Undated -- Radio-frequency identification, or RFID, is a technology found in some credit cards that allows for contactless payments.
A small chip inside the card allows the information to be read from a card reader, allowing for fast and convenient shopping. A card just has to be close enough to a reader for the reader to get the information, and doesn't have to be swiped
The cards have different names depending on the company -MasterCard PayPass, Visa payWave, and American Express expresspay, to name a few."I do use it when the places have it, especially when there's five or six people in line and you're in a hurry and you're having to slide it and pin number and all that. You just hit the card and get your receipt and you're out the door," said Michael Conrad, who has an RFID-enabled card.
"I think that's just going to be the standard, or at least that's what the initial thought process was, that card companies were going to imbed these in these cards for the matter of convenience," said Craig Cotten, financial crimes detective with the Guilford County Sheriff's Office.
He said the technology is a potential problem, even though they haven't seen any issues with it here they're aware of.
"It's hard enough as it is now trying to back trace and finding a common denominator where credit cards are being compromised. This would just throw a whole other wrench in that process," said Cotten.
Security Expert Walt Augustinowicz hit the streets with an off-the-shelf card reader he bought online for less than $100 and a computer to show how he could obtain information from RFID cards through people's pockets."You have a SunTrust card in there and that's your account number and expiration date," he said to one person.
"You have a Chase card. Here's the expiration date and your number," he said to another.
Credit card companies said they do have measures in place to protect their contactless cards.
The following are some of the examples of security measures Visa provided:
- Visa payWave cards use advanced cryptographic security where every transaction includes a unique dynamic code, which changes with each transaction.
- Visa payWave cards do not transmit the cardholder's name during a transaction, providing greater privacy than even traditional card payments. Intercepting a Visa payWave transaction results in less sensitive information than when handing a card over to a clerk. Neither the cardholder name nor the three-digit security code on the back of the card are available when the card is read via a contactless reader.
-To protect against fraudulent eCommerce or telephone transactions, merchants use secondary security measures such as asking for the three-digit code imprinted on the back of the card, verifying the billing address associated with account, or an extra layer of password protection such as Verified by Visa. None of this information can be read electronically from the card.
A statement from American Express said expresspay will not reveal identifiable information such as name, address, or other types of information typically required for identity theft, or card account number. Expresspay uses encrypted and unique codes for each transaction. A spokesperson said their card won't reveal an account number on a card reader, but rather an alias number.
A statement from MasterCard said someone wouldn't be able to do anything with an account number and expiration date that might be captured from a card reader. They issued the following points:
- It is difficult to make an Internet or phone purchase, since the merchant should ask for CVC (card verification code) 2 data - the 3 digit code on the back, or zip code verification - to complete any purchase.
- You can't create a phony mag stripe card without CVC1 data in the mag. stripe- You can't create a phony PayPass card without the key that is used to create a dynamic CVC3, which is held securely in the PayPass chip