DIGITAL THEFT

Electronic Pick-pocketing

Learn more about this new type of digital theft.

 

To read more about a particular item simply click on the title to expand it.

Q. Is it true that the information that can be electronically ‘skimmed’ from a contactless credit card or debit card never includes the cardholder’s name?

Sometimes the name is transmitted, but generally not. It matters little however, as the transaction is accepted or declined based on the account number and the expiration date of the card. After that it’s up to the merchant but rarely is a transaction declined on the basis of an apparent inconsistency in the name, even if the gender of the cardholder does not match the gender marked on the card.

Q. Why should I be concerned as long as the three-digit security code printed on the back of the card is never transmitted?

The three-digit security code on the back of your card is never transmitted, but this does not mean that you are not at risk. This security number is not the only security code on a card. The magnetic strip has a different three-digit code. There’s also a dynamic CVV code transmitted from the RFID chip of a contactless card. These codes can be applied to a blank card such as a hotel key card and it will then work as a payment card.

Q. Surely, if each RFID transaction is issued with a different dynamic CVV code, a maximum of only one fraudulent transaction can occur if a cardholder becomes a victim of electronic pickpocketing?

True, but only in part. Even though the dynamic code does change with each transaction, the initial card details read by a card scanner, when copied onto another card like a hotel key card, has been shown to be effective and accepted on subsequent transactions.

Q. Is it true that if multiple contactless credit and debit cards and other RFID-enabled documents are stored one on top of each other in your wallet, the security information on each card or document is jumbled and effectively blocks electronic pickpockets?

This is not true. Contactless terminals in shops have technology built in which is designed to avoid any collision of data between the cards. Each card is primed to wait its turn to be scanned. By contrast, a card skimmer could cycle through all the cards in a wallet in a matter of a second or two.

Q. Is it the case that all security sleeves sold for cards, including simple Tyvek sleeves, are effective in protecting a card inside?

No, this is not true. Card security sleeves have to be made of a special screening material or lined with such a material, and can in any case protect only one or two cards. Security sleeves are first-generation technology and protect only the cards inside

Q. I’ve read that a pair of special ‘card guards’ can protect all the cards in a wallet, if one card guard is placed at the front of the wallet and one at the back. Is this true?

This is only partially true, as the two cards need to be directly aligned with each other. The problem is that the makers of these cards suggest that one pair of card guards should be used for each credit card. If the user wants to avoid illegal scanning or accidental payments when a wallet is held close to a contactless credit card terminal then multiple pairs of card guards would be required. Two cards can only ever create a very slim field of protection, no more than 10mm deep. This form of ‘passive’ protection is not enough for an entire wallet or purse. Two-card anti-skimming security is based on first-generation technology that was first discovered in the 30’s – the principle of creating a ‘Faraday Cage’. There are much more effective and reliable sources of protection now available.

Q. Is it true that only hard metal wallets prevent electronic pickpocketing.

This is false. These wallets will protect your cards, provided they are kept closed. The problem is that as soon as a metal wallet is opened it becomes vulnerable. They also tend to be heavy and bulky.

Q. What other personal identity documents are at risk? Surely not our Passports?

Those who are researching the extent of the current data-skimming threat face a critical dilemma. In the effort to warn the public of the scale of the threat, should one nominate the specific software or the Android apps that allows anyone to turn their phone into an instrument that facilitates data theft? The answer for any news organisation or vendor of protective devices has to be no. Nevertheless, the public need to be made aware that there is at least one free app that can now be downloaded from the Google Play store that can transform any smartphone into a card reader or a passport scanner. The card readers will display the long card number and expiry date of each card, and in the case of most Mastercard payment cards, details of the date and value of all recent card transactions. As far as our passports are concerned, practically all of the personal identity details on a UK passport can now be read within seconds by anyone equipped with an Android device and the right free software.

Q. The Payment Card Industry denies that the problem exists: Richard Koch, head of policy at The UK Cards Association, said: "This is not a new story. Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket.” "Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless - far lower even than overall card fraud.”

What Mr Koch omits to mention is that cardholders may not notice a series of low-value transactions on their statements. A card that has been compromised can of course be blocked, but only if the cardholder reports suspicious debits on their account. By the time the loss is noticed, it may already be too late to avoid fraudulent use of the cardholder’s account. Full compensation will normally be provided, but the process of reimbursement can take many months.

Q. But surely, a thief would have to touch someone’s wallet or purse with a scanner to be able to skim their credit card details?

Sadly, this is no longer true at all. Although traditionally, pickpockets would bump into a victim before reaching into their pocket, modern scanners that are freely available for less than £100 on the internet can scan, read and steal your card details without touching you at all. And these days, the more sophisticated electronic pickpockets tend to use powerful card scanners and signal boosters, with a large antenna concealed in a back-pack, briefcase or satchel. They can then walk through an airport, a train compartment or a busy cafe, scanning and storing the card details of dozens of victims, before returning home to clone hundreds of cards using the secure data they have skimmed. The Electronic engineering and software faculties of several UK universities have endeavoured to estimate the maximum distance at which contactless card details can be read. The consensus appears to be that at between 80cms and 1.5m distance, professional criminals should now be able to steal the details of your contactless payment card.

