RFID skimming


RFID skimming is a method of unlawfully obtaining someone's payment card information.

How RFID skimming is performed

Modern payment cards have a built-in chip that transmits the card's information wirelessly. This is necessary to enable contactless payments, which have become increasingly popular in recent years.[1] Criminals can take advantage of this new technology by using a scanner that wirelessly scans the victim's payment card in the same way that a cash register scans it when a contactless payment is made. These scanners are legal and can be bought in regular electronics stores.[2] Most modern mobile phones running Android OS have a built-in NFC reader that can be used to unlawfully scan contactless payment cards.[3] A criminal can hide the scanner, e.g. inside a glove or a bag, stand close to the victim, and wirelessly steal the victim's payment card information.[4] The criminal can then use the wirelessly obtained payment card information to make fraudulent purchases online.[5] This is called card-not-present fraud.

RFID skimming compared to other types of skimming

In contrast to other types of skimming, such as ATM skimming or hacking an online merchant's web page, RFID skimming requires little or no technical expertise. To carry out ATM skimming, the criminal needs to custom-build a device, place that device inside an ATM, and later pick it up after the victims have used the machine. Hacking online merchants' web pages requires substantial computer knowledge.

Incidence

Card-not-present fraud increased rapidly between 2012 and 2016.[6] For example, the United Kingdom saw an increase from 750,200 reported cases in 2012 to 1,437,832 reported cases in 2016.[7]

Since it is not possible to know which method the criminal used to obtain the victim's payment card information, there are no statistics on the distribution between different types of skimming.

There are currently 92 million contactless cards in use. Card skimming is a larger problem than most people realise: CNBC has reported that skimming has cost people over $2 billion globally. In the UK, contactless payment has been around for some time, and in the first half of 2016 almost $7m was stolen in the UK alone.[8]

Myths

A common myth, often repeated by card issuers, is that a criminal can only steal the maximum amount that is allowed for contactless purchases. This sum is usually between $30 and $50 and differs from country to country. This has been proven wrong in a test by the British consumer magazine Which?. In the test, they successfully used wirelessly obtained payment card information to make an online purchase of over £3,000.[9]

Methods for preventing RFID skimming

Shielding

Shielding attempts to block radio signals from reaching the payment card by enclosing it within a container made of material that blocks electromagnetic signals in the RFID spectrum by acting as a Faraday cage.[10]

Metal foil

Shielding is possible by wrapping the payment card in aluminum foil,[11] which can be configured as a sleeve permitting a card to be slid out. However, aluminum foil tends to wear out quickly. Informal tests found that the shielding was not 100% effective, though it greatly reduced the maximum range for reading, from about 1.5 feet (50 cm) to 1–2 inches (3–5 cm).[12]

Permanent disabling of RFID functionality

RFID functionality can be disabled permanently by cutting internal wires; according to informal reports, use of a microwave oven has also been successful.[13] Cutting requires locating the internal wires, followed by cutting, drilling, or heating. Methods that visibly damage the card may lead to its being rejected as a payment method when presented to a retailer in the normal way.

Temporary blocking of RFID functionality

A blocking card, a new technology that has not been widely deployed, is a credit-card-sized security device intended to be kept close to vulnerable cards. It works by detuning the RFID signal of nearby cards, and thus allows them to be stored in a non-shielded container. When removed from the proximity of the blocking card for legitimate use, they function normally. The efficacy of some of these passive blocking cards has been challenged. There is also an active card on the market that electronically jams the frequency over which these RFID cards and ePassports communicate. This active jamming creates a jamming field that protects the cards located within it from being compromised.[14]

Electronic jamming of the RFID signal

Contactless payment cards, ePassports, many hotel room keys and building entry keys all communicate over a radio frequency; the most common frequency used for these types of RFID/NFC-enabled items is 13.56 MHz. There is a card-sized electronic jammer on the market that uses patented jamming technology to electronically jam the frequency (13.56 MHz) over which these payment cards, ePassports and other items communicate. When the jamming card is placed in a wallet or purse and detects an interrogation of the RFID/NFC-enabled payment cards, it instantly powers up using its own battery source to actively jam the RFID frequency, denying any interrogation of the cards' data. This active jammer creates a jamming field extending up to 15 cm from the front and the same distance from the rear of the jamming card, which protects the cards that fall within its jamming proximity.[14]

References

  1. Europe, Visa. "1 billion Visa contactless purchases made in last year". www.visaeurope.com. Retrieved 2018-08-28.
  2. "KKmoon RFID 13.56MHz Proximity Smart IC Card Reader: Amazon.co.uk: Electronics". www.amazon.co.uk. Retrieved 2018-08-28.
  3. "EMV Card Reader - Apps on Google Play". play.google.com. Retrieved 2018-08-28.
  4. Bachelor, Lisa (2015-07-23). "Contactless card fraud is too easy, says Which?". The Guardian. Retrieved 2018-08-28.
  5. "Card not present transaction". Wikipedia. 2018-08-04. Retrieved 2018-08-28.
  6. "Card-Not-Present Fraud Picking Up In U.S. | PYMNTS.com". www.pymnts.com. Retrieved 2018-08-28.
  7. "Financial Fraud Action UK - Fraud the Facts". www.financialfraudaction.org.uk. Retrieved 2018-08-28.
  8. "RFID Blocking Wallet do they work". Product Review Lad. Retrieved 2018-12-11.
  9. "Contactless card fraud is too easy, says Which?".
  10. Lee, Joel. "What Are RFID-Blocking Wallets & Which Should You Buy?". MakeUseOf. Retrieved 4 September 2017.
  11. "Can Aluminum Shield RFID Chips?". RFID Shield. Archived from the original on March 30, 2014.
  12. "Aluminum Foil Does Not Stop RFID". Omniscience is Bliss.
  13. "How to Disable 'Contactless Payment' on Your Debit Card". Instructables Web site.
  14. Armourcard jammer.