RFID skimming

Last updated

RFID skimming is a method to unlawfully obtain someone's payment card information using a RFID reading device.

Contents

How RFID skimming is performed

Modern payment cards have a built in chip that transmits card information wirelessly. This is because it is necessary in order to enable contactless payments, which has become increasingly popular during recent years. [1] Criminals can take advantage of this new technology by using a scanner that wirelessly scans the victim's payment card in the same way that a cash register scans it, when making a contactless payment. These scanners are legal and can be bought in regular electronics stores.

Most modern mobile telephones running Android OS have a built in NFC reader that can be used to unlawfully scan contactless payment cards. A criminal can hide the scanner e.g. inside a glove or a bag, and then place it close to the victim and wirelessly steal the victim's payment card information. [2]

With the wirelessly obtained payment card information, the criminal can use it to make fraudulent purchases online.[ citation needed ] This is called card-not-present fraud.

Methods similar to RFID payment card skimming may also be used for copying other RFID-based proximity cards, such as those used for keycard locks. 125 kHz RFID and other systems relying on a unique identifier number (UID) are vulnerable to this. [3] [4]

Incidence

Card-not-present fraud increased rapidly between 2012 and 2016. [5] In the United Kingdom an increase could be seen in card not present fraud - from 750,200 reported cases in 2012, to 1,437,832 reported cases in 2016. [6] However, there are no statistics available regarding RFID skimming, as it is difficult to determine the method of card fraud. [7]

RFID skimming compared to other types of skimming

In contrast to other types of skimming such as ATM skimming or hacking an online merchant web page, RFID skimming requires little or no technical expertise. In order to execute ATM skimming, the criminal needs to custom build a device, then place that device inside an ATM and later pick up the device after the victims have used it. Hacking online merchant web pages requires substantial computer knowledge.[ citation needed ]

Methods for preventing RFID skimming

Metal foil

Shielding is possible by wrapping the payment card in aluminum foil. However aluminium foil tends to wear out quickly. Informal tests found that the shielding effect was not 100% effective, although the foil did very much reduce the maximum range for reading, from about 1.5 feet (50 cm) to 1–2 inches (3–5 cm). [8]

Permanent disabling of RFID functionality

According to informal reports, RFID functionality can be disabled permanently by cutting internal wires and the use of a microwave oven has also been reported successful. [9] Cutting requires location of the internal wires, followed by cutting, drilling, or heating. Methods that visibly damage the card may lead to it being rejected as a payment method when presented to a retailer in the normal way.

RFID-blocking materials

There are RFID-blocking wallets, purses, sleeves, and cards. Wallets, purses, and sleeves work by acting as a Faraday cage that creates a screen around contactless cards, which stops electromagnetic fields interacting with the cards. [10]

RFID-blocking cards

An RFID blocking card is an RFID-blocking device that operates without a battery by receiving the RFID signal from a card reader or skimmer and it scrambles the RFID signal making it unreadable by any device. Most RFID wallets try to stop the electromagnetic fields interacting with RFID cards whereas RFID Blocking cards use "active jamming technology" to interrupt the communication. [11]

Related Research Articles

<span class="mw-page-title-main">Mobile payment</span> Payment services via a mobile device

Mobile payment, also referred to as mobile money, mobile money transfer and mobile wallet, is any of various payment processing services operated under financial regulations and performed from or via a mobile device. Instead of paying with cash, cheque, or credit card, a consumer can use a payment app on a mobile device to pay for a wide range of services and digital or hard goods. Although the concept of using non-coin-based currency systems has a long history, it is only in the 21st century that the technology to support such systems has become widely available.

