Jump to content

RFID skimming: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
How RFID skimming is performed: More weasel tagging
Tags: Mobile edit Mobile web edit
remove spurious caps
 
(47 intermediate revisions by 28 users not shown)
Line 1: Line 1:
{{Short description|Unlawfully copying payment card information}}
{{Disputed|date=July 2019}}
{{Disputed|date=July 2019}}


'''RFID [[Skimming (fraud)|skimming]]''' is a method to unlawfully obtain someones payment card information.
'''RFID skimming''' is a method to unlawfully obtain someone's [[payment card]] information using a [[RFID]] reading device.

== How RFID skimming is performed ==
== How RFID skimming is performed ==
Modern{{Which?}} payment cards have a built in chip that transmits the cards&#39; information wirelessly. This is because it is necessary in order to enable [[Contactless payment|contactless payments]], which has become increasingly popular during recent years<ref>{{Cite web|url=https://www.visaeurope.com/newsroom/news/1-billion-visa-contactless-purchases-made-in-last-year|title=1 billion Visa contactless purchases made in last year|website=www.visaeurope.com|access-date=2019-01-06}}</ref>. Criminals can take advantage of this new technology by using a scanner that wirelessly scans the victim&#39;s payment card in the same way that a cash register scans it, when making a contactless payment. These scanners are legal and can be bought in regular electronics stores<ref>{{Cite web|url=https://www.amazon.co.uk/dp/B00F91ONV2/ref=asc_df_B00F91ONV257881850/?tag=googshopuk-21&creative=22146&creativeASIN=B00F91ONV2&linkCode=df0&hvadid=309904628368&hvpos=1o1&hvnetw=g&hvrand=611162221074075592&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9045935&hvtargid=pla-577620202982|title=NFC RFID Reader / Writer ACR122U ISO 14443A/B + Free Software in White: Amazon.co.uk: Beauty|website=www.amazon.co.uk|access-date=2019-01-06}}</ref>.
Modern payment cards have a built in chip that transmits card information wirelessly. This is because it is necessary in order to enable [[contactless payment]]s, which has become increasingly popular during recent years.<ref>{{Cite web|url=https://www.visaeurope.com/newsroom/news/1-billion-visa-contactless-purchases-made-in-last-year|title=1 billion Visa contactless purchases made in last year|website=www.visaeurope.com|access-date=2019-01-06}}</ref> Criminals can take advantage of this new technology by using a scanner that wirelessly scans the victim's payment card in the same way that a cash register scans it, when making a contactless payment. These scanners are legal and can be bought in regular electronics stores.


Most{{Which?}} modern{{When?}} mobile phones running Android OS have a built in NFC reader that can be used to unlawfully scan contactless payment cards<ref>{{Cite web|url=https://play.google.com/store/apps/details?id=com.charm.android.nfc_emv_card_info&hl=en_US|title=EMV Card Reader - Apps on Google Play|website=play.google.com|language=en|access-date=2019-01-06}}</ref>. A criminal can hide the scanner e.g. inside a glove or a bag, and then place himself close to the victim and wirelessly steal the victim&#39;s payment card information<ref>{{Cite news|url=https://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which|title=Contactless card fraud is too easy, says Which?|last=Bachelor|first=Lisa|date=2015-07-23|work=The Guardian|access-date=2019-01-06|language=en-GB|issn=0261-3077}}</ref>.
Most modern mobile telephones running Android OS have a built in [[Near-field communication|NFC]] reader that can be used to unlawfully scan contactless payment cards. A criminal can hide the scanner e.g. inside a glove or a bag, and then place it close to the victim and wirelessly steal the victim's payment card information.<ref name="auto">{{Cite news|url=https://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which|title=Contactless card fraud is too easy, says Which?|last=Bachelor|first=Lisa|date=2015-07-23|work=The Guardian|access-date=2019-01-06|language=en-GB|issn=0261-3077}}</ref>


With the wirelessly obtained payment card information, the criminal can use it to make fraudulent purchases online{{Citation needed|date=March 2020}}. This is called [[Card not present transaction|Card Not Present]] fraud.
With the wirelessly obtained payment card information, the criminal can use it to make fraudulent purchases online.{{Citation needed|date=March 2020}} This is called [[Card not present transaction|card-not-present]] fraud.

Methods similar to RFID payment card skimming may also be used for copying other RFID-based [[proximity card]]s, such as those used for [[keycard lock]]s. 125&nbsp;kHz RFID and other systems relying on a [[Radio-frequency identification#Signaling|unique identifier number]] (UID) are vulnerable to this.<ref>{{cite web |last1=Maxsenti |first1=Mike |title=How to Clone an RFID Key Card for Less Than $11 – And How to Defend Against It |url=https://www.getgenea.com/blog/how-to-clone-an-rfid-key-card-for-less-than-eleven-dollars/ |website=Genea |date=23 May 2017}}</ref><ref>{{cite web |last1=Mehl |first1=Bernhard |title=Step-by-Step: How to Copy RFID and NFC Access Cards & Key Fobs |url=https://www.getkisi.com/blog/how-to-copy-access-cards-and-keyfobs |website=www.getkisi.com |language=en}}</ref>


