You might not know it, but you could have a credit or debit card that uses a tiny computer chip and a radio antenna to transmit account information from your card—even when you’re not shopping.
MasterCard uses “PayPass” to identify the cards. Chase bank coined the term “Blink.” Some contactless cards, which use a radio frequency identification, or RFID, chip, might simply have a symbol on the card consisting of four curved lines. An industry newsletter, The Nilson Report, says 35 million contactless chip cards are in circulation in the U.S.
The cards are touted as convenient, but they are also vulnerable to being skimmed without ever leaving your pocket. The information communicated from your card to a card reader can be enough to create a counterfeit card that can be successfully used to make an unauthorized purchase, as we observed in a recent demonstration by Recursion Ventures, a security research and consulting company in New York City.
The basic equipment needed for that form of fraud is readily available to would-be crooks. An electronic card reader available online for less than $100 can be connected to a laptop to store skimmed information. When Chris Paget, whose title at Recursion is chief hacker, used such a reader to scan a Chase debit card he’d recently received, the card’s account number, expiration date, and security data immediately appeared on the computer screen. Two credit cards still inside the mailing envelope revealed the same type of account data.
