New RFID Credit Cards Pose Security Problem

By Beth Williams

Most newly issued credit cards pose major fraud and privacy concerns because of how they’re designed to be scanned through the air, some cyber-security experts warn.

“Contactless” MasterCards and Visa cards have been available in Canada for several years, but they’ve only recently reached the bulk of consumers as the country’s biggest banks adopt them.

The credit cards have an embedded computer chip called a radio frequency identification, or RFID, tag. When waved near a payment terminal in a store, the chip supplies the card’s number and expiry date through radio waves, avoiding the need to swipe or insert the card or have a cashier handle it.

And that’s the first problem, U.S. cyber-security expert Pablos Holman says.

Anyone can buy an RFID credit card reader online, where second-hand units sometimes sell for under $10, and start scanning cards in public — without cardholders knowing.

“It’s not encrypted, which is not what we were expecting,” said Holman, who has gone on U.S. TV newscasts to demonstrate the security gap. “It’s really easy to read. … Now you can get a generic RFID reader and use open-source programs available on the web and read cards.”

Video Demonstration of RFID Credit Card Theft