Stopping digital pickpocketing
Credit cards that offer ‘contactless’ payment can leave users vulnerable to identity theft by thieves armed with only a smartphone. JEFF HEINRICH reports.
They’re easy to use. But the information inside? Easy to lose. As more consumers buy things by waving their credit or debit card or cellphone at a payment terminal — no PIN, no signature, no contact — a new frontier has opened up for digital thieves.
With something as simple as a downloaded freeware app, hackers can place their phone near your wallet or phone and get your name and basic card data immediately, without you knowing.
They can then use that data to make online purchases, and even send your banking information to another country via cellphone, where their cronies can rack up more purchases.
New drivers’ licences and passports, as well as gift cards and transit passes, which can be read electronically from further away, are also vulnerable to having their data lifted. Skimming, it’s called. Putting all the information together, a tech-savvy thief can steal your money and your identity and make your life miserable as you scramble for months to restore your good name with the authorities.
Though it’s still early days, this new type of electronic pickpocketing is shaping up to be a major headache — and also a potential boon for companies that specialize in anti-fraud devices.
The phenomenon of “contactless” payments and identification worries consumer groups and privacy regulators. They fear a door is opening to a new kind of digital fraud and snooping.
“When everything is computerized, are we really protected?” asked Dominique Gervais, lawyer for the Quebec consumer rights group Option consommateurs.
“I’m not convinced the technology is all that secure.”
Canada’s Privacy Commissioner is preparing a report on the risks of mobile payment technology. It plans to release the report later this year.
In Germany and New Zealand, as well as Canada, experts have successfully hacked contactless paycards in tests to prove they’re vulnerable. Apps can be downloaded off the Web to do it, too.
Unlike cards with a magnetic stripe on the back or a computer chip visible on the front, the new cards use radio-frequency technology to speed up transactions.
In geekspeak, the technology is called RFID, short for radio-frequency identification technology.
The latest version is called NFC, or near field communication.
A tiny chip and radio antenna are embedded in the card, under the plastic, and work when the card is “waved” in front of a merchant’s RFID (or newer NFC) terminal.
Visa calls it payWave (the cards have a wifi symbol on them); MasterCard calls it PayPass.
Either way, it’s quick and contact-free. There’s no signature required, no PIN to punch in.
Limited in Canada to small transactions (under $50), the payment system is a common sight at gas stations, depanneurs and fast-food joints like Tim Hortons and Subway, which take the cards at thousands of outlets nationwide. But that’s not all. Increasingly, Canadians don’t even need a card to make a payment. Some already do it right off their smartphone, just by waving it (and the NFC-enabled SIM card inside) at a terminal.
One flick of the phone, and the transaction is recorded on their Visa or MasterCard account.
CIBC and Rogers rolled out their “Suretap” service last November with BlackBerry and Olympic triathlete Simon Whitfield, who made Canada’s first NFC phone transaction at a Tim Hortons in Toronto.
And more of the kind are on their way.
RBC Royal Bank and Interac plan to inaugurate a mobile-phone debit service later this year with partners BlackBerry, McDonald’s and payment processor Moneris Solutions. Scotiabank has similar plans. At the same time, RFID tags that can be read at a much greater distance than the short-range NFC ones are already in widespread use.
They’re part of Quebec’s new Plus drivers’ licence (used to cross into the U.S.) and Canada’s new ePassports. They’re also in some bus-and-metro passes, as well as gift cards, library cards and employees’ access cards.
Amid this abundance, and with NFC continuing where RFID left off, privacy regulators have thrown up a red flag.
In an era of virtual payments and IDs, virtually everyone’s at risk.
“General concerns have been raised about NFC chips, because they are designed to not perform any sort of authentication,” said Scott Hutchinson, the federal watchdog’s spokesperson.
“That is, they do not check to see if the incoming query is valid or legitimate or authorized. The chips will respond to any properly formatted or structured query,” he said in an email from Ottawa.
And that means fraudsters can have a field day.
Noting that use of the new technology is on the rise, the watchdog is urging providers to “implement the strongest measures of privacy protection throughout the (mobile) payments system process.”
Visa, for one, says it’s already done that with its payWave cards.
“Because information travels from card to terminal without any contact, there is a remote risk that data can be intercepted,” the company acknowledged in a statement to The Gazette.
“However, we have built in multiple layers of security for every Visa transaction that helps protect against fraud using stolen information,” it continued.
Among the measures: “advanced cryptographic security” that gives each transaction its own code and doesn’t reveal the cardholder’s name or the three-digit security code on the back of the card.
As well, “all transactions processed by Visa’s global processing network, VisaNet, are analyzed in real-time and scored for its fraud potential,” the company said.
“Visa is able to use a comprehensive view of the global payments system to identify fraud patterns and detect suspicious transactions right at the checkout.” The result? “Visa’s global fraud rates (are) near historic lows — fewer than six pennies for every $100 transacted,” the company said.
To date, it added, “there have been no reports of fraud perpetrated by surreptitiously reading Visa payWave cards.”
If you’re worried about the possibility, however, there are solutions.
One is a thin, aluminum-lined protective sleeve designed in Montreal that shields cards from skimming. It’s called Identity Block and is made by Strenua Solutions, a startup in St. Henri.
“Everybody’s a potential victim,” said Mark-Oliver Hassoun, who came up with the product last year as a spinoff of KLF Media, the company his business partners founded in 2005.
“As soon as you have a card and an identity, they’re worth stealing,” said Hassoun, who learned that the hard way a decade ago when his Canadian credit card was hacked as he travelled in Europe.
Demonstrating how easy it is, technician Dario Momesso first took a visitor’s Visa card, placed it on the table, put his smartphone over it and waited for it to “lift” the data.
After a few tries, the phone — loaded with NFCProxy, a simple freeware app downloaded off the Web that’s designed to skim cards — displayed the visitor’s name, card number and the card’s expiry date.
By wireless, his technician then transferred the data to another NFC-enabled phone placed next to it, to illustrate how easily data could be sent around the world and be used by other fraudsters.
Then the technician demonstrated how Identity Block works.
He slid the visitor’s Visa card into the protective sleeve, placed his phone over it and tried lifting the data again. Nothing happened. No data was displayed. The card was secure.