Don't panic: Thieves aren't stealing your bank card info via 'radiowaves'

Should South Africans be investing in special “RFID blocking” wallets and purses to stop criminals stealing their bank card details via “radiowaves”‚ just by standing next to them?

If you’ve watching one of the scare videos doing the rounds‚ showing a staged scenario of a man stealing people’s credit card details by getting close to them in a shopping centre‚ and then going on an online spending spree with them‚ you may think a radio-wave blocking wallet is as essential as a tracking device on a new car.

“Watch closely; this woman is about to be ripped off!” viewers are told. “In a matter of seconds‚ this thief effortlessly manages to pick-pocket four unsuspecting shoppers‚ without ever laying a finger on their purses and wallets.

“Hidden inside his case is a credit card reader‚ just like the one used in taxis‚ drugstores‚ fast food chains - but in the blink of an eye‚ criminals could pick up your credit card information.”

South African banks have been issuing RFID (Radio Frequency ID) credit and debit cards for some time; they can be identified by a WiFi-type symbol on them.

The technology enables consumers to pay by so-called Tap and Go: instead of having to insert the card into the point-of-sale (POS) machine and key in a PIN‚ the card is briefly placed on a reader and the purchase is done.

But fear not‚ hands-free pickpocketing isn’t happening in the real world‚ says Roger Grimes of San Fransisco-based technology digital publication InfoWorld.

“They (the RFID-blocking wallet makers) have yet to produce evidence of a single real-world RFID crime‚” Grimes said. “Year after year‚ nothing…”

Tap and Go is the norm in Australia‚ New Zealand‚ the UK and the EU.

Contacted for comment‚ Mastercard said most‚ if not all‚ contactless-card fraud cases reported around the world involved a thief stealing or finding a physical card and using it at the point of sale.

“Contactless technology was developed by Mastercard with the mindset of never sacrificing security for convenience‚” the company said.

Is contactless-card technology safe?

But many South Africans are understandably alarmed by the prospect of someone being able to go on a wild Tap and Go spending spree with their cards‚ not to mention the possibility of hidden readers picking up their card details and using them to commit fraud.

Many local supermarket tellers don’t mention the tap and go functionality to customers because so many have refused to use it.

Mastercard says there are three reasons people should feel safe with contactless-card technology:

• Contactless payments require different information than those made over the phone or online. The cardholder’s name‚ three-digit security code on the back of the card‚ and billing information are never transmitted. When a contactless transaction takes place‚ the card or device sends the reader a dynamic one-time-only code to uniquely and securely identify each transaction.
• Working in partnership with banks‚ retailers and payment service providers‚ Mastercard uses robust fraud detection systems and artificial intelligence to spot suspicious activity and stop fraud in its tracks.
• Cardholders can rest assured that if their card is compromised‚ they are protected with a global zero-liability policy. That means they are not held liable for unauthorised fraudulent transactions.

Mastercard says it would be extremely difficult for a fraudster to copy the advanced encryption technology used to generate the dynamic one-time-only code and create a functioning counterfeit version of a contactless card. “So the thrust of (Grimes’) article is spot on‚” a spokesman said.

While smartphone applications that enable the phone to read some of the data from a contactless enabled card or device do exist‚ they can only read the account number and expiration date‚ Mastercard said.

“These cards have not been targeted by criminals‚" an Absa spokesman said.

"It is true that someone could possibly tap your card for low-value transactions and not be asked to enter the PIN‚ but to mitigate this risk‚ there is a series of security measures built into the contactless process.

"For example‚ not every transaction will go through without asking for a PIN. At any given time some transactions will ask for a PIN‚ making it very difficult for a fraudster to use the card with any level of confidence."

Cloning

Cloning a contactless card was also very difficult‚ Absa said‚ as this would involve cloning the card's chip and internationally there was no known instance of a chip being successfully cloned and used fraudulently.

As for reports claiming that contactless cards could be remotely "read" by someone close to you‚ the bank said tests had shown that the data that can be retrieved in that way is not sufficient to be used in fraudulent transactions. “The chip cryptograms are just too strong.”

So don’t be frightened into thinking you need to invest in expensive RFID-blocking wallets or sleeves.

RFID-blocking products are widely available in South Africa‚ but they are essentially a solution to a non-existent or‚ at best‚ unlikely problem.

One Cape Town leather-wallet maker says on its website: “Your contactless card identity can be stolen electronically from your wallet or purse‚ allowing your card to be cloned in a matter of seconds. Protect yourself from electronic pickpocketing. RFID-blocking wallets and purses will increase the security of your RFID-embedded cards.”

Even if that were the case‚ Grimes says‚ you could block all RFID waves with a few sheets of aluminium foil.