Tuesday, March 10, 2015

Chip & Pin & a Tin Foil Wallet

   I've been talking a lot about ID Fraud lately and was recently asked this question:
"A question came up at home – and that is about use of credit card wallets that protect from rogue scanners. Are they necessary? Will they be more or less necessary when newer cards with embedded microchips are more prevalent?

I thought this might be an interesting topic for your blog."
   Thanks for the great question and idea to put this in a blog post!

   So, by credit card wallet I’m assuming that you mean some kind faraday cage or lead lined case that blocks electronic signals, as opposed to a credit card wallet like Google Wallet, Apple Pay or SoftCard.

   When it comes to old-school mag stripe cards… have you noticed how you sometimes have to reinsert or re-swipe the card in the reader, and even then it doesn’t always read?  Mag stripe is definitely a direct-physical-contact medium.  Other than vendor breaches or stolen (physical) wallets, the typical way someone can steal your mag-stripe card data is via some kind of skimmer.  There are very low profile skimmers that can be inserted into ATMs or gas pumps to grab your card data while you’re trying to do a legit transaction.  There are also hand-held or desktop units that an “evil waiter” can use to grab your card data when they take your card at a restaurant.  There are no reliable remote ways to read magnetic data off a card.  So, a lead wallet won’t help here at all.  It’s the same way you can’t read the contents of a hard drive just by being near it.

   Next is RFIDs.  That stands for Radio Frequency IDentification and, as the name implies, they do transmit data.  These are the chips in the tap & pay cards.  There are transmission-blocking wallets for RFID passports and things like that which transmit data.  So anything with RFID or a transmitter can be remotely read (at various distances).

   The new cards coming out will be chip & "something".  Currently in Europe they use chip & pin.  This is expensive to implement and requires replacing all the mag stripe readers with much costlier readers.  The chip is a microchip that computes a value and provides a 1-time-use code for a transaction.  Note that it does not use your credit card number.  In addition to that single use code, the person also needs to put in their numerical PIN.  So, even if the card was stolen, or the code could be remotely read, it couldn’t be used for a transaction without the PIN, and the code couldn't be reused.

   The US is actually considering chip & signature.  Among the reasons is that the cost will be lower even though the readers still need to be replaced.  (though, because of the marketing power of Apple and Apple Pay, many merchants have already upgraded readers).  The chip works the same way, but the 2nd part of the verification is the physical signature.  Not particularly strong but better than nothing.

   Now… neither of these new card types solves a particularly important case… Card Not Present.  This is when you buy something over the phone or internet.  So there’s no card reader nor person to look at your signature, and you don’t want to give some random merchant your PIN.

   There are a number of potential solutions in the works.  Verified-By-VISA or MasterCard SecureCode are examples of tools available now, even for mag stripe cards.  Basically, you choose one of these at online checkout; then you’re transferred to the VISA or MasterCard site; you authenticate there; the VISA or MasterCard site generates an acceptance code that get sent back to the merchant and you’re all set.

   So, chip & signature cards and readers will help deal with some of the credit card fraud we have, but we still need a standardized solution for Card Not Present (CNP).

   Now with that background, back to your initial question… remote reading of a magnetic stripe, chip & PIN or chip & signature card is not a major threat.  However, cards that use RFID, or any tap and pay technology, could be read remotely.

   You'd be far better off taking the precautions I listed in my previous ID Fraud articles including:

  • regularly viewing your credit report
  • watching your bills
  • shredding unneeded documents that have personal info
  • carrying only the minimum cards you need
  • using care online

   Thanks again for the great question!  If anyone has questions or ideas for things I should write about in the future, please let me know.

No comments:

Post a Comment