<span class="mw-page-title-main">Near-field communication</span> Radio communication established between devices by bringing them into proximity

Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm or less. NFC offers a low-speed connection through a simple setup that can be used for the bootstrapping of capable wireless connections. Like other proximity card technologies, NFC is based on inductive coupling between two electromagnetic coils present on a NFC-enabled device such as a smartphone. NFC communicating in one or both directions uses a frequency of 13.56 MHz in the globally available unlicensed radio frequency ISM band, compliant with the ISO/IEC 18000-3 air interface standard at data rates ranging from 106 to 848 kbit/s.

<span class="mw-page-title-main">EMV</span> Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

<span class="mw-page-title-main">MIFARE</span> Brand of smart and proximity cards

MIFARE is a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards.

<span class="mw-page-title-main">Payment card</span> Card issued by a financial institution that can be used to make a payment

Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner to access the funds in the customer's designated bank accounts, or through a credit account and make payments by electronic transfer with a payment terminal and access automated teller machines (ATMs). Such cards are known by a variety of names, including bank cards, ATM cards, client cards, key cards or cash cards.

A card reader is a data input device that reads data from a card-shaped storage medium and provides the data to a computer. Card readers can acquire data from a card via a number of methods, including: optical scanning of printed text or barcodes or holes on punched cards, electrical signals from connections made or interrupted by a card's punched holes or embedded circuitry, or electronic devices that can read plastic cards embedded with either a magnetic strip, computer chip, RFID chip, or another storage medium.

A contactless smart card is a contactless credential whose dimensions are credit card size. Its embedded integrated circuits can store data and communicate with a terminal via NFC. Commonplace uses include transit tickets, bank cards and passports.

<span class="mw-page-title-main">NETS (company)</span> Singaporean electronic payment service provider

Network for Electronic Transfers, colloquially known as NETS, is a Singaporean electronic payment service provider. Founded in 1986 by a consortium of local banks, it aims to establish the debit network and drive the adoption of electronic payments in Singapore. It is owned by DBS Bank, OCBC Bank and United Overseas Bank (UOB).

<span class="mw-page-title-main">Contactless payment</span> Technology enabling payment without physical contact

Contactless payment systems are credit cards and debit cards, key fobs, smart cards, or other devices, including smartphones and other mobile devices, that use radio-frequency identification (RFID) or near-field communication (NFC) for making secure payments. The embedded integrated circuit chip and antenna enable consumers to wave their card, fob, or handheld device over a reader at the point-of-sale terminal. Contactless payments are made in close physical proximity, unlike other types of mobile payments which use broad-area cellular or Wi-Fi networks and do not involve close physical proximity.

<span class="mw-page-title-main">Payment terminal</span> Device for electronic fund transfers

A payment terminal, also known as a point of sale (POS) terminal, credit card machine, card reader, PIN pad, EFTPOS terminal, is a device which interfaces with payment cards to make electronic funds transfers. The terminal typically consists of a secure keypad for entering PIN, a screen, a means of capturing information from payments cards and a network connection to access the payment network for authorization.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Wireless identity theft, also known as contactless identity theft or RFID identity theft, is a form of identity theft described as "the act of compromising an individual’s personal identifying information using wireless mechanics." Numerous articles have been written about wireless identity theft and broadcast television has produced several investigations of this phenomenon. According to Marc Rotenberg of the Electronic Privacy Information Center, wireless identity theft is a serious issue as the contactless (wireless) card design is inherently flawed, increasing the vulnerability to attacks.

A payment processor is a system that enables financial transactions, commonly employed by a merchant, to handle transactions with customers from various channels such as credit cards and debit cards or bank accounts. They are usually broken down into two types: front-end and back-end.

<span class="mw-page-title-main">Apple Wallet</span> Digital wallet platform by Apple

Apple Wallet is a digital wallet developed by Apple Inc. and included with iOS and watchOS that allows users to store Wallet passes such as coupons, boarding passes, student ID cards, government ID cards, business credentials, resort passes, car keys, home keys, event tickets, public transportation passes, store cards, and – starting with iOS 8.1 – credit cards, and debit cards for use via Apple Pay.

