High tech pickpockets, and how to protect yourself

June 19, 2010 11:22:40 AM PDT
In New York City, everybody shares close quarters.

Airports, streets and subways are crowded.

"I don't like walking with all my credit cards with me because I've been pickpocketed before," Tasha Guevara said.

The Brooklyn resident was talking about the sly thief who dips into a purse or a pocket, but there's another type of pickpocket out there.

"People can pickpocket you without even touching you," Walt Augustinowicz of Identity Stronghold said.

How is this possible?

Through Radio Frequency Identification, or RFID. The chips send a short range radio signal used all of the time in id badges and access cards.

But they're also in some credit cards and in all U.S. passports issued since 2006. Passport ID cards have a warning on the back to keep it in a protective sleeve. Augustinowicz owns the company that makes them, identity stronghold.

"Because it's a radio you just get near someone with one of these readers, near their back pocket where their wallet is you -- just walk by them and you can actually skim off their credit card numbers, expiration dates," he said.

Using a ten dollar credit card reader he bought on eBay, he demonstrated how it could happen.

Once skimmed, Augustinowicz showed us how pickpockets can download your sensitive information.

We came to the Borough Hall subway station in Brooklyn with our $10 skimmer to find out how many passengers might be at risk.

Most trusting commuters actually let us try to skim their credit cards, but didn't have ones with RFID chips.

"It's really scary. Anyone could come down in the subway and scan my bag," Meredith Futernich said.

One commuter, Naima Gregory, did have the right type of cards on her.

"I thought it would require a lot more high tech technology than that. I mean that's a $10 device. That's crazy," Gregory said.

RFID experts say it's not that bad. Credit card companies usually flag fraudulent activity, they say, and require the CVC number and home address as additional safeguards.

"The credit card companies basically have said, 'We understand there's a concern out there. We want to address the concern,'" Mark Robert, founder and editor of RFID Journal, said.

The NYPD hasn't tracked any problems here, but California and Washington states have passed RFID anti-skimming laws.

"There's always going to be two sides to this. The benefit and then there's the risk. I think that's the nature of technology," Lance Ulanoff, PC Mag's editor-in-chief, said.

The Federal Trade Commission is aware of the potential risks. It holds occasional public workshops about the threat.

Experts offer several tips for protecting yourself:

  • Leave your RFID credit cards at home. Pay for purchases outside your home with cash or regular credit cards.

  • Stack your RFID credit cards together in your wallet. Putting your cards next to one another will make it harder for a scanner to read the data on a particular RFID card.

  • Wrap your RFID credit cards in aluminum foil before putting them in your wallet. This homemade technique helps, but does not guarantee, blocking RFID scanners from reading the card.

  • Consider a credit card shield for more advanced protection. Several companies manufacture shields that hold your credit card when it is not in use. The shields prevent RFID scanners from reading the data on your card.

  • You can also purchase a specially made wallet to carry all of your cards. These wallets are manufactured with materials that have been approved by the Government Services Administration to block RFID transmissions.

  • Monitor your credit card statements regularly for errors or odd charges.



    With the MasterCard Zero Liability policy, MasterCard PayPass cardholders are not responsible for any unauthorized transactions on their account.

    The information could not be used to make Internet or phone purchases, since the merchant should ask for CVC (card verification code) 2 data - the 3 digit code on the back, or zip code verification - to complete any purchase.

    The information could not be used to create a phony mag stripe care without the CVC1 data that is found in the mag stripe.

    And the information could not be used to create a phony PayPass card. For every transaction made with a PayPass-enabled card or device, there is a discreet authentication code that changes after each transaction. Without the proper code the transaction will not be authorized, making it impossible to duplicate a card without the key that is used to create the code, which is held securely in the PayPass chip itself.