Cyberthreats are everywhere, especially when you venture out of your home. You could be mugged walking down the street, but then again chances are that you will not be, especially if you are careful. But could you be cyber-mugged?
What if you were walking down the street, using public transport, or out shopping, and someone could steal money from you without even touching you or physically taking your wallet?
What if every time you got your new credit card out to pay for something, someone added an extra charge to your card for something you never bought?
Today many banks insist on giving their customers contactless cards. They work by using RFID — that Radio-Frequency Identification. According to Wikipedia, “Radio-frequency identification (RFID) is the wireless use of electromagnetic fields to transfer data, for the purposes of automatically identifying and tracking tags attached to objects” (https://en.wikipedia.org/wiki/Radio-frequency_identification).
So contactless cards are useful for paying for things with. You can easily identify them as they have a small logo on them that looks like several curved lines getting bigger. This means the card has an RFID chip embedded within it. This makes paying for things a time-saver — yes, you can save perhaps 3 seconds of your life by waving your card at a contactless card reader instead of inserting the card and entering a PIN (Personal Identification Number). Is it really worth it, you might wonder? At present in the United Kingdom, contactless cards can only be used for payments up to and including £30. In the USA the limit is only $25, and in the Eurozone it is generally €25, except for Ireland where it is only €15. The lower the limit the less chance of paying for something accidentally.
But what if you have a contactless card and you go to pay for something, and have maybe more than one credit or debit card? Perhaps you have one contactless debit card and a non-contactless old-fashioned credit credit, and you want to pay with the credit card. Then, as you get your card out and keep holding your wallet as you put the card into the card reader, the contactless card reader sends out a small radio signal and detects your contactless debit card. As the transaction is only, e.g. £15 or $15, it automatically takes payment from the debit card, even though you never intended to pay wit this.
Do you think that could not happen? I have seen it happen to someone once in a shop. A woman wanted to pay with one card but the card terminal read her contactless card and made the payment.
Now in London on public transport, operated by Transport for London (TfL), we have Oystercards. These work in the same way as the contactless payment cards, they have a small RFID chip inside and the whole network has yellow card readers at station entrances, interchanges, and on buses where people enter. In fact, if you get on a bus, you can no longer pay by cash — you have to use an Oystercard, a paper ticket (yes, they do still exist) or a contactless credit/debit card. Various cities around the world, including at many locations in the USA, now use a contactless card system to allow passengers to pay and board quickly.
At stations in London they have started making announcements to remind people to keep their contactless cards separate from each other, so that when they go to the ticket barriers and use their Oystercard or contactless card, they use only one card and keep the others well away from the yellow card readers, otherwise they could pay with the wrong card or even pay twice. Or, if they are coming out of a station, pay with the wrong card, and then both cards get charged a penalty fare. The first one because you did not complete the journey, the second, because you came out of a station without touching in anywhere with that card.
Even worse than all this though is the fact that there are hackers out there with wireless devices that can scan for contactless cards in their immediate vicinity. If you have a wireless card of some sort, the scanner will send out a radio signal, the card’s chip catches the radio signal and sends back a signal. Note that the chips have no power, no battery inside, and they cannot send out signals by themselves — they just respond to signals they receive. It’s a bit like radar where a signal is sent out to detect an aeroplane and the radio signal bounces off a plane and gets directed back to the radar base. Without the radar signal, no plane would be detected.
So hackers can go around with ever-more sophisticated equipment and find lots of contactless payment cards or Oystercards which will respond with various information. The criminal hackers can then take that data and use it to make their own payments online or with a cloned contactless card, and the cardholder loses out. As it all happens so fast, and without any physical stealing of a card, the cardholder is left none the wiser until they either check their account online (or on a paper statement) or they get a call from the card issuer wondering if the cardholder had made such unusual transactions lately.
So what is the solution, If any? What can you do to protect yourself from this?
If you have a bank card, and you have the option of contactless or not, having a card without contactless is a more secure option. You might only need the contactless option if you are going to use it on the London Underground or elsewhere on the TfL network to pay for your journey, but in shops using chip and PIN is far more secure and not at all difficult when it comes to paying for things (so long as your remember your PIN). If you travel in London and have an Oystercard then that will always be vulnerable, but you could instead stick to paper tickets.
But in this ever-increasingly high-tech world it is getting harder to not use contactless cards of some sort. And a lot of large employers are now giving their employees cards with RFID chips in so that they can control access to their premises securely.
The answer is to use a kind of faraday cage. This is a term for any kind of secure encasing, usually around a room or building, that blocks all radio signals. But a small faraday cage would work just as well for cards, all it needs to be is a small metallic wallet of some kind that you put the card in and the metal blocks the radio signals.
You can use a small container that is just big enough to put one card in, but we are going to need more and more of those today as more and more of our cards get RFID chipped. Or you can use a wallet that is designed to block RFID by being lined with radio-blocking material — a small faraday cage you can put in your pocket.
An RFID-Blocking Wallet
SekureTravel now sells such RFID blocking wallets. You can buy them at Amazon.com at this link.
Although there are plenty of leather wallets around at the moment that claim to be “RFID-blocking” we got hold of one and tested it and found it to be lacking — it did not block any radio signals at all. There are plenty of similar products on Amazon, if you read the reviews you will see that others have found that leather “RFID-blocking” wallets do not often block RF signals and may leave your contactless cards vulnerable.
The metal RFID-blocking wallet design is the only sure way to block radio signals. This has been tested and found to work well in blocking RF, due to its metal case which keeps all contactless cards inside safe. The other advantage to these wallets is that they are also waterproof and will keep your cards dry inside.
SekureTravel’s RFID blocking wallets are on sale, in conjunction with Global Stuff Shop. (Photo of wallet © David A. King 2015)
Main image at top of page © anyaberkut / Dollar Photo Club