Contactless credit cards, are they secure?

Swerd

Swerd

Audioholic Spartan
Ratings
4,952 11 6
#1
The other day I got a replacement credit card that is contactless. It claims that I can pay by "tap and go":
Contactless credit cards have a chip inside them that emits radio waves. To pay for something with a contactless credit card, you hold the card near (within 3 inches) to a payment terminal (known as an RFID reader) and it picks up the signal, communicates with the card and processes the payment.​

You can tell if your card is contactless by the logo in the lower left side of the card in the photo.
1544989097261.png


More info I found online:
https://www.creditcards.com/credit-card-news/contactless-tap-and-go-cards-us-market.php

Is a contactless credit card vulnerable to pick pocketing by RFID reader? Do I need to carry it in an RFID shielded wallet?
 
TLS Guy

TLS Guy

Audioholic Slumlord
Ratings
7,535 17 25
#2
The other day I got a replacement credit card that is contactless. It claims that I can pay by "tap and go":
Contactless credit cards have a chip inside them that emits radio waves. To pay for something with a contactless credit card, you hold the card near (within 3 inches) to a payment terminal (known as an RFID reader) and it picks up the signal, communicates with the card and processes the payment.​

You can tell if your card is contactless by the logo in the lower left side of the card in the photo.
View attachment 27358

More info I found online:
https://www.creditcards.com/credit-card-news/contactless-tap-and-go-cards-us-market.php

Is a contactless credit card vulnerable to pick pocketing by RFID reader? Do I need to carry it in an RFID shielded wallet?
No idea about security, but I would expect the battery to fail at just the wrong time and sooner than expected. Sounds like gratuitous complexity to me and to be condemned on that count alone.
 
mtrycrafts

mtrycrafts

Audioholic Slumlord
Ratings
2,106 5 6
#3
Is there really a battery in the card or the store reader just sends a weak signal that interacts with the chips design value?
 
Swerd

Swerd

Audioholic Spartan
Ratings
4,952 11 6
#4
Is there really a battery in the card or the store reader just sends a weak signal that interacts with the chips design value?
I wondered about that too. The cards can be read only when within 3" of a reader.

Before I retired, I had a work ID card that I had to keep in an RF shielded ID card holder. It had a similar looking chip to those in credit cards. Because of that, many people I knew at work started getting shielded wallets for their credit cards too. The debate raged whether or not credit cards could be electronically hacked.

I know that US passports can be read by RFID scanners and are vulnerable to hacking. Now that I have this new card, I've begun to wonder about it.
 
Last edited:
ryanosaur

ryanosaur

Audioholic Samurai
Ratings
1,397
#5
I’ve seen wallets that are designed specifically to block the rfid signal from being read by “a bad actor.” But let’s understand what that might entail: a person following close enough that they can use a scanner to read your information. So, a busy airport or such, a very dedicated person, and maybe they get lucky? Not suggesting there isn’t a risk, but if you are concerned in the slightest, shop Amazon for rfid secure wallets. ;)
 
Swerd

Swerd

Audioholic Spartan
Ratings
4,952 11 6
#6
I’ve seen wallets that are designed specifically to block the rfid signal from being read by “a bad actor.” But let’s understand what that might entail: a person following close enough that they can use a scanner to read your information. So, a busy airport or such, a very dedicated person, and maybe they get lucky? Not suggesting there isn’t a risk, but if you are concerned in the slightest, shop Amazon for rfid secure wallets. ;)
In the old days, when all pickpockets worked in the analog realm, they had to perform their "bad acts" in direct contact with a mark. It certainly happened often enough for some of those "bad actors" to make a living at it. Now, even if these cards are "encrypted", I don't think they are really unhackable.

I ask because I'll be traveling in Europe this spring. Apparently these contactless credit cards are more common there than in the US. That means those bad actors have had more opportunity to find successful ways to hack them. The solution to the problem is easy enough – get an RFID shielded wallet big enough for both passport and credit cards. They're cheap. But I still wonder if these contactless credit cards are actually vulnerable or not.
 
ryanosaur

ryanosaur

Audioholic Samurai
Ratings
1,397
#7
In the old days, when all pickpockets worked in the analog realm, they had to perform their "bad acts" in direct contact with a mark. It certainly happened often enough for some of those "bad actors" to make a living at it. Now, even if these cards are "encrypted", I don't think they are really unhackable.

I ask because I'll be traveling in Europe this spring. Apparently these contactless credit cards are more common there than in the US. That means those bad actors have had more opportunity to find successful ways to hack them. The solution to the problem is easy enough – get an RFID shielded wallet big enough for both passport and credit cards. They're cheap. But I still wonder if these contactless credit cards are actually vulnerable or not.
Along those lines... there's a reason I never signed up for paypal account, or set up apple pay... Still just don't trust it. Having my cc# stored by amazon still makes me nervous. ;)
 
BoredSysAdmin

BoredSysAdmin

Audioholic Overlord
Ratings
5,823 22 38
#10
Holheartly I'd recommend this brand for wallets - they will last a lifetime. If you concerned about wireless credit card security, I'd say that your fears are not baseless. Get an RFID blocking wallet.
https://saddlebackleather.com/leather-wallets

p.s: Irv is 100% correct. These chips don't have batteries. They more like shoplifting tags. the power comes from RF transmitter on the RFID readers, like Point of Sale (pos) terminals.
Good news is their operating range is by design very short.
 
