Search All Traveloscopy Sites


Wednesday, July 27, 2016

The Cyber Pickpocket you’ll never see coming: RFID card security for travellers



It’s the call no one wants to get. It’s the first week of your month-long holiday. Your credit card has been skimmed and the bank is cancelling your card. Okay, most banks will guarantee the money and you won’t lose, but you can end up spending the rest of your holiday trying to obtain a new card.

"Oh, no!"
I was lucky. It was a short trip and I was home before my bank called telling me my card had been compromised and that they were cancelling it. As it turned out, all my travelling companions had fallen victim, most likely at the same time by the same perpetrator. We got off lightly.

Racking our brains, we all tried to figure out which store we’d been to that may have stolen our credit card details. My bank was not being at all helpful, just telling me that it was some time during my trip to Fiji the week prior.

Now fast forward to a travel expo I attended today and I meet Mike Casey of Travel Guard who is displaying an array of wallets, passport holders and document folios touting a big ‘digital security’ sign.

Yes, I knew about the RFID (Radio-frequency identification) technology being rapidly introduced into our bank cards, passports and even hotel keycards. Yes, I knew there were concerns about the security of this technology. And yes, I knew there were consumer countermeasures available for folks like me.

Wallets full of cards and data
What I did not know was just how darned easy it is to actually acquire the data from people’s cards without them even knowing.

“Watch this,” says Mike as he grabs an old bank card and his smartphone. “All I need to do is pass the phone next to your card and … voila … I have all your data, card number, expiry date, everything.”

The phone is equipped with a readily and legally available card reader downloaded from Google Play Store. Of course, to convert that data into something useful, some more kit is required but the ease of that was demonstrated to guests at a recent hacker conference in Washington. Security researcher, Kristin Paget, used about $350 in equipment to wirelessly read a volunteer’s RFID-enabled credit card and then encode its key data onto a blank card. Then, in the next minute, she used that newly encoded card to make a payment to herself.

When I related my Fiji experience to Mike, he was certain that we’d fallen victim to a skimming racket that likely captured data from all our cards and everyone else’s around us. In such an instance, Mike believes a hacker used simple, hobby store components to build an enhanced RFID scanner with sufficient range to capture data at a distance outside one’s normal ‘personal space.’

Cards displaying the payWave logo contain RFID technology
“Hackers are building these longer range devices into backpacks and suitcases, then lurking at places like airports and shopping malls and literally scooping heaps of data,” says Mike.

This disconcerting practice is supported by police reports.

"If I had one of those [devices] in my pocket, satchel or briefcase, and you were standing next to me on a train and your wallet was in your back pocket and I moved near enough to activate the signal on the RFID, well then I've got your details," said Detective Inspector Brian Hay, from Queensland Police's fraud and cybercrime squad.

Travel Guard RFID blocking card
The expert credit-security company, Veda, analysed frauds on Australian banks and credit providers, finding an overall rise of 27 per cent and a 103 per cent spike in identity theft in 2014.

There are other shortcomings and vulnerabilities in the whole RFID system that I will leave you, the reader, to determine for yourself with a few minutes of Google research.

So, having been (most likely) the victim of RFID data theft myself, I would advocate the purchase of what Mike was selling, namely a range of Travel Guard security wallets and blocking cards. I now have one in my pocket.

There are others who would argue that the risk of RFID data theft is so low that the fear is generated so that vendors of blocking technology can keep selling their stuff. The reader will need to make that decision for themselves, but after travelling for years through airports and hotels all around the world, they finally got me and I’m not taking the risk anymore.

For details and purchasing information, visit: www.travelguard.net.au




No comments:

The Expeditionist

The Expeditionist
Venturing to the world's special places