader.

Hijacked?

Even so, there is some concern as to whether RFID cards can be "hi-jacked" by use of an unauthorized RFID scanner, and then the information used for fraudulent purposes.  It is important to note that there are two parts to this process:  Scanning the card to retrieve the information, and then being able to use the retrieved information to make a fraudulent financial transaction.

The implication in recent media articles is that it is easy to "hi-jack" the RFID information, and that it is easy to then use this information to make fraudulent purchases.  ITRC said it requested information from a variety of technical resources to review this assertion, including information provided by the card manufacturers.  ITRC says its investigation is still underway, but has already established a few facts:

Ability to scan RFID enabled cards

  • Scanners that can "read" the RFID cards are available to merchants and the general public
  • These scanners can interrogate the RFID card, and retrieve the information provided by the RFID chip on the card
  • This is a fairly simple process, and can certainly be done without the card owner knowing that it has been done.

Ability to use the retrieved information for fraudulent purchases

  • The assumption is that the RFID chip provides the same information that is encoded on the magnetic stripe, which is what a traditional card swipe reads.  So, if the RFID chip can be read, then the perpetrator has the ability to use that information to make fraudulent purchases.
  • ITRC's investigation so far has indicated that some RFID card manufacturers have implemented security features which make it difficult or impossible to use the "hi-jacked" information to make a fraudulent transaction.

ITRC also directly requested information from card issuers, and received information from Discover, MasterCard, Visa, and American Express.

According to Discover

“Contactless payments are secure. Unlike RFID, which can operate at ranges up to 25 feet, contactless payment devices are designed with RF enabled technology that operates at very short ranges - less than 2-4 inches - so that the consumer needs to make a deliberate effort to initiate the payment transaction. For contactless payments, Discover uses added security technology both on the contactless device as well as in the processing network and system to prevent fraud, and with Discover's 0% fraud liability, Discover cardholders have the added protection of never being held liable for any fraudulent activity on their cards.

“Importantly, the Discover Zip contactless card has a unique security feature in that the verification value changes each time you use it -- so that any skimmed data could not be reused.”

According to Visa

“To authorize a payment, you must wave your Visa Micro Tag directly within 1-2 inches of a secure reader at an authorized merchant, and it must be properly oriented. Each time you use the Visa Micro Tag, a unique transaction code is generated, which must be verified through the reader before the transaction can be completed.

“Visa payWave also generates a unique digital watermark for every transaction to prevent unauthorized transactions. Active cardholder participation is required to perform a transaction, as the card or Visa Micro Tag must be within 1-2 inches of the secure reader that accepts Visa payWave payments and must be correctly oriented to be processed.”

According to MasterCard

“Due to a microchip that's embedded inside the PayPass card and because of its advanced encryption technology, it is extremely difficult to copy a PayPass chip and create a functioning counterfeit version of that card.

“In addition, it is unlikely that the details from the PayPass chip could be read and then copied onto the magnetic stripe of a counterfeit card. This is because only a minimal amount of information would be accessible - and not the same information that would be used on a magnetic stripe to conduct payment transactions at the point of sale.

“A PayPass card only sends the account number and the expiration date of the card to a reader, along with a dynamic, one-time-only number that uniquely and securely identifies each specific transaction. PayPass cards do not send the CVC2 code (the three-digit code on the back of the card) or any billing address or zip code information. Importantly, the PayPass chip doesn't even have your name on it.

“For a purchase to be authenticated and authorized via phone or online, typically several pieces of information must be presented - such as the personal account number (the number on the front of the card), expiration date, the CVC2 code (that three-digit number on the back of a card), and the cardholder's billing address. The chip on a PayPass card does not send the CVC2 code or any billing address or zip code information. It doesn't even have your name on it.”

According to American Express

“'Expresspay' will NOT reveal your personally identifiable information such as name, address, or other types of information typically required for identity theft, or Card account number. 'expresspay' uses encrypted and unique codes for each transaction. As with all American Express products, Cardmembers are not responsible for any fraudulent/unauthorized charges on their Cards.”
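The issuer statements above all describe a code that changes with every transaction and is checked before authorization. The sketch below is an added illustration of that idea, not code from ITRC or any issuer: it assumes a counter-based code derived with HMAC-SHA256, which stands in for whatever proprietary algorithm the card networks actually use, and every class name, function name, key and card number in it is constructed for the example.

```python
import hashlib
import hmac

def dynamic_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    """Derive a 3-digit per-transaction code (assumed scheme, not a network's)."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Contactless card: holds a secret key and a transaction counter."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self._key, self.pan, self.expiry, self._counter = key, pan, expiry, 0

    def tap(self) -> dict:
        # Data sent to the reader: no name, no address, no printed CVC2.
        self._counter += 1
        code = dynamic_code(self._key, self.pan, self.expiry, self._counter)
        return {"pan": self.pan, "expiry": self.expiry,
                "counter": self._counter, "code": code}

class Issuer:
    """Issuer host: knows each card key and the highest counter accepted."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, key: bytes, pan: str) -> None:
        self._keys[pan], self._last[pan] = key, 0

    def authorize(self, tap: dict) -> str:
        key = self._keys.get(tap["pan"])
        if key is None:
            return "DECLINE: unknown card"
        if tap["counter"] <= self._last[tap["pan"]]:
            return "DECLINE: counter already used (replay)"
        expected = dynamic_code(key, tap["pan"], tap["expiry"], tap["counter"])
        if not hmac.compare_digest(expected, tap["code"]):
            return "DECLINE: bad dynamic code"
        self._last[tap["pan"]] = tap["counter"]
        return "APPROVE"

def demo() -> list:
    key, pan = b"constructed-demo-key", "4000000000000002"  # constructed values
    card, issuer = Card(key, pan, "12/30"), Issuer()
    issuer.enroll(key, pan)
    first = card.tap()
    reused = dict(first)  # the same tap data presented a second time
    second = card.tap()   # fresh counter, but the code is altered below
    wrong = dict(second, code=f"{(int(second['code']) + 1) % 1000:03d}")
    return [issuer.authorize(t) for t in (first, reused, wrong)]
```

The issuer-side counter check is what makes reused data worthless in this sketch: the account number and expiry date are identical in all three requests, yet only the first is approved.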

Conclusion

"We will continue to monitor RFID card issues, but at this time we believe in both the technology and the companies that are using it," ITRC said in a statement. "It is apparent so far that although scanning the card can be done, getting all the necessary information useful to commit fraud is probably not easy."
