Digital pickpockets using smartphones to steal credit cards
SEATTLE (KOMO) -- Convenience and speed are reasons businesses often use to encourage early adoption of a technology intended to improve our lives, especially when it comes to paying for goods and services at a cash register.
But digital pickpockets have found a way to use the same technology to line their pockets with goods and services bought with stolen credit cards. The newest smartphones are making it easy for thieves to steal and use stolen credit cards.
To understand how it's done, you need to understand our attraction to speed and convenience.
In an effort to speed up credit card transactions at the cash register, major credit card companies have adopted "contactless" payment systems like MasterCard's Paypass. It relies on radio frequency identification or RFID technology. RFID enabled credit cards are embedded with a hidden microchip that stores all the account information necessary to complete a transaction.
It's the same information on a card's magnetic strip. The difference is how it's communicated during the transaction. The RFID enabled card uses a hidden antenna to broadcast the information to an electronic credit card reader. The user completes the transaction by tapping the card over an electronic reader at the register. With the traditional card swipe, the account information is read off the magnetic strip.
Now smartphone manufacturers, including Samsung, Nokia, Motorola, LG and HTC, are releasing phones that are "NFC" or Near Field Communications enabled. NFC is a form of RFID technology that takes advantage of both transmitting and receiving data via the smartphone.
NFC enabled phones have the ability to read the data on a microchip credit card, but they do not come with the software to actually do it. Software is also needed to translate the information; otherwise the credit card data is meaningless.
Enter the hackers or code writers (depending on your point of view) who have not only written software to make the credit card info meaningful, but software that leverages the smartphone's ability to use NFC to transmit data to an electronic reader.
For years, digital pickpockets have built RFID readers that can electronically sniff someone's wallet or purse for account information embedded on an RFID enabled credit card. That step has all but been eliminated by the cell phone manufacturers. The newest versions of Android smartphones have the hardware to do the same thing and more.
With a firmware modification and a free open source application that can easily be found on the internet, the average person can turn their NFC enabled smartphone into a credit card stealing machine and then use the smartphone as that stolen credit card.
The Problem Solvers wanted to see for ourselves just how much easier an NFC enabled phone makes the job of a digital pickpocket.
We modified a Motorola Razr and installed the software to test just how easy it would be to scan an RFID enabled credit card and play it back to an electronic reader.
KOMO News has elected not to name the application or the firmware modification because we don't want to encourage others to do this behavior.
We visited, with and without the stores' knowledge, eight Seattle area stores that were equipped to accept a contactless payment system like Paypass. The Problem Solvers were able to use a variety of credit card numbers that had been scanned into the phone as if they were stolen by a digital pickpocket.
We made successful transactions at six of the eight stores we visited. Of the two that were not successful, clerks believed it was a problem with the reader detecting the phone.
"That's frightening," says Robbie Watson of Zelo Bike Shop after we showed him how I used a credit card that wasn't my own to make a purchase at his store. Since the electronic transaction doesn't include the cardholder's name, there was no way for Watson to verify the account number I was using was actually mine.
"Even if you showed me your ID, I couldn't verify the account," said Watson. "There's something not right about this."
At Seattle Cigar and Tobacco, owner Naeen Ahmad realized the same problem when we showed him how we used the phone in his store. There's no way to verify the info broadcast by the phone to the reader is my credit card.
"I think it's very dangerous, extremely dangerous. It's like anybody's credit cards are not protected anymore," said Ahmad.
Security consultant Steve Manzuik believes it's going to fall on the credit card industry to make contactless transactions more secure.
"It's a feature that hasn't been very well thought out," said Manzuik, who works with Leviathan Security Group, a Seattle firm that works with corporations on fixing their computer security breaches.
"The payment card industry wanted to speed things up a little and make it much faster for people to buy things," said Manzuik. "They are moving to this standard, which clearly isn't as secure."
MasterCard Worldwide says it's aware of the situation we were testing.
"The circumstances under which it can occur in the real world are extremely rare," MasterCard spokeswoman Beth Kitchner said in a written statement.
"We don't consider this to be a serious threat to our cardholders. MasterCard strives to stay far ahead of fraud. However if even one cardholder is impacted, we have a zero liability policy," Manzuik said.
Nobody is going to buy a phone and be able to start scanning credit cards in an hour, says Manzuik. But if you have the technical ability, it's not that hard to figure out.
Manzuik believes people should be able to tap their phones and pay for something using an RFID enabled credit card.
"It's the fact that they are doing it insecurely, that's the problem," Manzuik said.
There is now a cottage business growing on the internet of devices to protect credit cards, driver's licenses and passports embedded with microchips from the electronic sniffing of an RFID reader. Most products consist of foil lined wallets and sleeves.
There are also tutorials on YouTube demonstrating how a person with a sharp knife can remove or disable the microchip embedded in a credit card.
If you want to simply get rid of the RFID enabled credit card but not the account, call the credit card company and ask them to issue you a card that does not have the microchip inside.