Apple Pay is a mobile payment service by Apple Inc. that allows users to make payments in person, in iOS apps, and on the web. Supported on iPhone, Apple Watch, iPad, Mac, and Vision Pro, Apple Pay digitizes and can replace a credit or debit card chip and PIN transaction at a contactless-capable point-of-sale terminal. It does not require Apple Pay–specific contactless payment terminals; it can work with any merchant that accepts contactless payments. It adds two-factor authentication via Touch ID, Face ID, Optic ID, PIN, or passcode. Devices wirelessly communicate with point of sale systems using near field communication (NFC), with an embedded secure element (eSE) to securely store payment data and perform cryptographic functions, and Apple's Touch ID and Face ID for biometric authentication.

<span class="mw-page-title-main">Samsung Pay</span> Mobile payment and digital wallet service

Samsung Pay is a mobile payment and digital wallet service, operated by the South Korean company Samsung Electronics. It lets users make payments using compatible smartphones and other Samsung-produced devices, accessed using the Samsung Wallet app.

<span class="mw-page-title-main">LG Pay</span> Mobile payment service

LG Pay was a mobile payment and digital wallet service by LG Electronics that let users make payments using compatible phones. The service supported contactless payments using near-field communication (NFC), and also incorporated wireless magnetic communication that allowed contactless payments to be used on payment terminals that only supported magnetic stripe transactions.

<span class="mw-page-title-main">Google Pay (payment method)</span> Mobile payments platform developed by Google

Google Pay is a mobile payment service developed by Google to power in-app, online, and in-person contactless purchases on mobile devices, enabling users to make payments with Android phones, tablets, or watches. Users can authenticate via a PIN, passcode, or biometrics such as 3D face scanning or fingerprint recognition.

<span class="mw-page-title-main">Square (financial services)</span> Financial services provided by Block, Inc.

Square is a point-of-sale system for businesses with physical or online stores. Launched in 2009 by Block, Inc., it enables sellers to accept card payments and manage various business operations. As of 2023, Square leads the U.S. point-of-sale systems market, serving 4 million sellers and processing $210bn annually.

Google Wallet is a digital wallet platform developed by Google. It is available for the Android, Wear OS, and Fitbit OS operating systems, and was announced on May 11, 2022, at the 2022 Google I/O keynote. It began rolling out on Android smartphones on July 18, 2022.

References

  1. "1 billion Visa contactless purchases made in last year". www.visaeurope.com. Retrieved 2019-01-06.
  2. Bachelor, Lisa (2015-07-23). "Contactless card fraud is too easy, says Which?". The Guardian. ISSN   0261-3077 . Retrieved 2019-01-06.
  3. Maxsenti, Mike (23 May 2017). "How to Clone an RFID Key Card for Less Than $11 – And How to Defend Against It". Genea.
  4. Mehl, Bernhard. "Step-by-Step: How to Copy RFID and NFC Access Cards & Key Fobs". www.getkisi.com.
  5. PYMNTS (2017-01-18). "Card-Not-Present Fraud Picking Up In U.S." PYMNTS.com. Retrieved 2019-01-06.
  6. "Financial Fraud Action UK - Fraud the Facts". www.financialfraudaction.org.uk. Retrieved 2019-01-06.
  7. "What is RFID Blocking (and Why You Don't Really Need It)". FinanceBuzz. November 7, 2019.
  8. "Aluminum Foil Does Not Stop RFID". Omniscience is Bliss.
  9. NTT (2013-09-15). "How to Disable 'Contactless Payment' on Your Debit Card". instructables circuits. Retrieved 2020-02-10.
  10. Miczulski, Matt (7 November 2019). "What is RFID Blocking (and Why You Don't Really Need It)". FinanceBuzz.
  11. Kingsley-Hughes, Adrian (20 February 2023). "Testing RFID blocking cards: Do they work? Do you need one?)". ZDNET.