Data Archives - RFID Cloaked - Protecting your RFID personal data
https://rfidcloaked.com/blog/tag/data/
Shielding and blocking RFID, NFC, contactless payment cards and security passes
Wed, 19 Aug 2020 11:54:14 +0000

Can someone steal your credit card info from your pocket?
https://rfidcloaked.com/blog/2020/08/16/can-someone-steal-your-credit-card-info-from-your-pocket/
Sun, 16 Aug 2020 10:58:34 +0000

The post Can someone steal your credit card info from your pocket? appeared first on RFID Cloaked - Protecting your RFID personal data.

Can someone steal your credit card info from your pocket? Yes, if you have a contactless card with an RFID chip, the data can be read from it.

What can help steal your credit card info?

Contactless payment cards have radio frequency identification tags in them which can be read from a distance by using a scanner. The same RFID technology ensures the operation of building access cards and transport cards. Therefore, data on all types of contactless cards are not secure.

A number of publications, such as NBC New York and The Sun, have conducted experiments showing that contactless card information can be stolen at close range. To do this, experts simply held a reader disguised as an iPad to the victim’s pocket, wallet, or bag. Now, scammers don’t even need to buy any devices to do this. Google Play has apps that can be used for the same purpose.

If you are in a public place where a lot of people have gathered, the risk of such fraud increases significantly.


What information can be stolen?

By using RFID readers, fraudsters can get access to different types of data, for example, credit card numbers and card expiration dates. This data is sufficient for resale on the darknet, and once it is supplemented with other personal information, it could be used for making transactions on a number of sites or opening an account in your name. If a fraudster has obtained part of your personal data, the chance that they will obtain all the information necessary for making a transaction or opening an account increases significantly. At the same time, security experts say that 80% of credit cards are compromised in some way. Their data was stolen as a result of phishing, skimming, malicious software on websites, fraudulent phone calls, and data breaches.

How to protect your cards from skimming and other types of fraud

Of course, credit card companies are trying to improve the technology with encryption, but thieves are also using increasingly advanced technologies that allow them to steal personal information.

Therefore, we recommend that you follow the simplest preventive security measures against RFID skimming:

  • Do not store your cards in your pockets or in money-clip wallets. Keep them only in your wallet, and keep the wallet in a zippered bag. The wallet must have a separate slot for each card so that you can see each card in its place.
  • Use a special blocking wallet, holder, or blocking card to protect your contactless card from skimming. Do not wrap the cards in foil; it is not intended for shielding.
  • If you see someone holding a mobile phone next to your wallet or bag, or acting strangely in the checkout line, step back and ask the store’s staff for help.
  • Before using the card anywhere, check for card skimmers.
  • Use one card for autopay accounts and the other for everyday purchases. The autopay and everyday strategy helps you save your money and personal data.
  • Do not store photos of your cards on your phone, or write their data to your phone.
  • Keep cards that you don’t use at home in a safe place. You can also keep a list of all your card numbers, expiration dates, and security codes, as well as contact information in case your cards are ever stolen.
  • Destroy any documents containing your credit card information, including documents containing the last 4 digits.
  • Keep track of your account statements. If you see a suspicious purchase, immediately notify the card issuer.
  • Periodically check the personal accounts of the online stores that you use most often (Amazon, Target, etc.). If you find any transactions that were not made by you, contact the seller immediately.
  • If someone asks you to provide your card details over the phone on behalf of the card issuer, do not agree. Call the customer support number on the back of your card and ask the issuer’s representative what to do in this case.
  • Use a credit card instead of a debit card whenever possible. In general, the losses will be smaller if the thief drains your credit limit than if they have access to funds from your debit card. If your debit card is compromised, you may lose access to all the money in your current account until the bank deals with the fraud. This could take several days.
  • Periodically change your passwords and update your card PIN codes.

Keep your data and funds safe at all times.

If you are worried about someone reading your cards, there are several RFID blocking products that can prevent skimming.

Hacking RFID devices using NFC smartphones
https://rfidcloaked.com/blog/2016/10/21/hacking-rfid-devices-using-nfc-smartphones/
Fri, 21 Oct 2016 07:30:24 +0000

The post Hacking RFID devices using NFC smartphones appeared first on RFID Cloaked - Protecting your RFID personal data.

This presentation shows how easily RFID devices can be hacked and their data accessed using standard NFC smartphones.

The presentation describes potential RFID vulnerabilities in various devices (Mifare, RFID biometric passports, Mastercard PayPass, VISA PayWave), and how to exploit them using NFC smartphones.

It shows how to read/write cards, crack/gain keys, read biometric RFID passports, read NFC payment cards.

To view the presentation, follow the link →


The presentation describes the NFC Protocol and its history, the main devices that use RFID technology, as well as RFID vulnerabilities that exist for these devices.

You will see that there are no secure RFID devices, so RFID protection is necessary.

Want to learn more about RFID protection? See the information in our online shop.

PCI DSS 3-2 Contactless data exposure – Surely not poor Governance
https://rfidcloaked.com/blog/2016/09/27/pci-dss-3-2-contactless-data-exposure-surely-not-poor-governance/
Tue, 27 Sep 2016 22:51:52 +0000

The post PCI DSS 3-2 Contactless data exposure – Surely not poor Governance appeared first on RFID Cloaked - Protecting your RFID personal data.

Is PCI DSS 3.2 an incompatible truth with contactless payment cards and an inconvenient truth for Banks and card issuers?

The following is an interpretation of the Payment Card Industry Data Security Standard version 3.2 (PCI DSS 3.2) against the data readily accessible from a contactless card.

It suggests that your card data is at risk, and that the PCI (Payment Card Industry) itself lists this risk as a key concern. Yet contactless cards offer no protection for this data, and the PCI does not seem to address this.

[Figure: all the different data types stored on a bank card, including chip, PAN, cardholder name, expiration date and magnetic strip]

Activities that put data at risk

A survey by Forrester Consulting of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.

  • 81% store payment card numbers.
  • 73% store payment card expiration dates.
  • 71% store payment card verification codes.
  • 57% store customer data on the payment card magnetic strip.
  • 16% store other personal data.

Source: The State of PCI Compliance (commissioned by RSA/EMC)

What are the PCI’s concerns and its role?

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the front of a payment card.

What does PCI Data Security Standard (PCI DSS) do? Cardholder data protection

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally or transmitted over an internal or public network to a remote server or service provider.

Paragraph 3.3 of PCI DSS 3.2 states: Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

Paragraph 3.4 states: Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for the definition of strong cryptography).
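As an added illustration of paragraphs 3.3 and 3.4 (not code from the original article or from the PCI Council), the following Python sketch audits log lines for clear-text PANs and rewrites each one so that only the first six and last four digits remain. The function names are hypothetical, the sample log is constructed, and the card numbers in it are widely published test numbers rather than real cards.

```python
import re

# Candidate PANs: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log; the PANs are public test numbers, not real cards.
SAMPLE_LOG = [
    "2020-08-16 10:58:34 INFO auth ok pan=4111111111111111 amount=12.50",
    "2020-08-16 10:58:35 INFO order=1234567890123456 shipped",
    "2020-08-16 10:58:36 WARN retry card 5555-5555-5555-4444 declined",
    "2020-08-16 10:58:37 INFO receipt pan=411111******1111",
]


def luhn_valid(digits):
    """Luhn check: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (paragraph 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Return (line with every Luhn-valid PAN masked, number of PANs found)."""
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()  # not a card number: leave untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), found


def audit(lines):
    """Return (scrubbed lines, 1-based numbers of lines that held a clear PAN)."""
    results = [scrub_line(line) for line in lines]
    hits = [n for n, (_, found) in enumerate(results, 1) if found]
    return [clean for clean, _ in results], hits
```

Calling `audit(SAMPLE_LOG)` flags lines 1 and 3 and leaves the Luhn-invalid order number and the already-masked receipt line unchanged.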

But by comparison, the riskiest behavior is using contactless cards with RFID chips and the contactless payment favoured by banks as the alternative to cash. Why? Simply because all contactless payment cards natively and openly reveal basic information that should be protected: the PAN and other data. With a mobile phone application, currently available to download, it is very simple to access (without the cardholder’s knowledge or permission) the data from contactless cards.

What data can be found reading a credit card?

I want to show you the results of reading the card from one phone application. In the App, the card number is revealed in full, but in line with PCI guidelines, only the first six and last four digits are revealed here.

  • Track 1
    • Expiry date: 1 Nov 2017
    • PAN Card number : 540463******8991
    • Format : B
    • Service: International interchange
    • Normal
    • No restrictions
    • None
  • Track 2
    • Expiry date: 1 Nov 2017
    • PAN Card number : 540463******8991
    • Service: International interchange
    • Normal
    • No restrictions
    • None
  • AID : A0 00 ** ** ** 10 10
    • Label: MasterCard
    • Priority: 1
    • Pin try left: 3 Time(s)

Not only this, but it is also possible to view the recent transaction log of the card.

[Figure: data that can be read with unauthorized access from your bank card]

According to PCI DSS 3.2, none of this information should be accessible, transmissible, recordable or stored, and yet all of it is. So when it comes to risky behaviour, should the guide not address and highlight this as follows: 100% of contactless cards reveal PAN and other sensitive customer data, in breach of PCI DSS 3.2, when accessed?

What about Governance?

It is said that “all five payment card brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization”. And “PCI DSS applies to All entities involved in payment card processing including merchants, processors, acquirers, issuers and service providers”.

So one must surely ask: where is the excuse for this seeming non-compliance with DSS 3.2? How can a merchant be held accountable to DSS 3.2 when the governing members appear not to be? Ask yourself as a card user: are you fully satisfied that your contactless payment card is truly secure, and that your data is not of use to fraudsters?

And what does this lack of security ultimately benefit? It would seem only the ease and speed of contactless transactions, perhaps to ensure contactless payment uptake. Is complying with PCI DSS standards not the primary concern?

We have written many articles about security issues with contactless cards. You can read about this in our blog.