== Incidence ==
== Incidence ==
[[Card not present transaction|Card not present]] fraud has increased rapidly between 2012-2016<ref>{{Cite web|url=https://www.pymnts.com/news/security-and-risk/2017/card-not-present-fraud-picking-up-in-us/|title=Card-Not-Present Fraud Picking Up In U.S.|last=PYMNTS|date=2017-01-18|website=PYMNTS.com|language=en-US|access-date=2019-01-06}}</ref>.
Card-not-present fraud increased rapidly between 2012 and 2016.<ref>{{Cite web|url=https://www.pymnts.com/news/security-and-risk/2017/card-not-present-fraud-picking-up-in-us/|title=Card-Not-Present Fraud Picking Up In U.S.|last=PYMNTS|date=2017-01-18|website=PYMNTS.com|language=en-US|access-date=2019-01-06}}</ref> In the United Kingdom an increase could be seen in [[Card not present transaction|card not present]] fraud - from 750,200 reported cases in 2012, to 1,437,832 reported cases in 2016.<ref>{{Cite web|url=https://www.financialfraudaction.org.uk/fraudfacts17/|title=Financial Fraud Action UK - Fraud the Facts|website=www.financialfraudaction.org.uk|language=en|access-date=2019-01-06}}</ref> However, there are no statistics available regarding RFID skimming, as it is difficult to determine the method of card fraud.<ref>{{Cite web|url=https://financebuzz.com/what-is-rfid-blocking|title=What is RFID Blocking (and Why You Don't Really Need It)|date=November 7, 2019|website=FinanceBuzz}}</ref>

In the United Kingdom an increase could be seen in [[Card not present transaction|card not present]] fraud - from 750,200 reported cases in 2012, to 1,437,832 reported cases in 2016<ref>{{Cite web|url=https://www.financialfraudaction.org.uk/fraudfacts17/|title=Financial Fraud Action UK - Fraud the Facts|website=www.financialfraudaction.org.uk|language=en|access-date=2019-01-06}}</ref>. Since it is not possible to know which method the criminal used to obtain the victim&#39;s payment card information there are no statistics on the distribution between different types of skimming.


== RFID skimming compared to other types of skimming ==
== RFID skimming compared to other types of skimming ==
In contrast to other types of skimming such as [[Automated teller machine|ATM]] skimming or hacking an online merchant's web page, RFID skimming requires little or no technical expertise. In order to execute [[Automated teller machine|ATM]] skimming, the criminal needs to custom build a device, then place that device inside an ATM and later pick up the device after the victims have used it. Hacking online merchants web pages requires substantial computer knowledge.
In contrast to other types of skimming such as [[Automated teller machine|ATM]] skimming or hacking an online merchant web page, RFID skimming requires little or no technical expertise. In order to execute ATM skimming, the criminal needs to custom build a device, then place that device inside an ATM and later pick up the device after the victims have used it. Hacking online merchant web pages requires substantial computer knowledge.{{citation needed|date=November 2021}}


== Myths ==
A common myth that is often mentioned by card issuers is that a criminal can only steal the maximum amount that is allowed for contactless purchases. This sum is usually between
$30-$50 and is different for each country. This has been proven wrong in a test by British consumer magazine &#39;&#39;Which?&#39;&#39;. In the test they successfully used wirelessly obtained payment card information to make an online purchase of over £3,000<ref>{{Cite news|url=https://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which|title=Contactless card fraud is too easy, says Which?|last=Bachelor|first=Lisa|date=2015-07-23|work=The Guardian|access-date=2019-01-06|language=en-GB|issn=0261-3077}}</ref>.
== Methods for preventing RFID skimming ==
== Methods for preventing RFID skimming ==
=== Metal foil ===
=== Metal foil ===
Shielding is possible by wrapping the payment card in [[Aluminum foil#Electromagnetic shielding|aluminum foil]]. However aluminium foil tends to wear out quickly. Informal tests found that the shielding effect was not 100% effective, though it did very much reduce the maximum range for reading, from about {{Convert|1.5|ft|cm|sigfig=1}} to {{Convert|1-2|in|cm|sigfig=1}}<ref>{{cite web|title =
Shielding is possible by wrapping the payment card in [[Aluminum foil#Electromagnetic shielding|aluminum foil]]. However aluminium foil tends to wear out quickly. Informal tests found that the shielding effect was not 100% effective, although the foil did very much reduce the maximum range for reading, from about {{Convert|1.5|ft|cm|sigfig=1}} to {{Convert|1-2|in|cm|sigfig=1}}.<ref>{{cite web |title=Aluminum Foil Does Not Stop RFID |publisher=Omniscience is Bliss |url=http://www.omniscienceisbliss.org/rfid.html}}</ref>
Aluminum Foil Does Not Stop RFID|publisher = Omniscience is Bliss|url =
http://www.omniscienceisbliss.org/rfid.html}}</ref>.


