Photo: Professor Bop on flickr
At a recent conference, hacker-turned-consultant Kristen Paget showed how easy it is to read a credit card’s data through clothes and wallets.Using a $50 reader purchased on eBay, Paget quickly captured an RFID-enabled, or contactless credit card’s number, expiration date and CVV code, according to Forbes’s Andy Greenberg.
She then encrypted a blank card with the info using a $300 magnetic device, then treated herself to $15 with the help of Square, a wireless payment tool for iPhones.
The hack is concerning, but don’t freak out and stock up on the steel wallets and credit card condoms just yet, said Javelin’s managing director security and fraud, Phil Blank.
Unlike identity fraud, this is a one-time sort of thing that hackers will get bored with very quickly. Here’s why:
1. Limited spending. RFID cards have spending caps (usually $25 or $50), said Blank, plus they can’t use a card above a certain amount before they ask for the cardholder’s signature. “What are they going to buy, a bunch of mochas?” he said.
2. Missing info. “If you go to an online store to use the card, typically they want your name, address and zip code—info the hacker’s not going to have,” said Blank.
3. One-time use. The novelty of the hack is all in the CVV info, meaning “once it’s used, it can’t be used again,” Blank said.
4. Too much work. “The hacker has to create the hardware, create the scanner, get the cardholder’s info then figure out how to use it,” Blank said. For the seasoned hacker, it’s a waste of time.
Don’t take this to mean you shouldn’t guard your card, however. The clothing hack is commonly used to spur phishing scams, or phony email or social media posts that get victims to fork over their personal info. It can also be used to glean info to sell on boards that specialize in selling and reselling personal data.
Visit your bank or call your lender this week to ask to receive text alert for card not present transactions, so whenever a hacker treats himself to a $5 mocha at your expense, you’ll know to put your card on hold.
Or better yet, don’t carry an RFID card at all, said Blank, and opt for a smart card with a crime-fighting EMV microchip instead. Unlike a regular magnetic strip card which stores all your info, EMV cards can’t be read by identity thieves.
To see six more ways to protect yourself against fraud, click here.