US TV station highlights major flaw in Visa/Mastercard/Amex RFID technology

These RFID systems operate in a similar manner to the London Underground Oyster card and allow Visa, Mastercard and Amex cardholders to 'wave' their card in the vicinity of a reader to pay for a transaction - typically of up to 10 euros – without authenticating themselves.

According to researchers on the Katu TV station, they have been able to create an electronic wand - using kit costing around $20.00 - that extracts credentials from a card, wirelessly, at a range of up to four inches.

This data is then sufficient, they claim, to allow fraudsters to generate unauthorised purchases online.

The TV station says that Walt Augustinowicz, a security expert, demonstrated at a local Portland airport "how scammers can rip off your card number by concealing a reader in a tablet or iPad case and waving it near back pockets or backpacks of travellers."

His device, say the researchers, can pick up a person's card number and the expiration date if it's held just four inches from a wallet or purse.

"With permission from purse and wallet owners, Augustinowicz and the Katu Problem Solvers (a consumer TV programme), scanned dozens of wallets and purses at the airport looking for cards with RFID technology", says the station in its report.

"They found cards with RFID in about 50% of the wallets they tested. Owners were shocked and angered that their credit card information could be `magically' snatched from them," it adds.

After contacting the card associations - Visa, Mastercard etc - that brand and manage the cards for financial associations such as banks, the researchers found that they argued that a scammer would not get enough information to make a purchase, and that the reader "does not transmit the cardholder's name, billing address or the security code on the back of the card."

"That's true, but the Problem Solvers tried to make an online purchase with a name and address that didn't match the account holder. It went through, and a security code wasn't even required", says the TV station in its report, adding that it was also able to generate a fraudulent phone order.

Interestingly, Infosecurity notes, the researchers claim that, in a patent application filed by Visa, its own product development director admitted electronic pick-pocketing is "a major concern for consumers."

What’s Hot on Infosecurity Magazine?