What can help steal your credit card info?

Contactless payment cards have radio frequency identification tags in them which can be read from a distance by using a scanner. The same RFID technology ensures the operation of building access cards and transport cards. Therefore, data on all types of contactless cards are not secure.

A number of publications, such as NBC New York and The Sun, have conducted experiments showing that contactless card information can be stolen at close range. To do this, experts simply held a reader disguised as an iPad to the victim’s pocket, wallet, or bag. Now, scammers don’t even need to buy any devices to do this. Google Play has apps that can be used for the same purpose.

If you are in a public place where a lot of people have gathered, the risk of such fraud increases significantly.

What information can be stolen?

As a result of using RFID readers, fraudsters can get access to different types of data, for example, credit card numbers, information about the expiration date of the card. This data is sufficient for resale on the darknet, and after this information is supplemented with other personal information, it could be used for making transactions on a number of sites or opening an account in your name. If a fraudster has received part of your personal data, the chance that they will receive all the information necessary for making a transaction or opening an account increases significantly. At the same time, security experts say that 80% of credit cards are compromised in some way.  Their data was stolen as a result of phishing, skimming, malicious software on websites, fraudulent phone calls, and data violations.

How to protect your cards from skimming and other types of fraud

Of course, credit card companies are trying to improve the technology with encryption, but thieves are also using increasingly advanced technologies that allow them to steal personal information.

Therefore, we recommend that you follow the simplest preventive security measures against RFID skimming:

• Do not store your cards in your pockets or money clip wallets. Only in your wallet, and your wallet is in a zippered bag. The wallet must have a separate slot for each card so that you can see each card in its place.
• Use a special blocking wallet, holder, or blocking card to protect your contactless card from skimming. Do not wrap the cards in foil, it is not intended for shielding.
• If you see someone holding a mobile phone next to your wallet or bag, or acting strangely in the checkout line, step back and ask the store’s staff for help.
• Before using the card anywhere, check for card skimmers.
• Use one card for autopay accounts and the other for everyday purchases. The autopay and everyday strategy helps you save your money and personal data.
• Do not store photos of your cards on your phone, or write their data to your phone.
• Keep cards that you don’t use at home in a safe place. You can also keep a list of all your card numbers, expiration dates, and security codes, as well as contact information in case your cards, are ever stolen.
• Destroy any documents containing your credit card information, including documents containing the last 4 digits.
• Keep track of your account statements. If you see a suspicious purchase, immediately notify the card Issuer.
• Periodically check the personal accounts of the online stores that you use most often (Amazon, Target, etc.). if you find any transactions that were not made by you, contact the seller immediately.
• If someone asks you to provide your card details over the phone on behalf of the card Issuer, do not agree. Call the customer support number on the back of your card and ask the Issuer’s representative what to do in this case.
• Use a credit card instead of a debit card whenever possible. In General, the losses will be less if the thief drains your credit limit, rather than having access to funds from your debit card. If your debit card is compromised, you may lose access to all the money in your current account until the Bank deals with the fraud. This could take several days.
• Periodically change your passwords and update your card pin codes.

Keep your data and funds safe at all times.

‘If you are worried about someone reading your cards, there are several RFID blocking products that can prevent skimming.

The post Can someone steal your credit card info from your pocket? appeared first on RFID Cloaked - Protecting your RFID personal data.

To prevent the theft of data or money, you need to create a shield that protects your contactless cards from being read by RFID scanners.  A shield works by blocking the propagation of electromagnetic waves, which prevents the interaction of an RFID reader with your cards. The RFID reader will not be able to read your cards while they are inside the case with RFID blocking.

What you need to make an RFID blocker

To make an effective RFID blocker, you will need the following materials:

• textile for the front part;
• fabric for lining;
• office supplies (glue, scissors, awl, pen, ruler);
• a thin sheet of RFID blocking material, for example, this material.

To prevent RFID reading, you will need a layer of special material.  We do not recommend using foil, it is not intended for shielding and will not be totally effective, we wrote about this in detail in this article.  As a basis, you can use a cloth that does not crumble and has a margin of safety.  For the outer cover, it is advisable to use a robust material like leatherette. A plastic cover from an office folder would also do.

Stages of manufacturing the cover

1. You need to cut two identical rectangles of leather, plastic or other material 9.5 cm by 7 cm each;
2. Prepare another pair of similar parts from the inner material and RFID blocking material;
3. Put the three layers together and glue them.  Allow the glue to dry;
4. Sew the three layers together at a distance of 1-1,5 mm from the edge on three of the four sides.

