RFID technology – aka Tap and Go, Paypass etc – and preventable fraud

RFID technology allows a chip on your credit/debit card to wirelessly communicate with a payment device at the supermarket, petrol station, McDonalds etc, and make a payment without you having to enter a PIN.

The point of this technology is supposed to be two-fold: on the one hand it’s supposed to fix security problems with cards that rely on a signature – because too many retailers don’t actually check the signature. RFID is also meant to make paying for smallish items more convenient for consumers – just wave the card in the air and hey presto, all done.

cat burglar picBy smallish transactions, we’re talking about items up to $100. The idea here is that if your RFID card is stolen, there will be a limit on how much the thief can get away with. Unfortunately, there is no limit on how many times you [or the thief] can use the RFID card in a day.

So what are the ramifications? Well, let’s say your card is stolen in the morning and it has $500 on it. You realise it is stolen at lunch time when you try to pay for your sandwich. You ring the bank, but between breakfast and lunch, the thief has used your stolen card 5 times for a total of… you guessed it, $500.00.

Now the banks say they have algorithms in place to alert them to unusual transactions, and maybe they do, but it will still be up to you to go through the hassle of proving that you did not make any of those transactions. In the meantime, you’ve lost $500. If that was all you had for food etc for that week then you’re in trouble because your money will not be refunded straight away..

Now to be honest, you will have the same hassles any time your card is stolen, that’s just how modern life goes. But what if you don’t know your card has been stolen, because it’s still sitting right there in your wallet?

This is where things get sticky. The credit card companies say it’s not possible to steal your card information without stealing the actual card. The banks, [who have no say in what tech. goes on credit/debit cards] say the same thing, and people like me who don’t believe the assurances are labeled as wackos, dinosaurs or conspiracy theorists.

But seeing is believing. In this first video you will see  how easy, and cheap, it is to steal card and account information. The truly scary part, however, is how easy it is to then clone that information.

The next video shows one of the presenters of the well-known Mythbusters TV show talking about how a proposed segment on RFID technology was gagged by the legal representatives of all the major players – i.e. Mastercard, Visa, etc.

If these two videos have made you concerned, you can find lots more information out on the net, some for, some against the technology, but one thing is consistent throughout – you can’t opt out of it.

I suspect the manufacturers did not put an opt out function on the RFID card technology because:

1) it would cost more to produce, or

2) they were worried too many people would opt out.

Either way, the banks have no say in the matter. If they want to offer their customers credit card facilities, they have to take what the credit card companies give them, and that is RFID technology..

This means no amount of complaints to the banks will do a speck of good. I know because I spent almost two, very frustrating hours on the phone to the Bendigo Bank yesterday. I was trying to work out what was going on, and why I couldn’t just say no. Then I tried to complain. Then I realised that even the Bendigo Bank didn’t give a shit because there was nothing they could do about it. I was told to get an ordinary cashcard if I was so worried.

Apparently these cashcards are debits cards issued by the banks themselves. They can be used at supermarkets, ATMs and all EFTPOS terminals, but they CANNOT be used for, say, online transactions. So if you buy stuff on Ebay you can’t use your cashcard. The same thing applies to PayPal. 😦

By this point I was grinding my teeth and yelling at the customer service representative. Think small, grey-haired terrier biting at the ankles of a giant. Yup.

But I would not be writing this post if I did not have a solution, of sorts.

Solution 1

Get a cashcard for all normal, local transactions and keep it in your wallet. Take all the money out of the RFID card and keep the card in a safe place at home. When you need to use it for an online transaction, transfer some money into the card via internet banking.

Doable? Yes. Convenient? Hah

Solution 2

Use your MyKi card to disrupt the RFID card. I found this info. on the internet and haven’t had a chance to try it out yet, but apparently whatever is on the MyKi card messes with the RFID on the credit/debit cards. I’ve also read that you can buy a wallet that stops the wireless transmission. Or you can wrap your card in tin foil. Oh wait, maybe it’s your head that’s meant to be wrapped in tin foil.

