Electronic pickpockets: fact or fantasy?

Can "e-dips" really snatch credit card information from unwary consumers just by being in close proximity?

As wireless payment transactions grow in popularity, so, too, has the shadow of the electronic pickpocket.

These "e-dips" can putatively snatch credit card information from unwary consumers just by being in close proximity.

How much of that scenario is probable and how much paranoia?

"I wouldn't say it's never been done or it's impossible, but right now it's an academic exercise at best," said Sean Brady, identity and data protection director at RSA, in Bedford, Mass. RSA is the security division of EMC.

With existing technology, nicking information from a smart payment card requires more effort than most petty thieves are willing to make, according to Brady. "The level of investment and will to do it -- compared to other forms of attack, which are much easier -- is low right now," he said.

Moreover, a smart card attack is more likely to focus on the device that reads the card than the card itself. That can be done with a device similar to an ATM skimmer.

An ATM skimmer is placed over the card reading slot in an ATM and is made to look as if it's part of the device. When a bank card is used, the skimmer captures the account number and a built-in camera captures the PIN associated with the card as it's entered into the ATM.

"With that information, fraudsters can create fake debit cards," Brady said.

A phony point-of-sale terminal attack is more likely to work on a mobile payment than a smart card, he noted.

Many mobile payments use a wireless technology called NFC, or Near Field Communication. Smart cards use RFID, or Radio Frequency Identification, for wireless communication.

Because RFID is "always on," some payment experts say it's more vulnerable to attack than NFC, which can be turned off in a phone. That's not necessarily the case, according to Brady.

"A smart card is nearly impossible to attack because it has a chip on it that's creating a cryptographic assertion that is extremely difficult to hack or compromise," he said.

That means that when a smart card is used in a wireless transaction, its chip transfers, in addition to an account number and expiration date, a unique security code randomly generated for each transaction.

"If a card number and security code were copied and reused, the transaction would be rejected as a duplicate," said Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J. "All smart cards have dynamic data as a means of providing an additional layer of security compared to non-smart cards."
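The rejection described above can be modelled in a few lines. The following is an added illustration, not code from the article or from any card scheme: it is a simplified stand-in for EMV-style dynamic data, in which the card's "security code" is an HMAC over the account data, a transaction counter and the amount, keyed with a secret the issuer shares with the chip. The key, PAN and expiry are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; not a real card or key.
PAN = "4111111111111111"
EXPIRY = "1227"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # issuer/chip shared secret


def card_cryptogram(key: bytes, pan: str, expiry: str, atc: int, amount_cents: int) -> str:
    """Card side: a dynamic code bound to this transaction (simplified model, not EMV itself).

    The counter (ATC) advances on every tap, so the same code never recurs."""
    msg = f"{pan}|{expiry}|{atc:05d}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer side: holds the card key and the highest counter accepted per card."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc: dict[str, int] = {}

    def authorize(self, pan: str, expiry: str, atc: int, amount_cents: int, cryptogram: str) -> str:
        expected = card_cryptogram(self.key, pan, expiry, atc, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"
        if atc <= self.last_atc.get(pan, -1):
            # Exact copy of an earlier transaction: counter did not advance.
            return "DECLINED: duplicate transaction"
        self.last_atc[pan] = atc
        return "APPROVED"


def demo() -> tuple[str, str, str, str]:
    """Genuine tap, then three attempts built from copied or static data."""
    issuer = Issuer(CARD_KEY)
    tap = dict(pan=PAN, expiry=EXPIRY, atc=17, amount_cents=450)
    tap["cryptogram"] = card_cryptogram(CARD_KEY, PAN, EXPIRY, 17, 450)
    first = issuer.authorize(**tap)
    replay = issuer.authorize(**tap)  # same code presented a second time
    # Valid code reused with a different amount: binding to the amount breaks it.
    altered = issuer.authorize(PAN, EXPIRY, 17, 9900, tap["cryptogram"])
    # PAN and expiry alone (what a reader can lift) give no way to mint a code.
    static_only = issuer.authorize(PAN, EXPIRY, 18, 450, "0000000000000000")
    return first, replay, altered, static_only


if __name__ == "__main__":
    print(demo())
```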

If electronic pickpockets exist, they don't appear to have shown up in the fraud reporting system yet.

"There have been no reported incidents of smart card fraud related to electronic pickpocketing since this technology was introduced into the U.S. market in 2005," he said. "We're over eight years into using this technology, over 75 million of these contactless payment cards have been issued and there have been no confirmed cases that anyone has experienced any type of payment fraud with these cards."

Vanderhoof claimed the e-dip scenario is being driven by a company trying to sell protective sleeves for cards. "It's trying to profit off of people's fears that they somehow are being put in danger by using these types of credit cards," he said. "Those claims have been totally unfounded."

One maker of protective sleeves for contactless payment cards is Identity Stronghold.

Walt Augustinowicz, Identity Stronghold's founder, has appeared in a number of TV news reports in recent years demonstrating how he can bump into a person and grab their credit card with a card reading device. Although a credit card number and expiration date can be snatched, that information isn't likely to be very useful since the security code needed to complete a transaction is missing.

Read more about data protection in CSOonline's Data Protection section.

Stories by John P. Mello Jr.