In the past six months, I was a victim of bank-card fraud twice.
The first time it happened, I had been traveling abroad in the weeks that preceded the fraud. I had booked a hotel on a possibly-not-so-safe website before my trip, and, admittedly, may not have kept my belongings with me at all times while abroad. The person who proceeded to take large chunks of money from my account could have gained access to my Visa debit card details, either before or during my trip, without much effort.
The latest fraudulent transaction was more puzzling. It was a low-value one-off payment — that could easily have escaped my attention — that happened after a couple of months of scarce card use at home.
Shortly after I told a friend about the later transaction, she sent me this video about RFID and electronic pickpocketing. I wondered if I had been a victim of this — easily gone unnoticed — form of fraud.
RFID, or radio-frequency identification, is like a high-tech version of the bar code. It is a form of automatic identification technology that uses a radio-frequency link to transfer information between a tag and an electronic terminal. The tag is attached to an object (a card or a DVD box, for example) and the information stored in it can be read when the tag is placed near an RFID terminal. A familiar UK example is the Transport for London “Oyster Card”, which uses RFID to register the check-in and check-out locations of Tube journeys. RFID tags are also widely used in library books, passports and in animal identification.
The technology has advantages over standard bar codes, which transfer data optically. For example, RFID tags can store more data than bar codes, and the technology makes it possible to scan several products at the same time. In some supermarkets, such as Tesco in the UK, the technology is used to monitor stock. Products such as DVDs and CDs are equipped with RFID tags while readers are built into the store’s shelves. When a product is running low, or when a DVD or CD is misplaced, stockroom staff are alerted.
Despite the advantages, the technology is not without its problems. One of the issues with RFID is its price: tags and readers are expensive. This is one reason why RFID has been used on selected objects only and not on cheap products such as cereal boxes or candy bars. However, recently developed technology, including a tag that “uses ink laced with carbon nanotubes to print electronics on paper or plastics” (as described on Wired in March this year), could drive down the cost of RFID implementation. As a result, this tagging method may soon be in even more widespread use than at present.
This widespread use of RFID tagging raises yet another, more important, issue: that of privacy — or lack thereof. According to a UK Parliament 2004 briefing on RFID, amongst the main concerns raised by civil liberties groups are the “use of the data by a third party” and “the ability to track individuals”.
The latter is now a reality. For example, RFID tags are used in some UK and US maternity wards and schools to track babies and young children. The chips used in both maternity wristbands and children’s clothes are “active”, meaning that they have a battery and can send a radio signal at regular intervals, so that parents and teachers can know where RFID-tagged babies and kids are. (“Passive” tags, used on cards and supermarket products, do not have their own power supply and are only activated by the radio waves of an RFID reader.)
While tagging children is useful for preventing kidnappings, it raises privacy issues. The concern seems particularly understandable in cases where surveillance is not justified by a real threat, as noted in this month-old Guardian article. The piece explains how a scheme to identify young children electronically caused an outcry in France as “trade unions, councils and civil liberties groups were indignant at the invasion of privacy.”
The use of data by a third party, and the security threat associated with it, may also be a real problem already. A case in point is precisely that of bank cards, which are increasingly equipped with RFID tags.
Banks such as Barclays call the technology “contactless”, a way of using your RFID-equipped debit card to make low-value purchases. It is a form of payment where money is taken out of your account simply by placing your card near an RFID reader, without the need to enter a PIN or hand the card to the merchant. If your card is like mine, it will have the “contactless” symbol (similar to the wireless “waves” icon) on it to let you know that it has an RFID tag so you can use it for this type of payment.
While Barclays’ “quick” and “easy” adjectives may be appropriate to characterise this form of payment, it is less certain that “secure” can be added to the list. The bank claims that the technology is as reliable as that used in Chip and PIN transactions. Ironically, researchers at the University of Cambridge proved earlier this year that “Chip and PIN is broken.”
In fact, the video I linked to earlier does seem to indicate that RFID-related fraud can be a real threat. It shows that it is reasonably easy and cheap to buy a “contactless” reader that, if placed close enough to your card, could extract information such as the card number and expiry date from it.
This CBC News piece also describes ways in which RFID-equipped bank cards can be hacked. In addition, it quotes a cyber-security expert, Pablos Holman, who draws attention to the fact that no bank card security method is 100% fraud-proof. In Holman’s words, “What people don’t understand is the credit-card industry isn’t trying to make cards secure . . . They just have a risk-management problem where they try to control the amount of fraud on their system.”
Indeed, I find that the best way to fight fraud is simply to monitor my statements to make sure I detect odd charges to my cards because “fraud can occur even after taking the best precautions”. The quote is from an eHow page which gives a few tips to keep your card RFID-safe. The website presents another option, one that you might prefer, which consists of wrapping your “contactless” cards in aluminum foil — apparently it blocks RFID transmission.
Alternatively, you could “Think Geek” and buy one of these RFID blocking wallets. Definitely “more comfortable than aluminum foil in your pants.”