-cough-

If the MyKi solution works, you won’t have to worry about being scanned, and scammed, while you travel to work on a crowded train/tram/bus, or wait in line at a supermarket or airport. Of course you will still be a bit exposed when you actually take the card out to use it [via swipe or tap] but at least it would be safer.

The Daughter and I intend to order cashcards on Monday because we can’t afford to lose any money, period. We will also trial the MyKi card solution, and I’ll update you on the results.

In the meantime, if you love the convenience of Tap and Go then at least please be cautious enough not to keep too much money on the card at any one time. It’s just not worth the risk.

Meeks

Advertisements

About acflory

I am the kind of person who always has to know why things are the way they are so my interests range from genetics and biology to politics and what makes people tick. For fun I play online mmorpgs, read, listen to a music, dance when I get the chance and landscape my rather large block. Work is writing. When a story I am working on is going well I'm on cloud nine. On bad days I go out and dig big holes... View all posts by acflory

11 responses to “RFID technology – aka Tap and Go, Paypass etc – and preventable fraud

  • George Panayiotou

    My bank issued me a card with NFC as well and it’s not an opt in thing. And i hate that. A friend and I are now wanting to pass our cards through an X-Ray machine to see if the card has two separate chips, or a single one. If they are two separate, we’ll just pass a needle through it. If not, we’ll dress our wallets with copper sheets to make a sort of Faraday cage.

    Like

  • EllaDee

    It’s an awful exercise to consider that there are opportunistic people, and how widespread they are, whose main occupation is to exploit technology for the own gain, and I think possibly an element of element boosting for some… beating the defences.
    The site I found – http://cardshield.com.au/pages/frontpage – says Opal card the Sydney version and Victoria’s myki ( I googled it, I wondered what myki was) etc all use RFID technology and their cardshield product (at a reasonable $4.99) blocks electronic signals from RFID readers from reaching the chip and antenna embedded in RFID enabled smartcards.

    Like

    • acflory

      Hmm… I have a feeling I’ve answered this but it’s not showing as read. Ah well, if this is a duplicate – apologies!

      Thanks for your reserach. I had a look at that site but for some reason I couldn’t get my Paypal to come up so haven’t bought any yet. I’ll have to make do with foil in my wallet for a bit longer. If anyone ever steals this wallet they’re going to wonder what kind of nut job I am. 😀

      Like

  • davidprosser

    Thank you for this timely warning. I was actually told about this problem a couple of months ago but because I use my card to draw cash from a machine and then use that cash to pay for all my purchases it was unlikely to bother me too much.This obviously is only a good solution if you’re not buying over the phone or net.
    I was told at that time that aluminium will prevent someone scanning your card and so purchased online a small credit card case which is no worse to carry than a normal leather one.They’re not expensive and can look quite smart as they come in a range of colours. It’s not going to help though if you do use your card to swipe a payment as it’s always possible someone outside will clone it as has happened with other credit cards in the past.
    My advice if you’re worried is to buy one of the aluminium cases but always to withdraw cash from a cash point and use that to pay for purchases if you can. Larger purchases of course mean you’ll have no choice but to swipe unless you buy online and use paypal tp pay.
    xxx Massive Hugs xxx

    Like

    • acflory

      Oh so you can get those cases? That’s fantastic news, David. Thank you. I’ll order a couple for the Daughter and me. Unfortunately I’ve gotten into the habit of using my card a lot as I rarely carry much cash around on me. That’s one reason I’m also going to go with the lower tech cashcard as well.

      There are always options I suppose, but I’m still smarting about not being able to opt out entirely.:/

      Like

  • anne54

    Yay! Something positive to come out of MyKi!!! On the sensible side….it is very scary. There seem to be just so many ways that our identities and money can be skimmed and scammed away from us.Thanks for the heads up Meeks.

    Like

    • acflory

      lol – yes, the /only/ positive thing. And re the RFID, I keep thinking back to the days when we all thought our Windows computers were safe, until we had those world wide hacks and the security was finally tightened up. History has a habit of repeating itself, or maybe we do. 😉

      Like

Don't be shy!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: