By Nikki Junker, Identity Theft Resource Center
On Monday, we entered the public discussion about RFID-enabled credit cards with a brief overview of RFID technology. Today, we want to address concerns as to whether RFID cards can be “hijacked” by use of an unauthorized RFID scanner, making the card’s information available for fraudulent use. Fortunately, it’s not as straightforward as it sounds. Here’s a closer look at what RFID technology does and does not permit.
Is it easy to scan RFID-enabled cards?
- Scanners that can “read” RFID-enabled cards are available to merchants and the general public.
- These scanners can interrogate the RFID card and retrieve the information provided by the RFID chip on the card.
- The scanner must be within inches of the card, but beyond that it is a fairly simple process, and it can certainly be done without the card owner knowing it has happened.
Could one use the retrieved information for fraudulent purchases?
- The general assumption is that the RFID chip provides the same information that is embedded in the magnetic stripe of a traditional credit card, so that if the RFID chip can be read, the perpetrator can use that information to make fraudulent purchases. Fortunately, this is NOT the case.
- Most RFID card manufacturers have implemented security features which make it difficult or impossible to use the “hijacked” information to make a fraudulent transaction. These features are outlined below.
For contactless payments (RFID), the financial industry uses additional security technology, both on the card itself and in the processing network and systems, to prevent fraud. While implementations differ among issuers, examples of security measures in use include the following:
- Industry-standard encryption. At the card level, each contactless card can have its own unique built-in secret “key” that uses standard encryption technology to generate a unique card verification value, cryptogram or authentication code that exclusively identifies each transaction. No two cards share the same key, and the key is never transmitted. Therefore, a transaction cannot take place without the card itself being present.
- Authentication. The issuers verify that the contactless payment transaction has a valid card verification value, authentication code or cryptogram before authorizing the transaction. At the system level, issuers have the ability to automatically detect and reject any attempt to use the same transaction information more than once.
- Confidentiality. The processing of contactless payments does not require the use of the actual cardholder name in the transaction. In fact, best practices being used within the industry do not include the cardholder name in the contactless chip. Thieves will find it very difficult to use a credit card number if they don’t have the corresponding cardholder information.
- Control. Cardholders control both the transaction and the card throughout the transaction. Cardholders do not have to hand over either a card or their account information to a clerk during a contactless transaction.
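The encryption and authentication measures above describe a simple protocol: the card holds a secret key that never leaves it, each tap produces a cryptogram over the transaction details plus a counter, and the issuer recomputes the cryptogram and rejects anything it has already seen. The simulation below is an added example written for this page, not code from the Identity Theft Resource Center or from any card issuer. It stands in HMAC-SHA256 for the proprietary cryptogram algorithms real cards use, assumes the issuer keeps a copy of each card’s key (real issuers derive it from a master key), and uses a constructed sample card number; the point it demonstrates is that data read from the card (account number, one captured cryptogram) is not enough to get a new transaction approved.

```python
import hmac
import hashlib
import secrets


def _txn_bytes(pan, amount_cents, merchant_id, atc):
    # The fields the cryptogram covers: account number, amount, merchant,
    # and the card's application transaction counter (ATC).
    return f"{pan}|{amount_cents}|{merchant_id}|{atc}".encode()


class ContactlessCard:
    """Simulated contactless card. The key is held privately and is never
    part of what the card transmits; only the cryptogram it produces is."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # increments on every tap, so no two taps look alike

    def tap(self, amount_cents, merchant_id):
        self.atc += 1
        msg = _txn_bytes(self.pan, amount_cents, merchant_id, self.atc)
        # HMAC-SHA256 stands in for the card's real cryptogram algorithm (assumption).
        cryptogram = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant_id,
                "atc": self.atc, "cryptogram": cryptogram}


class Issuer:
    """Simulated issuer host: verifies each cryptogram and tracks the highest
    counter seen per card so a captured transaction cannot be submitted twice."""

    def __init__(self):
        self._keys = {}      # pan -> card key (assumed to be stored at the issuer)
        self._last_atc = {}  # pan -> highest ATC accepted so far

    def issue_card(self, pan):
        key = secrets.token_bytes(16)  # unique per card, as the article describes
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ContactlessCard(pan, key)

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINED: unknown card"
        msg = _txn_bytes(txn["pan"], txn["amount"], txn["merchant"], txn["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        # Constant-time comparison: a wrong key or altered amount fails here.
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINED: bad cryptogram"
        # A valid cryptogram presented a second time is detected by the counter.
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINED: replay"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVED"


def demo():
    """Run the scenarios the article discusses and return the issuer's verdicts."""
    issuer = Issuer()
    card = issuer.issue_card("4111111111111111")  # constructed sample PAN
    results = {}

    genuine = card.tap(1999, "CAFE-01")
    results["genuine"] = issuer.authorize(genuine)

    # Same captured transaction submitted again: cryptogram is valid, counter is not.
    results["replay"] = issuer.authorize(dict(genuine))

    # Captured cryptogram reused with a different amount: cryptogram no longer matches.
    results["tampered"] = issuer.authorize(dict(genuine, amount=99900))

    # Only the account number was read from the card; without the key there is
    # no way to produce a cryptogram the issuer will accept.
    skimmed = {"pan": card.pan, "amount": 50000, "merchant": "STORE-X",
               "atc": 99, "cryptogram": "0" * 16}
    results["skimmed_only"] = issuer.authorize(skimmed)

    # The legitimate card's next tap still works.
    results["next_genuine"] = issuer.authorize(card.tap(350, "CAFE-01"))
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>13}: {verdict}")
```

The order of checks matters: the cryptogram is verified before the counter so that a forged message is never allowed to advance the card’s counter at the issuer, and the counter check is what turns a perfectly valid captured cryptogram into a one-time value.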
RFID security will need continued monitoring, but at this time it appears that both the technology and the companies using it can be trusted. So far, while surreptitiously scanning a card for information can be accomplished, obtaining all the information necessary to commit fraud is not easy.