As a result, you should get a reliable case.  By the way, scammers can scan the credit card style keys for cars as well. This case works great with those too!

‘If you do not have enough time to make your own RFID blocking card holder, you can simply buy an RFID card blocking wallet or RFID blocking card to protect your important information from NFC technologies. After all, it is better to prevent unauthorised card scanning than to regret not protecting yourself.

Products from the article

RFID blocking wallet

RFID blocking card

The post How do you make an RFID blocker? appeared first on RFID Cloaked - Protecting your RFID personal data.

Whether you are shopping for groceries or paying for petrol, you can use contactless payments. COVID-19 has increased the desire to minimise contact. We use this even more often than before. Whilst contactless payments are quick and convenient, there is a niggling voice in the back of your mind. “Are contactless cards safe?”

What are contactless payments?

What are contactless payments? How does financial information get from your credit card to the reader?

Contactless payments can be a concept that is hard to comprehend. When we don’t fully understand something, it can make us feel vulnerable. So, how do contactless payments actually work?

RFID or NFC

Your contactless credit card has a chip within it, as well as a tiny antenna. The card reader makes connection to the card, with radio waves, much like you tune a radio to your favourite station. If you don’t tune it right or are too far away you can’t listen to it. The difference is that when the card reader sends radio waves, the credit card uses some of the energy it receives to power the chip. So that the credit card can talk back to the reader. This process is known as Radio Frequency Identification (RFID) or Near Field Communication (NFC) or contactless for short!

Your card details are transferred to the card reader, which picks up the signal emitted from your card to process your payment. You can make contactless payments for purchases under £45 (in the UK). There is usually no such limit if you use contactless with your smartphone as an extra layer of security is required, such as fingerprint ID or PIN.

If you lost your debit card or contactless card was stolen, someone could use it to make small payments. Although the number of contactless payments that can be made in one day is limited. If your contactless card goes missing you should freeze it, or report it immediately to avoid contactless fraud.

Security concerns

You can’t open a newspaper, read a magazine, or watch the news without seeing a story about contactless card fraud, fraud purchase on credit card. Or you can hear the news that personal details being stolen or credit card data being hacked. It seems like it is getting harder and harder to keep our sensitive information safe. How exactly can we keep the information of our credit cards safe, if they are emitting radio waves for anyone to intercept?

Unfortunately, contactless card fraud is on the rise. Whilst not at the levels of credit card fraud generally, the believed losses to contactless card fraud were £5.6 million in the UK in 2017 and already more than £20.6 million in 2019. The United States leads as the most credit fraud prone country with 38.6% of reported card fraud losses in 2018. The United States accounted for $9.47 billion in fraud losses in 2018.

It can occur by a criminal getting close to you, and reading your card’s details through a radio frequency identification reader concealed within their clothing.

With contactless card fraud on the rise, you may be considering using your smartphone to make payments. This opens up additional concerns. Expensive phones brought into the open in a busy environment provides an opportunity for thieves. Furthermore, if you drop your smartphone whilst juggling shopping, a purchase for just a few pounds, may cost you hundreds.

So, what can you do to make safe and secure payment? In fact, safe card payment can be implemented quite simply.

Minimising contactless card security risks

Whilst the threat of theft of your card information may seem pretty concerning, there is no cause for paranoia. However, there is a way that you can minimise contactless card security fraud risk.

RFID card protector

The rise in the use of contactless cards has resulted in some developments from accessory brands to keep your information safe. One such brand is RFID-Cloaked, who have created a range of products which prevents both bank cards and security passes from being read by a wide range of radio frequencies.

RFIDsecur RFID Blocking Card will protect at the same time RFID cards with 13.56Mhz and 125khz frequency chips.

RFID blocking credit card protector made of ultra-thin material which is suitable for different types of contactless cards – bank cards, id cards, access cards etc.

‘If you are interested in any of the RFID blocking card protectors, take a look at our online-shop.

Edited in may 2020

The post Contactless card security risk. Can contactless payments be risk free? appeared first on RFID Cloaked - Protecting your RFID personal data.

Are there any downsides of mobile contactless payment?

