Can Contactless Credit Cards Be Hacked? 5 Tips to Stay Secure

Although RFID (Radio Frequency Identification) is still a tough sell to a many people, millions of contactless credit cards have been issued over the past year. Issuing banks are increasingly making RFID cards the default replacement card, and banks aren't required to tell cardholders that the new cards are RFID-enabled. Some contactless cards have visible microchips, but others don't, so it may be difficult to know if you own an RFID card.

The lack of knowledge about what type of credit card you have in your possession is just one part of the security problem. Other issues, like a misunderstanding about how these cards operate, create yet more reasons why you need to become proactive about your credit card security. One way to become more secure is to learn about what makes this technology "hackable".

Can Contactless Cards Be Hacked?

The only difference between a contactless credit card and a regular credit card is the way that your card's information is transmitted at the point of transaction. Instead of using the traditional magnetic stripe (magstripe), the contactless credit card uses a "tag". The tag consists of a semiconductor ship or set of chips and an antenna that relays radio frequency signals into and out of the chip. This passive RFID technology creates a fear factor for most people who don't understand how it works. In some cases, however, this fear is reasonable.

The problems behind this technology as utilized in credit cards lie in three distinct areas:

1. The information contained on that chip.
2. Whether that chip is secure or insecure.
3. The radio frequencies and data transfer standard used to activate that chip.

The information contained on your contactless credit card may contain the same information that can be found within the magstripe in your traditional credit card. This information varies from issuer to issuer, but in essence your contactless card's chip will include your name, address, card number, and card security code. It may also include or be tapped into information about your birth date, social security number, and any other bits and bytes that you would deem highly sensitive and personal. Even at their tiny size, the chips contained in contactless credit cards can contain megabytes of memory.

As with any technology, issues often are addressed in "second-generation" products. Contactless cards are no exception. In first-generation issue, some cards were "open" to name and credit card number theft, but the security code couldn't be stolen. However, retailers often allow purchases without that security code, so the fact that a thief wouldn't have that code becomes moot.

Second-generation cards, like the Visa Contactless card, no longer send the cardholder's name, but it can still send the card number to malicious scanners. The argument as to why this security measure is better is that the card number would be difficult to use without the cardholder's name.

The chips used for contactless credit cards are, by most accounts, secure. A chip's memory can be altered as in a read/write program, and these "dynamic" chips are supposedly encrypted in credit cards. This means that the chip will contain some fixed information that can be programmed on the chip only once, like your personal information. Then, the chip may also contain a sophisticated processor that executes cryptographic elements that protect static data.

The chip contains an antenna that allows that chip to communicate with a reader through a radio frequency (RF). This is where the mystery lies for many folks, as this information often sounds as cryptic as the security issue. But, an understanding about this technology is critical in your quest to protect your identity and your privacy.

RFID credit cards rely on a reader to supply energy to its chip through the reader's RF field. The chip picks up the reader's energy, powers up, receives commands and/or data, processes it, and communicates back with the reader. This communication prevents identity theft from readers from a distance, but a malicious scanning device could still be able to read any card that can be read by a legitimate reader. The common RF used to activate the tags and readers for credit cards is at a higher frequency than the ones used in tagging animals or in many supply-chain management systems. The frequency chosen by most credit card companies is the 13.56MHz frequency with data transfer rates of ISO 14443.

The reader's 13.56MHz frequency seems very low, especially when compared with items such as current mobile phone systems that operate at ultra high frequencies between 800 and 1800 MHz. But, in reality, the 13.56 MHz frequency is mid-range with an operating distance that would depend upon the tag size and the reader type. Proximity can be close to one meter, or 3.28 feet.

The ISO 14443 standard for transfer rates was chosen to modify the 13.56MHz frequency. The ISO 14443, put simply, is a four-part international standard [PDF link] that was created for contactless smart cards that operate at the 13.56MHz frequency in close range with a reader antenna. It has a generally accepted read/write range of up to 10 cm, or four inches. ISO 14443 accepts authentication mechanisms such as encryption.

The transfer rate is also affected by certain materials placed between a reader and the chip. If metal is placed between a reader and a tag, the RF will be deflected. This is why thin sheets of metal are placed in biometric passports, to protect your information when the passport is closed. This response to metal is also the reason behind a new market for metal sleeves that claim to protect your biometric passport and your contactless credit cards from theft.

But while metal currently can create noise between the card and the reader and while it can also detune both reader and tag antennas, it's also possible to bypass this problem with the right frequency and data transfer standard. The ability to bypass metals to maintain "conversation" between the tag and a reader continues to evolve. So, eventually, this will be one problem that won't be resolved simply by wrapping your credit card in aluminum foil.

With that said, it's time to offer some tips on how to protect your contactless credit card and its information. When Texas Instruments, an industry leader in RFID technology and the world's largest integrated manufacturer of RFID tags, warns [PDF link] that the consequence of a successful compromise in the use of the tags is "large to enormous," it's time to take matters into your own hands. Below are five tips that should help you on your way to being more secure with your contactless credit cards.

Five Tips for RFID Card Security

1. Take a pro-active role with your financial tools. Unlike the card's passive technology, you need to take a proactive stance to protect your information. Call your credit card company and ask them if your current card is a "contactless" card or a traditional card. If they've issued you a contactless card, you have one of two choices: 1) Ask for a traditional card, because you refuse to use the RFID technology, or; 2) Ask the company about the finer points to their system. If you go the second route, then…
2. Ask the credit card company about their RF and ISO. If the numbers match those shown above, great. If not, ask why and demand detailed information. The bank may be using more advanced technology that may surpass the information above (yes, the technology is moving that quickly). Beyond this, if the bank states that the information on your card is "static," then destroy that card. The information on that chip must be "dynamic" to enable encryption on data transmissions. If your chip is dynamic, then…
3. Ask the credit card company about its encryption methods. The encryption on contactless credit cards can contain from 32 to 128 bits for security. The fact that this encryption is enabled on a dynamic card allows the reader to alter certain information from transaction to transaction, and this is a good thing. But, even these encrypted cards can be compromised. So what do you do about that problem?...
4. Ask about the credit card company's fraud detection and any other prevention measures. Unfortunately, credit card information ― even that contained in traditional credit cards ― is open to theft. As recently as last year over forty million credit cards were exposed to potential fraud due to a security breach that occurred at a third-party processor for payment card transactions. And, that's just one story about credit card hacks. Perhaps the question here isn't about credit card security so much as it is about how you can protect yourself against your credit card company. So be diligent about your records and transactions. Make sure that what you do corresponds with your credit card statements.
5. Be careful where you shop. As any technology grows, its capabilities to cover security issues probably will remain just one step behind the hackers. Retailers failed to keep up with security issues in a safety measure led by Visa in 2005. So, at times the credit card company isn't to blame. You also need to be careful about where you shop online or at your local brick-and-mortar. The one question you might ask that retailer: "Do you use the card's ID code (or other measure) to finalize transactions?" If the answer is a resounding, "yes," then your transactions may be safer at these stores than ones that go without that extra security measure. The Smart Card has forced some retailers to understand the obligations they have to consumers, so this new technology may make your transactions safer.

Technology by itself is neutral. It's the people who handle that technology that need to be questioned. So, begin by questioning whether you own a contactless credit card and go from there. If you want to know the worst fears that people harbor about this technology, you can visit CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) so you know which questions to ask about your cards.

On the other hand, you may realize that this technology isn't going to disappear and that it may become a more secure method for transactions than traditional credit cards. You can frequent the non-profit multi-industry association, Smart Card Alliance, to learn how this industry plans to secure your information and your privacy now and in the future for your peace of mind.