I just received a new credit card that has an RFID chip in it, but I've heard reports that thieves might be able to steal my account information from it. Should I be worried?
It depends on whom you ask. The new RFID-enabled credit cards and key fobs do have unique security risks -- foremost being the chance that some twerp with a souped-up scanner will read your card information from afar. But I wouldn't go so far as to say that they are less secure, on the balance, than magnetic-stripe credit cards.
Researchers have used off-the-shelf scanners to read account numbers and cardholder names off RFID credit cards. (Illustration by Headcase Design)
Companies such as Chase (which issues the Blink card) and American Express (ExpressPay) claim that RFID chips are built with strong encryption -- 128-bit and Triple-DES (Data Encryption Standard) -- to protect information. Additionally, the chips are supposed to send unique, one-time use codes for each transaction -- codes that do not match the number printed on the card. Chase senior vice president Tom O'Donnell says the combination of unique tokens, switched-on readers and transaction processing is like "tumblers in a lock."
However, a team of researchers at the University of Massachusetts, Amherst, was recently able to construct scanners capable of skimming both the cardholder name and card number from a variety of first-generation RFID credit cards. Then they found a way to transmit that data back to a card reader, tricking it into accepting a "purchase." We spoke with assistant professor Kevin Fu, who worked on the project. He wasn't willing to divulge which credit card issuers were compromised, but he said that many of the supposedly encrypted cards sent card numbers, expiration dates and cardholder names in plain text -- which could be read through the envelopes the cards were mailed in.
Relatively speaking, the risks are low. No one we spoke with had actually heard of RFID "skimming" occurring outside a lab. Any time you remove a card from your wallet, you already are showing your credit card info to anyone within eyeshot, and much of conventional skimming occurs when customers either lose their cards or hand them over in restaurants and stores. There, waiters or cashiers can swipe the card through their own card readers as well as the store's.
According to Fu, however, RFID cards do have a unique vulnerability. "Your card can be read surreptitiously. Unless you were paying attention to the guy behind you with a reader, you'd never know you were being skimmed."
As with most credit card fraud, the risks are borne primarily by the card issuers, which generally will cover all fraudulent charges. However, if the reassurances of the credit card industry aren't enough to calm your nerves, there are other options. You can try the old tinfoil-in-the-wallet trick, or you can get a wallet lined with nickel-impregnated nylon that blocks all RFID transmissions. In our tests, it worked.