It kills your battery life

Anyone, who has a smartphone which they use day in and day out, will know about the fundamental limitations of battery life. This is a problem when using power hungry apps and anything on your phone which uses processing power like 4G. We are also all familiar with that sinking realisation that your battery is not going to last the day (or night). For this reason, it is unlikely in the near future, that your phone will ever be the sole method of payment you have with you. Who wants the dilemma of having to decide whether to use their remaining battery power to pay for a round of drinks or call a cab at the end of the evening.

Lest we forget! – it’s actually a phone…

Sometimes you will even want to use it as one! Imagine rushing into a shop, phone pressed to your ear as you fumble around for a card or cash to pay for a coffee or a newspaper. If you need to use the phone to pay, do you hang up your call, to open your payment app and complete your transaction? Perhaps not, but it is begging to look a little less convenient when you want to use your phone for its primary purpose!

It’s a really expensive mobile phone Wallet!

When you consider the cost of your mobile phone and the extent to which you put it at risk, making small payments with it really doesn’t make a lot of sense! Many mobile phones cost several hundreds of pounds and we are now in the era of the £1,000 mobile phone. Because of the ever increasing value and desirability of handsets, we are also in the era of increased mobile phone theft with, snatch theft becoming a problem in some major cities like London. The Metropolitan Police have issued advice for guarding against handset theft and it mostly involves “keeping your phone out of sight and not using your phone in busy public places.” The examples they give are stations, concert venues and shopping centres – all the places where being able to make quick, convenient payments may be of benefit.

Aside from the risk of having your handset stolen, you also run the risk of dropping or damaging your phone if you have to keep taking it in and out of your pocket to make payments.

 Mobile payments: our conclusion

For the time being at least, we still prefer not to use a phone handset to routinely make payments. Contactless cards, whilst having some vulnerabilities in terms of security, make much more sense as a lower risk quick and easy payment method.

There are many solutions for protecting contactless cards and reducing contactless payment risks, however, we consider that RFID contactless blocking cards are the one of the most effective.

‘Want to know more about RFID cards protection? We have prepared a detailed description of this technology.

Updated in June 2020

The post Are mobile payments secure? A cashless future appeared first on RFID Cloaked - Protecting your RFID personal data.

Contactless cards (radio frequency identification cards) use radio frequency identification technology (RFID) to transmit personal information to card readers. Some people are nervous about fraudsters grabbing their data and so opt for card holders that block RFID signals. Others argue this risk has been exaggerated. That no special card RFID protector and other tech are needed to protect the cards.

Here are three considerations for those who are still undecided about whether to invest in an RFID blocking wallet, a purse with RFID protection or RFID blocking card sleeve.

Your personal risk profile

Banking and financial trade association UK Finance notes there have been no verified reports of fraudsters taking money from somebody’s contactless card in the UK by bumping in to them using an RFID bank card reader – a technique known as ‘skimming’. Moreover, most cards have security measures that ensure payments are fully-traceable and legal safeguards. These measures help victims recoup stolen money. Even so, skimming of RFID credit cards is technically possible and the press has reported alleged cases. Albeit often related to travel abroad. So taking precautions and buying RFID blocking card wallet tech may be prudent – but it really depends on what risk you perceive.

Sharpen up your look. How to protect your data

A common recommendation to those who are nervous about skimmers is to simply encase their contactless cards in tinfoil or kitchen foil rather than buy RFID protection. While this may work, most people will agree tinfoil is not a stylish addition to a wallet. Indeed, one of the customised RFID blocking card sleeves on the market will certainly give you a better-looking wallet. While ensuring you do not have to unwrap your cards like leftovers in the fridge. So, it may be better to invest in proper RFID blocking technology that looks good and allays your worries about data theft. Rather than just making do with a substitute.

RFID blocking wallet: making modern living easier

The first generation of RFID blocking wallets often forced people to remove their cards from the holders. Separate them from metal objects or other contactless cards before paying. All of this made other aspects of life, such as swiping in and out of the London underground tube stations, more inconvenient. The new generation of RFID card holder wallets however, has been designed with solving the inconvenience of contactless in mind. The best designs allow users to keep cards in an anti scan wallet while paying, making RFID contactless payment much easier.

Do you decide to buy RFID blocking technology? We recommend using wallets and contactless blocking cards from RFID Cloaked company with RFIDSecur technology.

You can place RFID blocking cards alongside your contactless bank card, in your wallet, purse or ID holder, guaranteeing protection against theft of your information or unauthorised payments while still allowing you – and only you – full use of your cards. They also come in a range of stylish designs.

