Comments on: New credit card scam?

Question: New credit card scam?

Listener — Sat, 24 Feb 2007 19:41:52 -0800

Device to steal numbers from your cards in your pocket?

A store clerk just mentioned to me that there's a new credit card scam where "they" can read your card numbers with a device, while the cards are in your pocket. I think she is mistaken or this is a nouveau urban legend. Can anyone confirm her claim?

By: Violet Hour

Violet Hour — Sat, 24 Feb 2007 19:48:43 -0800

I think she's just watching too much CSI:NY. That idea was used there recently.

By: -t

-t — Sat, 24 Feb 2007 19:50:57 -0800

I don't know if it's an actual problem yet, but I imagine it will be soon enough.

By: mediareport

mediareport — Sat, 24 Feb 2007 20:06:59 -0800

It's not fiction and it's not really new; it's called credit card skimming, where shady clerks/waiters/etc. run your card through portable readers and store the numbers for later use:

One of the ways that a thief can obtain your data offline is through the use of a "skimming" device. These small magnetic stripe readers can be easily purchased online for $300-$800...In the legitimate business world, these devices are used to swipe membership cars at gyms or take credit card orders away from the office. Technology has advanced so that these credit card readers can now be as small as a disposable lighter. They can also be hooked up directly to a Blackberry in order to email the credit card data instantly.

Most commonly, skimmers are used by waiters or retailers who have a convenient second to swipe your card when you hand it over. The can also be placed over an ATM or a gas station pump reader to capture card information. Once the skimming device is full, the thief downloads the stolen credit card information on to their computer and makes purchases using the data. In some cases, the skimmer data is sold to identity theft rings that actually produce and sell fake credit cards with your information.

By: Drop Daedalus

Drop Daedalus — Sat, 24 Feb 2007 20:13:17 -0800

It's called skimming, and the type of skimming you're talking about only works on RFID-chipped cards. The main place I have heard of this happening is Tokyo (probably also crowded places elsewhere in Asia where Japanese tourists congregate). You can buy card holders and covers that block skimmers.

If you Google "skimming," you will mostly get results related to ATM scams which use different technology to accomplish the same result. Googling "skimming Japan" or "skimming RFID" gets results for the scam you're talking about. This blog, RFID in Japan, contains several entries about anti-skimming measures.

Here'sone about skimming concerns in the US.

By: mediareport

mediareport — Sat, 24 Feb 2007 20:15:43 -0800

Oops, sorry, missed the reading while still in your pocket thing. Major credit card companies have denied that skimming RFID cards will be a problem, but last month Popular Mechanics ran this piece about researchers who did indeed get the name and card number info remotely:

However, a team of researchers at the University of Massachusetts, Amherst, was recently able to construct scanners capable of skimming both the cardholder name and card number from a variety of first-generation RFID credit cards. Then they found a way to transmit that data back to a card reader, tricking it into accepting a "purchase." We spoke with assistant professor Kevin Fu, who worked on the project. He wasn't willing to divulge which credit card issuers were compromised, but he said that many of the supposedly encrypted cards sent card numbers, expiration dates and cardholder names in plain text — which could be read through the envelopes the cards were mailed in.

Relatively speaking, the risks are low. No one we spoke with had actually heard of RFID "skimming" occurring outside a lab.

Do a search for 'rfid fraud credit card' and you'll find a lot about this.

By: Violet Hour

Violet Hour — Sat, 24 Feb 2007 20:16:24 -0800

Yeah, but credit card skimming requires that the theif actually swipe your card (or that you yourself swipe it in a device placed over a legitimate one). It doesn't work if the card is in your wallet or purse.

The link -t provided is more what the OP is asking about.

By: Violet Hour

Violet Hour — Sat, 24 Feb 2007 20:22:22 -0800

(Sorry! Posted too soon!)

By: chrisbucks

chrisbucks — Sat, 24 Feb 2007 20:23:53 -0800

I can only imagine this being possible if you have an RFID enabled card. Of course you can always buy an RF-ID blocking wallet to fix this...

By: VegaValmont

VegaValmont — Sat, 24 Feb 2007 21:43:39 -0800

You've already got an answer, but yeah I've heard of this. It's not a problem for me seeing as how I never carry cards. I'd recommend that to others, but I understand it's not an option for everyone.

By: LobsterMitten

LobsterMitten — Sat, 24 Feb 2007 23:12:45 -0800

Tagging along, does anyone know what the cheapest-while-still-effective RFID shield is? Suppose one has an RFID-chipped credit card or passport; will just wrapping it in tinfoil work?

By: plinth

plinth — Sun, 25 Feb 2007 06:31:35 -0800

I just want to point out that retrieving a user's name and CC # from an RFID card is criminal on the part of the issuer. While it is possible to store that kind of data on an RFID chip, it's far more secure to put a unique ID on the chip that when combined with a PIN and an authorized reader unique ID can be used to retrieve that information.

I worked on RFID technology in 1999 (before the moon was yanked out of the Earth's orbit), and security was one of our prime concerns. Our take on skimming was to make sure that information was not useful without much more context that was not available on the card. Putting the unique ID on readers as well was the capper.

The company tanked and I'm frankly surprised that first generation cards have clear skimmable information on them, considering some of the requirements from prospective companies we talked to.

By: joannemerriam

joannemerriam — Sun, 25 Feb 2007 07:55:26 -0800

How do you know if a card has RFID technology on it? My green card certainly looks as though it does - it's got this brass-coloured microfiche film-looking stuff on the back - but that might require swiping through a machine, I don't know. Should I get some sort of metal sleeve to keep it in, and if so, what metal?

Leaving it at home is not an option as technically I am required to carry it at all times.

By: timelord

timelord — Sun, 25 Feb 2007 10:07:33 -0800

Maybe they were talking about this scam. It's not the same as skimming, it actually involves swiping the card (so no reading from your wallet). But I don't think it's very widespread, either.

By: timelord

timelord — Sun, 25 Feb 2007 10:16:00 -0800

I'm not sure AMEX green cards have implemented any sort of RFID...but take a look at this blue card. If it's got that chip w/ that rectangular loop, then it has RFID tech.

Visa and Mastercard also have similar technology, but as far as I can tell there's no standard name for it, usually the issuing bank decides how to market it. For example there's Chase Blink.The card should have some sort of chip on it.

In any case...your card provider should be the one to let you know if they've issued you one of these cards. AFIK the vast majority of cards in the U.S. do not have this technology.

By: timelord

timelord — Sun, 25 Feb 2007 10:18:11 -0800

Oops, to clarify, when I say "that rectangular loop" I'm referring to the circuit-looking thing (it's an antenna), not the blue square in the middle.

By: joannemerriam

joannemerriam — Sun, 25 Feb 2007 13:03:40 -0800

Timelord, sorry, I wasn't clear. I wasn't talking about an Amex, but my US government issued permanent resident card.

By: Listener

Listener — Sun, 25 Feb 2007 13:34:08 -0800

Yeah, I found about the skimming with pocket device when I googled (definitely not what she was talking about, but what I thought she might be confused about) but I couldn't find RFID, so thanks for the vocab. I will call my card company to get details on my situation.

By: timelord

timelord — Wed, 28 Feb 2007 13:56:52 -0800

Joannemerriam, it's indeed possible about your U.S. green card. I wasn't aware they were doing it, but I found this article which seems to imply that they may be using RFID technologies.

Of course you can't completely rely on visual indicators. It's easy enough these days to make a card with the antenna/microchip stuff embedded inside. There's an illustration here (it's in Japanese, but hopefully the pictures speaks for itself).