A Lesson in Card Cloning
Check your wallet
You might not know it, but as of October 2015, your credit and debit cards will contain a tiny computer chip (radio frequency identification or RFID) and a radio antenna to transmit account information from your card—even when you’re not shopping.
The cards are vulnerable to being skimmed without ever leaving your pocket. The information communicated from your card to a card reader can be enough to create a counterfeit card that can be successfully used to make an unauthorized purchase, as Consumer Reports observed in a recent demonstration by Recursion Ventures, a security research and consulting company in New York City.
The basic equipment needed for that form of fraud is readily available for electronic pick-pocketers. An electronic reader can be purchased online for less than $100 and can be connected to a laptop to store your skimmed information. When Chris Paget, whose title at Recursion is chief hacker, used such a reader to scan a Chase debit card he’d recently received, the card’s account number, expiration date, and security data immediately appeared on the computer screen. Two credit cards still inside the mailing envelope revealed the same type of account data.
Making a counterfeit
From a few inches away, the account data can be read even if the card is inside a wallet or purse. By transferring the skimmed card data onto a blank magnetic-stripe card, Paget produced a counterfeit card that he then used to make a purchase that was successfully processed.
Chase spokesman Paul Hartwick says the security codes on its contactless cards are designed to change with every transaction, as they are with most RFID-enabled cards, so that even if a card is counterfeited, it would work for only one fraudulent transaction.
“If I put a reader next to a turnstile at Grand Central Terminal at rush hour, I could probably capture data from 5,000 cards in an evening, and what you’re getting from each one is enough to initiate a transaction,” says Mark Rasch, a former Justice Department computer-crime prosecutor who serves as director of cybersecurity and privacy consulting at CSC, a business technology firm.
Playbook for a crook
1. The Setup
Thief connects a battery-powered card reader to a netbook in briefcase, which conceals the devices.
2. The swipe
Crook carries briefcase close to consumer’s purse or pocket, where contactless cards might be carried.
3. The display
Card information obtained in step 2 is displayed on a computer attached to a magstripe-writing device.
4. The clone
A blank magstripe card is put through the device to make a counterfeit card.
How do you protect yourself? Easy, wrap your credit cards in aluminum foil. Want a more stylish look? Get a pack of Elk and Bear Handpicked credit card protectors sold exclusively on Amazon.com