RFID (radio frequency identification) is showing up in more and more places and let me express an opinion: RFID is very scary.
I read how affixing RFID tags to warehouse merchandise makes inventory control much easier than it once was. The workmen need only pass by the fronts of storage shelves, scan the affixed RFID tags and account for all of the items there.
That's wonderful.
Then I read how RFID tags are now being included in credit cards and as with the warehouse example, by carrying no more equipment than can be stuffed into a duffel bag, a criminal can walk through a crowd and scan the RFID tags on the credit cards of passers by, thus stealing their credit card information.
That is not wonderful.
In connection with this, in Consumer Reports for August 2006, page 11, the "Your Letters" section, the editor wrote:
"Some data security experts have recommended using foil liners in wallets to block scanning of RFID-enabled payment cards that don't have to be swiped. But extending that type of protection to every item you carry could be cumbersome."
So which is worse, cumbersome or robbed?
A card with RFID will have a symbol on the back of the card that looks like a radiating signal. A dot is shown with small arcs that enlarge as they get further away from the dot. The credit card companies are supposed to give you a card without the RFID if you request one.
One of the TV news shows demonstrated how a suitcase device could read RFID cards. I know this is not one of the best references, but the demonstration was convincing.
Posted by: Ed Mengel | May 10, 2011 at 12:26 PM
Same reason I wear a tin foil hat... ;^)
Seriously though, this is one of those cases where the party with the most to gain or lose has the most control over the deployment of the tech... And I don't mean the end users; I mean the credit card companies. It is up to them to ensure that the RFID info can not be misused.
I think I can relax and let them handle the security issues. If I am ever robbed in this way, I will simply ask them to void it off my bill just as I would any suspicious purchase that I believed to be fraud.
So the real question becomes why do the CC companies want credit cards with RFID chips? Is it just so you can have greater ease of use (swiping a card is already pretty easy) or is it so they can start tracking you and your card even if you don't pull out your wallet?
Posted by: Simon Pereira | May 10, 2011 at 03:06 PM
Simply disable the RFID in the card.
Most cards are opaque, but you can still see a small (1/8 square inch) where the processor is embedded.
Stab it with a knife to kill the processor...
Note that this may also kill any other electronic function.
For example my ABN-AMRO (now Fortis bank) card has given me
*great* security by allowing me to use my ATM PIN and a
challenge number to authenticate me for online banking by using
a small calculator box where you insert the card and which
communicates with the processor to calculate the response to
the ATM PIN and challenge number, so there is a guaranteed
proof that the person logging in is the one with the ATM card
and PIN. I definitely do not want to lose that, it has allowed
me to do my banking safely for more than 10 years already.
NOTE that it is even easier to disable just the RFID on the
Amex Blue or Cash cards, because they are transparent.
I have no camera handy otherwise I could shoot a picture of
how I treated the RFID antenna (7 concentric rectangles) in the
same way as a PCB that needs patching: simply cut into the card
from one side until you have interrupted one or two of the coils,
so they no longer can receive or transmit. Done. The card is not
damaged in any major way, it just looks as if there is a deep
scratch from the back surface, not even visible from the front.
I made sure to cut in an area that did not have numbers (or
magnet strip) on front or back. Good luck killing your cards.
Posted by: Cor van de Water | May 10, 2011 at 06:11 PM
BTW, I just looked through my stack of cards and the only other
card that has a processor onboard is from JPMorgan, it features
the word "BLINK" and a sign of wireless activity consisting of
4 concentric circle segments.
I noticed the same sign on the Amex card that I already neutered.
It may well be that you need to signup for this service, but I am
not taking too many chances right now.
I thought that Amex was the first to offer RFID cards, since I have seen their antenna embedded in my card for many years, but
this 2005 article claims JPMorgan's Chase to be the first:
http://www.rfidjournal.com/article/articleview/1615/1/1/
Posted by: Cor van de Water | May 10, 2011 at 06:25 PM