The RFID boogeyman, part 1: credit cards, HuMn wallet and identity theft

RFID is turning into what cookies were circa 2000: a poorly understood but universally reviled privacy-infringing technology extraordinaire, synonymous with nefarious plans for consumer tracking by shadowy agencies. (Not to mention supernatural conspiracy theories.) NFC (Near Field Communications), being a type of RFID operating at the 13.56 MHz frequency, appears to have inherited all of that hysteria and vitriol as it begins to overtake earlier incarnations of the technology. Case in point: HuMn is a Kickstarter-funded project to manufacture so-called RFID-safe wallets. Aside from the fact that it does not in fact cover all RFID objects, their marketing language appears to suffer from the same confusions about an ill-defined “identity theft” threat. (What about the US passport? Doesn’t look like the dimensions are compatible. And did they forget NFC-enabled phones? Where is the matching shielded phone cover?)

There is certainly a kernel of truth to the FUD: unauthorized payments can be made by bumping an NFC reader against the unsuspecting victim. Dramatic demonstrations of this abound on the tubes and the topic is rehashed often at conferences. This is not an iron-clad rule that follows necessarily from the technology, but an incidental property of the way cards are configured in the US. PIN entry is not required for credit card payments (not to be confused with debit, which does require it), unlike the chip-and-PIN system in Europe. Without a PIN gating authorization, mere proximity to the card is sufficient to exercise the payment protocol because the card has no other user interface to ask for consent. (Mobile incarnations of NFC payments such as Google Wallet are a major improvement in that regard: on Android devices the phone screen must be powered on and users need to have recently entered the PIN to enable payments.)

But the jury is out on whether that constitutes “identity theft.” Part of the problem lies in the ambiguity of the phrase, which conflates routine credit card fraud with wholesale impersonation of the victim. An enterprising criminal in possession of someone else’s credit card, even temporarily by NFC skimming, can spend funds available on that card. But armed with the victim’s full legal name, date of birth and social security number, that same crook can cause a lot more damage with new account fraud. They can get new loans with no intent to pay back or establish lines of credit in the name of the victim, all thanks to the bullet-proof authentication system used for such applications: if you know someone’s social security number, you must be that person. Vanilla card fraud takes place in a closed system, with a single institution implicated, namely the bank that issued this card to the legitimate card-holder. That company has an existing relationship with the consumer and presumably an interest in resolving the matter satisfactorily, in order to retain their business. (Card networks are structured such that the issuer earns revenue from some portion of the interchange fee from every transaction, not to mention interest on balances.)

Between these two, plain card fraud is far less dangerous. It is also a problem the industry has “solved” to a large extent by creating the appearance of zero liability for consumers, distributing losses between merchants and issuing banks. While dealing with fraud is time-wasting and inconvenient, losses are fully recoverable. By contrast, new account fraud takes place in an open ecosystem, where the crook could have ripped off any number of participants with no prior relationship to the victim and not subject to the consumer-friendly liability arrangement of credit cards. It can be more challenging to undo this situation.

Lost in the ambiguity of “identity theft” is that neither SSN nor date of birth can be gleaned from a credit card. RFID or not, it is not possible to get this information from a credit card, so the risk here is one of plain fraud. In fact NFC often provides the least information among all the different modes in which a payment can be made: while the card-holder name is encoded in the magnetic stripe and embossed on the card, it is typically omitted from the equivalent “track data” sent during NFC payments. This is why the case of Barclays in the UK was a big deal: the cards were personalized with full names.

It is unlikely that gangs of identity thieves are roaming crowded areas and bumping into unsuspecting people with NFC readers. (An Android phone counts as a reader, in case stealth is desired.) Such attacks are difficult to scale for three reasons. First, skimming requires physical proximity to the victim, limiting the miscreants to a geographical area instead of being able to, say, target US citizens from the safety of Nigeria. Second, the environment is not exactly target rich, with only a small number of banks having issued cards with NFC and even fewer people leveraging that. That makes it easy for fraud-detection systems to pick out anomalies, because for most customers any contactless transaction is a red flag. Finally, each bump only permits a limited number of transactions because the protocol employs a dynamic CVC3 verification value unique to each transaction. That is unlike swiping or typing card details into a web browser, where the same fixed number is entered for the life of the card. In short, it is a bad proposition for the criminal, combining lots of effort with long odds and limited upside even when successful.
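The difference between a fixed verification number and a per-transaction one can be seen from the issuer's side in a small model. This is an added example, not part of the original post: it uses HMAC-SHA256 as a stand-in and is not the actual CVC3 derivation, and the transaction counter, reader nonce, strict counter check and all names are assumptions of the model.

```python
import hashlib
import hmac

def dynamic_code(card_key: bytes, counter: int, reader_nonce: bytes) -> str:
    """3-digit per-transaction value (HMAC stand-in, not the real CVC3)."""
    msg = counter.to_bytes(2, "big") + reader_nonce
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Model card: every read advances an internal transaction counter."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def respond(self, reader_nonce: bytes):
        self._counter += 1
        code = dynamic_code(self._key, self._counter, reader_nonce)
        return self._counter, reader_nonce, code

class Issuer:
    """Issuer check: the code must verify AND the counter must be fresh."""
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def authorize(self, counter: int, reader_nonce: bytes, code: str) -> str:
        expected = dynamic_code(self._key, counter, reader_nonce)
        if not hmac.compare_digest(expected, code):
            return "declined: bad code"
        if counter <= self._last_counter:   # value already used or overtaken
            return "declined: counter replayed"
        self._last_counter = counter
        return "approved"

def demo():
    key = b"constructed-demo-key"            # constructed sample, not card data
    card, issuer = Card(key), Issuer(key)
    earlier = card.respond(b"\x00\x00\x00\x01")  # one read, never submitted
    genuine = card.respond(b"\x12\x34\x56\x78")  # cardholder's own purchase
    return (
        issuer.authorize(*genuine),   # first presentation of a fresh value
        issuer.authorize(*genuine),   # same value presented a second time
        issuer.authorize(*earlier),   # older value, counter now overtaken
    )

if __name__ == "__main__":
    print(demo())
```

A fixed number typed into a web form has no counterpart to the counter check: the issuer sees the same value on every transaction and cannot tell a repeat from the original.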

Returning to the original problem: yes, it is true that unfettered access over NFC to credit cards allows making unauthorized payments. But then so does handing over the card to a bartender when settling a restaurant tab or holding the card in plain view in any public setting with other people present. Watch out for the person behind you in line wearing Google Glass. (Somehow “visible-light-spectrum-shielding wallet” does not sound as marketable.)

