According to latest estimates, more than 1 billion credit cards and IDs have been released with an RFID chip in the recent past. You may have heard about the new payment form that many larger retailers in the US support. Just wave with your credit card at the counter in close proximity to a payment station and your credit card information are automatically transmitted to the payment processor. That is in theory a great system as it simplifies and speeds up payments when you make purchases.
But since you just have to hold your credit card near the station and do not have to enter any form of authorization, what's keeping third parties from exploiting the signal that the credit cards emit? The answer is next to nothing.
If you have the right set of tools, and you can get your hands on them for about $100 online, you too can retrieve the credit card information, including the credit card number and expiration date from any card that is having an RFID chip and that is not protected by its owner. The one hindrance is that an attacker needs to get real close to the location of the credit card, usually within 2-4 inches. That's not a problem though if you are standing in line or in crowded places.
Find out if your credit card has an RFID chip
To find out whether a credit card has an RFID chip, you can look at the card to tell if it does or does not. If you see the marked symbol on the image below, it is supporting RFID. Also, if the card says PayPass, payWave or blink, it also has RFID capabilities.
What the credit card companies say
Visa, MasterCard, American Express and other credit card companies have stated that RFID technology is safe, and that state of the art fraud detection prevents abuse of the system. Field tests however have shown that the system can still be exploited, for instance with a kit that is recording the information and creating a duplicate of the credit card.
Protect your credit card from leaking information
If you do not use the new payment options at all, you can ask your bank for a credit card without RFID chip. While costs may be involved, it is the best way to make sure no one is able to read your cards data. If that is not an option, you could alternatively try and remove the RFID chip from the card but that is leaving visual signs of tampering which may get you into explanation troubles. You could alternatively try to smash the chip with an hammer to destroy it.
You can also buy protective sleeves for your cards and IDs that block the signal from being picked up, or use tinfoil as a low cost alternative for that.
I just asked a few of my friends whether they know if their credit card has an RFID chip on it, and only one knew about it. What about you? Do you know if your cards support RFID?