Q. Surely, the lack of arrests for electronic pickpocketing proves that this is not a major issue in the USA and Canada

The reverse is in fact true. The lack of arrests for card skimming is proof only that this is a crime that is very difficult to detect. Electronic pickpockets are almost impossible to catch and even more difficult to prosecute.

Digital card fraud is one of the fastest growing crimes in the country. In the USA, it is estimated that a payment card is illegally ‘skimmed’ for its security data every two seconds. Which Magazine identified the fact that contactless card fraud is “too easy” in the UK as recently as July 2015. Their researchers used cheap, widely-available card scanners purchased from a mainstream website to see if they could steal or ‘skim’ key details from Contactless cards. They tested 10 different credit and debit cards provided by volunteers and were able to use the scanners to read crucial data that was meant to be hidden. They then went on an internet shopping spree, successfully placing orders for items including a £3,000 television set.

Q. Is it true that I could protect my contactless cards and personal identity documents simply by wrapping each one in thick metal foil?

Yes, but every contactless card you own would need to be wrapped in metal foil, removed from its foil before use, and then re-wrapped in the foil after use. This removes the main advantage that contactless credit and debit cards are meant to offer – that of convenience in use.

Q. I’ve heard that there are now special battery-powered cards, designed to be placed in your wallet or purse, which actively jam the signal from your RFID Contactless cards and shield them from any electronic pickpocket. Do they work?

Yes, they do. The problem though is that they are very expensive, and because they need to be switched on all the time for the protective shield to be effective, battery usage is constant. With a battery-powered jamming device, there’s no easy way of telling when the battery has run out, leaving your cards unprotected.

Q. Is there any easier way of protecting all the RFID cards in my wallet, and how can I protect against identity theft if I am carrying my EU biometric passport in my pocket? Surely these electronic pickpockets could clone my identity?

Yes, your e-passport is vulnerable to being scanned at a distance. And yes, there is now a new easy, low-cost solution that offers complete protection against electronic pickpockets. It’s a device called RFIDGuard Active. It out-performs any RFID wallet or blocking card pair. It looks just like a regular credit card, but its patented technology amplifies the power of any incoming radio signal emitted by an electronic pickpocket’s card scanner or a retailer’s card terminal, and uses it to create a deep scan-blocking ‘E-Field’ around all of your data. The depth of the area protected is 90mm. That’s 3½ inches deep, so a single RFIDGuard Active card placed in a purse or a passport holder will protect not only your passport, but all of your contactless RFID credit and debit cards as well.

Best of all, it has an LED light that glows whenever it senses the presence of any RFID scanner, legal or illegal, so you know when your cards are being actively protected from a RFID scanning device. It offers complete protection from contactless card ‘skimmers’ and peace of mind too. Once the device is in your wallet or purse, you know that you are protected from having your cards or your passport ‘skimmed’ and that it’s impossible for a retailer’s terminal to debit any other contactless payment card that remains in your wallet.

Q. By focusing on the relatively small amount of “fraud on contactless cards” (i.e. fraud involving unauthorised contactless payments), could the payment card industry be seeking to play down the problem and divert our attention from the real issue - namely that contactless credit cards have made it much easier for criminals to obtain card details which are then being used to commit fraud through conventional card-fraud channels?

The real issue surely, is that Contactless cards are now providing criminal card ‘skimmers’ with easier access to a cardholder’s long card number and expiry date than ever before. In the case of most Mastercard contactless cards, the date and value of recent transactions can also be captured, all using a simple mobile phone app. All of these details can then be sold on to others and armed with these skimmed card details, criminals can deploy simple ‘brute force’ hacking methods to obtain the 3-digit payment code for use online. Alternatively, a card can be created with a magnetic stripe that is identical – ready for use in countries where chip and pin has yet to be introduced.

Figures published by Financial Fraud Action UK for 2015 show an 18% increase in the value of card losses on UK-issued cards. Card-not-present transactions now account for 70% of all credit card fraud. There are now over 100 million contactless debit and credit cards in circulation in the UK (30th June 2016), and contactless debit cards account for more than half of all debit cards in circulation, an increase of roughly 50% on the previous year. The value of contactless payments in the UK rose to £1.8 billion in May 2016, some 263% higher than in the same month in 2015. With more and more contactless cards being issued, there is an urgent need for consumers to be made aware of the need to protect their cards from professional card skimmers and digital pickpockets.

Q. What documents do I have that may need to be protected?

  • Credit Cards
  • Debit Cards
  • Charge Cards
  • Transit Card
  • Hotel Key Card
  • Office Key Card
  • Membership Cards
  • Passport