Electronic pickpockets: fact or fantasy?
08 March, 2013 17:13
As wireless payment transactions grow in popularity, so, too, does the shadow of the electronic pickpocket.
These "e-dips" can putatively snatch credit card information from unwary consumers just by being in close proximity.
How much of that scenario is probable and how much paranoia?
"I wouldn't say it's never been done or it's impossible, but right now it's an academic exercise at best," said Sean Brady, identity and data protection director at RSA, in Bedford, Mass. RSA is the security division of EMC.
With existing technology, nicking information from a smart payment card requires more effort than most petty thieves are willing to make, according to Brady. "The level of investment and will to do it -- compared to other forms of attack, which are much easier -- is low right now," he said.
Moreover, a smart card attack is more likely to focus on the device that reads the card than the card itself. That can be done with a device similar to an ATM skimmer.
An ATM skimmer is placed over the card reading slot in an ATM and is made to look as if it's part of the device. When a bank card is used, the skimmer captures the account number and a built-in camera captures the PIN associated with the card as it's entered into the ATM.
"With that information, fraudsters can create fake debit cards," Brady said.
A phony point-of-sale terminal attack is more likely to work on a mobile payment than a smart card, he noted.
Many mobile payments use a wireless technology called NFC, or Near Field Communication. Smart cards use RFID, or Radio Frequency Identification, for wireless communication.
Because RFID is "always on," some payment experts say it's more vulnerable to attack than NFC, which can be turned off in a phone. That's not necessarily the case, according to Brady.
"A smart card is nearly impossible to attack because it has a chip on it that's creating a cryptographic assertion that is extremely difficult to hack or compromise," he said.
That means that when a smart card is used in a wireless transaction, its chip transfers, in addition to an account number and expiration date, a unique security code randomly generated for each transaction.
"If a card number and security code were copied and reused, the transaction would be rejected as a duplicate," Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J., said. "All smart cards have dynamic data as a means of providing an additional layer of security compared to non-smart cards."
If electronic pickpockets exist, they don't appear to have shown up in the fraud reporting system yet.
"There's been no reported incidences of smart card fraud related to electronic pickpocketing since this technology has been introduced into the U.S. market in 2005," he said. "We're over eight years into using this technology, over 75 million of these contactless payment cards have been issued and there have been no confirmed cases that anyone has experienced any type of payment fraud with these cards."
Vanderhoof claimed the e-dip scenario is being driven by a company trying to sell protective sleeves for cards. "It's trying to profit off of people's fears that they somehow are being put in danger by using these types of credit cards," he said. "Those claims have been totally unfounded."
One maker of protective sleeves for contactless payment cards is Identity Stronghold.
Walt Augustinowicz, Identity Stronghold's founder, has appeared in a number of TV news reports in recent years demonstrating how he can bump into a person and grab their credit card with a card reading device. Although a credit card number and expiration date can be snatched, that information isn't likely to be very useful since the security code needed to complete a transaction is missing.
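The per-transaction security code and the duplicate rejection described above, and the reason a skimmed card number and expiration date fall short on their own, can be modeled from the issuer's side. This is an added example, not code from the article or from any payment network: the HMAC-SHA256 derivation, the transaction counter, the `Issuer` class and all sample values are assumptions made for illustration, not the actual card algorithm.

```python
import hashlib
import hmac

def dynamic_code(card_key: bytes, pan: str, expiry: str, counter: int) -> str:
    """Card side (assumed scheme): 3-digit code bound to one counter value."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Issuer:
    """Issuer side: holds each card's key and the highest counter already used."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.keys[pan] = card_key
        self.last_counter[pan] = 0

    def authorize(self, pan, expiry, counter=None, code=None) -> str:
        if pan not in self.keys:
            return "DECLINE: unknown card"
        # Static data alone (number + expiry) is not enough.
        if counter is None or code is None:
            return "DECLINE: dynamic code missing"
        # A counter value that was already accepted marks a replay.
        if counter <= self.last_counter[pan]:
            return "DECLINE: duplicate transaction"
        expected = dynamic_code(self.keys[pan], pan, expiry, counter)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: wrong code"
        self.last_counter[pan] = counter
        return "APPROVE"

# Constructed sample data (test card number, made-up key).
PAN, EXPIRY, KEY = "4000000000000002", "12/15", b"constructed-demo-card-key"

def demo():
    issuer = Issuer()
    issuer.enroll(PAN, KEY)
    code = dynamic_code(KEY, PAN, EXPIRY, 1)
    return [
        issuer.authorize(PAN, EXPIRY, 1, code),  # genuine tap
        issuer.authorize(PAN, EXPIRY, 1, code),  # same data presented again
        issuer.authorize(PAN, EXPIRY),           # number and expiry only
    ]

if __name__ == "__main__":
    print(demo())
```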