‘If you are interested in any of the RFID blocking card protectors, take a look at our online-shop.

Updated in June 2020

The post Three reasons why it might be time to get an RFID blocking wallet appeared first on RFID Cloaked - Protecting your RFID personal data.

Biometric and passcode logins should protect the user from unintentionally making any sort of payments. Safe from criminals and those trying to access your accounts. Therefore your bank details and cash should be secure.

Unfortunately this doesn’t seem to be the case, smartphones are only as good as the programmers and developers who code the systems for the phone and bank companies. Any holes in these system can lead hackers and criminals to take control of these systems and in essence have full access to your data and information stored in the modern devices.

Is pay by phone safe? Google Pay and Apple Pay: is your data safe?

Day to day we are hearing stories in the news about international companies and even national security agencies being hacked. Criminals having access to databases, passwords emails and login details. Smartphones are no different in many respects. The weakest links are always the humans that build the operating systems and applications.

Keeping up with the latest security implementations and best practises seems to be too much for many companies. A badly coded authorised login is implemented on almost all internet connected devices, from a universally used websites. It allows access to information stored within the app. If that app is hotel books with stored card information, in theory criminals could book rooms in your name. What if via the app they get access to all your card details? The risks are all still there. Even once the loophole has been closed as criminals are always looking for ways to gain people’s confidence. They can gain access to accounts or use in email phishing attacks to further attack computers or users devices.

What can you do to protect your data?

It is quite simple to ensure data protection security. Data protection and data security are provided by the following steps:

• You have to use unique passwords for all websites and logins.
• You have to keep device and computer security and operating system up-to-date.

Where possible

• Use encrypted data sites.
• Two factor authentication (another layer of protection like Google authenticator. Even if your password is stolen, your data is safe and encrypted without this second key).
• Only login to websites using HTTPS.

Never

• Use email links to login to websites, unless you are completely sure it is from the right website.

‘Do you want to learn more about the risks of using contactless payments? For more information, see the article.

Updated in June 2020

The post Is it safe to pay with Google Pay and Apple Pay? appeared first on RFID Cloaked - Protecting your RFID personal data.

These types of convenient payment cards do not need the users to input or authorise the transaction with a pin. Users are unable to stop this happening without already having bought RFID protection or shielding (RFID shield wallet or RFID shield card).

What you should do when an accidental RFID contactless payment happens

• Make a note of the date, time and location of the accidental contactless payment or transaction takes place. Keep any used tickets and receipts incase the service refuses to refund.
• Find your nearest member of staff or information point. Ask for information about disputing the contactless transaction error. Not all members of staff may know what to do, if this happens ask for complaints or a general enquiries telephone number and contact them.
• Are you using a travel service in London like the bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus and National Rail and have an online account? Login and check to see if you have been incorrectly charged. Note the transaction and register the dispute with Transport for London online. Or alternatively contact them by telephone 0343 222 1234 (call charges apply).
• If you are using Oyster travel card pay-as-you-go it is harder to prove ownership of the card when the transaction happened. So it is important you dispute the payment as soon as it happens with a member of staff.
• If you are unable to resolve the issue with the retailer or travel service, contact your bank with full details of the contactless payment and why you dispute the contactless payment giving full information. The bank can look into accidental payments on your behalf with the retailer/service.

How to prevent accidental contactless payments using RFID cards

• Most RFID contactless payment terminals work at short ranges. So keep your purse and wallets at least 20cm (8 inches) away from the terminal. Hacked or altered terminals and specialist readers can read up to 1.5m or further.
• Banks can send out VISA / MasterCards without contactless payment RFID chip included. Contact your bank and ask for one if you really do have concerns, but you will lose the convenience contactless payment brings.
• It is possible to render your bank card unable to use contactless payments by drilling through the chip inside the card. This is not recommended as you could damage the card so it is completely unusable, if you do this you will have to order another card from your bank and that could take time.
• A Faraday cage can block accidental contactless payments, and RFID payment cards. Conductive material such as aluminium foil, conductive paint, wire mesh, or any of a number of materials can block radio frequencies. Different materials are better and worse at blocking different frequencies. And the Faraday cage has to completely enclose the cards. So, no leaks or gaps, will mean no radio waves can get in or out, blocking the RFID signal. This method takes out the convenience out of contactless payment, it can work, but it’s not so easy to use.
• Purchase a good quality RFID blocking cards, wallets and purses. It must protect/shield 13.56 Mhz RF frequency. All RFID contactless payment cards use this international standard. If you have security cards or keyless passes these typically use RFID 125 khz. These are usually premium products and cost a bit more than a normal leather wallet or purse.