S

Spdmn256

Audioholic Intern
Ratings
25 1
#11
Consumers are not responsible for fraudulent charges on credit cards. The credit card company or issuing financial institution is, as long as you report the fraud to them within 60 days of when it appears on your statement. So, the best thing you can do to protect yourself is to read your statement every month (or better yet, monitor your transactions online and sign up for spending alerts if your financial institution offers them) and make sure you recognize every charge on it. And fortunately that is free!
 
mtrycrafts

mtrycrafts

Audioholic Slumlord
Ratings
2,106 5 6
#13
Consumers are not responsible for fraudulent charges on credit cards. The credit card company or issuing financial institution is, as long as you report the fraud to them within 60 days of when it appears on your statement. So, the best thing you can do to protect yourself is to read your statement every month (or better yet, monitor your transactions online and sign up for spending alerts if your financial institution offers them) and make sure you recognize every charge on it. And fortunately that is free!
Understood. But, what a hassle getting a replacement. Last year the restaurant swapped my card with another customer. Noticed the next day or one after, called, sent a new card, and sat in local post office for days.
Then, to change numbers at Amazon, and all other places.
Then a misplacement on the 12th, call 3 hours later when discovered, and still waiting for notification it was sent, if I get one.:mad:
 
BoredSysAdmin

BoredSysAdmin

Audioholic Overlord
Ratings
5,823 22 38
#14
Unless those "bad actors" are able to increase transmitting power but then, perhaps, the issue of multiple responses confusing a reader?
I've heard of these guys able to read RFID from 10ft away, so like I've said if you concerted about it - RFID blocking wallet is cheap insurance, if not from financial loss, like mentioned above, you aren't responsible for it, but for protection vs the hassle of dealing with it.
 
JerryLove

JerryLove

Audioholic Samurai
Ratings
708 2
#15
There are a couple answers.

First a disclaimer: I'm making some significant assumptions about how these are actually functioning. This is based on existing infosec knowledge on both chip-on-card and other contact-less methods; but I don't know that it's true here.

If you are asking if someone can pick up your card number for later use, the answer is likely "no". It's mostly likely token-passing such that the communication between the card and the agency (whether mastercard or something like Equifax) is encrypted and so not useful to intercept.

If you are asking if someone could charge your card with their merchant account by bringing the terminal close enough, it sounds likely (though these are generally hard to anonomize).

I, personally, would certainly prefer if the card required some action by the holder to perform the handshake.

And as TLS already pointed out: They are induction charged. Like the RFID in your toll sticker in your card.
 
Swerd

Swerd

Audioholic Spartan
Ratings
4,952 11 6
#16
I've heard of these guys able to read RFID from 10ft away, so like I've said if you concerted about it - RFID blocking wallet is cheap insurance, if not from financial loss, like mentioned above, you aren't responsible for it, but for protection vs the hassle of dealing with it.
That's exactly what I wondered. With a 10' range RFID reader, they could read lots of cards as people passed by in a busy airport or train station. Why troll with a hook & line when you can use a net?

Yes a shielded wallet is cheap insurance. I ordered a cheap one for $6, made of premium synthetic leather :rolleyes:. Real leather is nice, but not for $99.

Even if these cards have encrypted chips, nothing stays encrypted for long.
Where there's a will,​
There's a way.​
That's what they say,​
At the NSA.​
Thanks everyone for your input.
 
Last edited:
S

Spdmn256

Audioholic Intern
Ratings
25 1
#17
Yes, it’s definitely still an inconvenience to have to file a report and wait for a replacement card so anything that can be done to prevent fraud saves you hassle down the road. Probably just not worth spending too much since you’re really spending money to protect the card issuer, not yourself (though of course those costs get passed on to consumers one way or another in the long run).
 
BoredSysAdmin

BoredSysAdmin

Audioholic Overlord
Ratings
5,823 22 38
#18
fair enough. $99 is kinda pricey for a small wallet. But like I've said Saddleback will last you a lifetime
 
KEW

KEW

Audioholic Warlord
Ratings
5,099 22 9
#19
Consumers are not responsible for fraudulent charges on credit cards. The credit card company or issuing financial institution is, as long as you report the fraud to them within 60 days of when it appears on your statement. So, the best thing you can do to protect yourself is to read your statement every month (or better yet, monitor your transactions online and sign up for spending alerts if your financial institution offers them) and make sure you recognize every charge on it. And fortunately that is free!
For me, this is the most important point!
As long as the credit card companies are liable for it, the technology will be mostly secure and updated as needed to stay (mostly) ahead of the theft curve. There is too much money at stake for them to use a system that is not secure!
That doesn't protect you from the hassle of having false charges against your account, but it does insure effort is being made to keep them secure.
 
Irvrobinson

Irvrobinson

Audioholic Spartan
Ratings
2,805 8 10
#20
That's exactly what I wondered. With a 10' range RFID reader, they could read lots of cards as people passed by in a busy airport or train station. Why troll with a hook & line when you can use a net?

Yes a shielded wallet is cheap insurance. I ordered a cheap one for $6, made of premium synthetic leather :rolleyes:. Real leather is nice, but not for $99.

Even if these cards have encrypted chips, nothing stays encrypted for long.
Where there's a will,​
There's a way.​
That's what they say,​
At the NSA.​
Thanks everyone for your input.
Chip cards are not really in my field of expertise, but I don't believe encryption is part of the transaction. I highly doubt there's enough processing power on the card to encrypt or decrypt data using a secure algorithm. My understanding is that the circuitry is mainly there for the radio functions, and to generate a one-time CVV code for each use. This is a big advantage over a magnetic strip, as once the static magnetic data is captured it can be reused many times until card is cancelled.
 

Latest posts


newsletter
  • RBHsound.com
  • BlueJeansCable.com
  • SVS Sound Subwoofers
  • Experience the Martin Logan Montis