‘Do you want to learn more about contactless card protection? Read about this method of card protection.

How to get your money back

If you believe you have been a victim of contactless card fraud always, contact your bank immediately and to quote the Payment Services Regulations. These say that you must be refunded immediately if you are a victim of fraud.

If the bank can show that you were careless with your card and PIN or password, you will be liable for a maximum of £50, although many banks and building societies will waive this.

If that doesn’t work, then you can complain to the Financial Ombudsman.

Edited in June 2020

The post Accidental RFID contactless payments, what should you do in this case? appeared first on RFID Cloaked - Protecting your RFID personal data.

The following is an interpretation of the Payment Card Industry Data Security Standard version 3.2 (PCI DSS 3.2) against the data readily accessible from a contactless card.

It suggests that your card data is at risk, that this risk is identified as a concern for the PCI (Payment Card Industry) such that they list it as a key concern. Yet contactless cards offer no protection of this data and the PCI does not seem to address this.

All the different data types stored on a bank card including chip, PAN, Cardholder name expiration date magnetic strip

Activities that put data at risk

A survey by Forrester Consulting of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.

• 81% store payment card numbers.
• 73% store payment card expiration dates.
• 71% store payment card verification codes.
• 57% store customer data on the payment card magnetic strip.
• 16% store other personal data.

Source: The State of PCI Compliance (commissioned by RSA/ EMC)

What are the PCI CONCERNS and it’s role?

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the front of a payment card.

What does PCI Data Security Standard (PCI DSS) do? Cardholder data protection

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally or transmitted over an internal or public network to a remote server or service provider.

Paragraph 3.3 of PCI DSS 3.2 states that Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

Paragraph 3.4 states that Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for the definition of strong cryptography).

But by comparison, the riskiest behavior is using contactless cards with RFID chips and the contactless payment favoured by banks as the alternative to cash. Why? Simply because all contactless payment cards natively and openly reveal basic information that should be protected, the PAN, and other data. With a mobile phone application, currently available to download, it is very simple to access (without the cardholder’s knowledge or permission) the data from contactless cards.

What data can be found reading a credit card?

I want to show you the results of reading the card from one phone application. In the App, the card number is revealed in full, but in line with PCI guidelines, only the first six and last four digits are revealed here.

• Track 1
  • Expiry date: 1 Nov 2017
  • PAN Card number : 540463******8991
  • Format : B
  • Service: International interchange
  • Normal
  • No restrictions
  • None

• Track 2
  • Expiry date: 1 Nov 2017
  • PAN Card number : 540463******8991
  • Service: International interchange
  • Normal
  • No restrictions
  • None
• AID : A0 00 ** ** ** 10 10
  • Label: MasterCard
  • Priority: 1
  • Pin try left: 3 Time(s)

Not only this, but it is also possible to view the recent transaction log of the card.

Data that can be read with unauthorized access from your bank card

According to PCI DSS 3.2, none of this information should be accessible, transmissible, recordable or stored and yet all of it is. So when it comes to risky behaviour should not the guide address and highlight this as follows: 100% of contactless cards reveal PAN and other sensitive customer data in breach of PCI DSS 3.2 when accessed.

What about Governance?

It is said that “all five payment card brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization”. And “PCI DSS applies to All entities involved in payment card processing including merchants, processors, acquirers, issuers and service providers”.

So one must surely ask where’s the excuse for this seemingly non-compliance with DSS 3.2? How can a merchant be held accountable to DSS 3.2 when the governing members appear not to be? Ask yourself as a card user, are you fully satisfied that your contactless payment card is truly secure, that your data is not of use to fraudsters? 

And what does this lack of security ultimately benefit? It would seem only the ease and speed of use of contactless transactions perhaps to ensure contactless payment uptake? Complying with PCI DSS Standards, is that not the primary concern?

‘We have written many articles about security issues with contactless cards. You can read about this in our blog

The post PCI DSS 3-2 Contactless data exposure – Surely not poor Governance appeared first on RFID Cloaked - Protecting your RFID personal data.