=== Permanent disabling of RFID functionality ===
=== Permanent disabling of RFID functionality ===
RFID functionality can be disabled permanently by cutting internal wires; use of a [[microwave oven]] has also been reported successful, according to informal reports<ref>{{Cite web|url=https://www.instructables.com/id/How-to-Disable-Contactless-Payment-on-Your-Debit-C/|title=How to Disable 'Contactless Payment' on Your Debit Card|last=NTT|date=2013-09-15|work=instructables circuits|access-date=2020-02-10|language=en-GB}}</ref>. Cutting requires location of the internal wires, followed by cutting, drilling, or heating. Methods that visibly damage the card may lead to it being rejected as a payment method when presented to a retailer in the normal way.
According to informal reports, RFID functionality can be disabled permanently by cutting internal wires and the use of a [[microwave oven]] has also been reported successful.<ref>{{Cite web|url=https://www.instructables.com/id/How-to-Disable-Contactless-Payment-on-Your-Debit-C/|title=How to Disable 'Contactless Payment' on Your Debit Card|last=NTT|date=2013-09-15|work=instructables circuits|access-date=2020-02-10|language=en-GB}}</ref> Cutting requires location of the internal wires, followed by cutting, drilling, or heating. Methods that visibly damage the card may lead to it being rejected as a payment method when presented to a retailer in the normal way.


=== RFID Blocking materials ===
=== RFID-blocking materials ===
There are several products you can buy which help stop your cards being skimmed. There are RFID blocking wallets, purses, sleeves, and cards. Wallets, purses and sleeves work by acting as a Faraday cage which creates a screen around your cards which stops electromagnetic fields interacting with the cards. The RFID blocking [https://www.skimsafe.co.uk cards] are the same shape and size as a regular credit card and is placed together with the cards it should protect. It contains a jamming device that is activated automatically when someone tries to scan the payment cards in its proximity<ref>{{Cite web|url=https://www.youtube.com/watch?v=x30MUdu6ATk|title=How SkimSafe Protects Your Identity and Card Details|date=2015-08-16|website=YouTube|language=en-US|access-date=2020-02-10}}</ref>.
There are RFID-blocking wallets, purses, sleeves, and cards. Wallets, purses, and sleeves work by acting as a [[Faraday cage]] that creates a screen around contactless cards, which stops electromagnetic fields interacting with the cards.<ref>{{cite web |last1=Miczulski |first1=Matt |title=What is RFID Blocking (and Why You Don't Really Need It) |url=https://financebuzz.com/what-is-rfid-blocking |website=FinanceBuzz |language=en |date=7 November 2019}}</ref>

=== RFID-blocking cards ===
An RFID blocking card is an RFID-blocking device that operates without a battery by receiving the RFID signal from a card reader or skimmer and it scrambles the RFID signal making it unreadable by any device. Most RFID wallets try to stop the electromagnetic fields interacting with RFID cards whereas RFID Blocking cards use "active jamming technology" to interrupt the communication.<ref>{{cite web |last1=Kingsley-Hughes |first1=Adrian |title=Testing RFID blocking cards: Do they work? Do you need one?) |url=https://www.zdnet.com/article/do-rfid-blocking-cards-actually-work-my-flipper-zero-revealed-the-truth/ |website=ZDNET |language=en |date=20 February 2023}}</ref>


== References ==
== References ==
{{Reflist}}
{{Reflist}}

[[Category:Contactless smart cards]]
[[Category:Contactless smart cards]]
[[Category:Identity theft]]
[[Category:Identity theft]]

Latest revision as of 12:57, 24 October 2024

RFID skimming is a method to unlawfully obtain someone's payment card information using a RFID reading device.

How RFID skimming is performed

[edit]

Modern payment cards have a built in chip that transmits card information wirelessly. This is because it is necessary in order to enable contactless payments, which has become increasingly popular during recent years.[1] Criminals can take advantage of this new technology by using a scanner that wirelessly scans the victim's payment card in the same way that a cash register scans it, when making a contactless payment. These scanners are legal and can be bought in regular electronics stores.

Most modern mobile telephones running Android OS have a built in NFC reader that can be used to unlawfully scan contactless payment cards. A criminal can hide the scanner e.g. inside a glove or a bag, and then place it close to the victim and wirelessly steal the victim's payment card information.[2]

With the wirelessly obtained payment card information, the criminal can use it to make fraudulent purchases online.[citation needed] This is called card-not-present fraud.

Methods similar to RFID payment card skimming may also be used for copying other RFID-based proximity cards, such as those used for keycard locks. 125 kHz RFID and other systems relying on a unique identifier number (UID) are vulnerable to this.[3][4]

Incidence

[edit]

Card-not-present fraud increased rapidly between 2012 and 2016.[5] In the United Kingdom an increase could be seen in card not present fraud - from 750,200 reported cases in 2012, to 1,437,832 reported cases in 2016.[6] However, there are no statistics available regarding RFID skimming, as it is difficult to determine the method of card fraud.[7]

RFID skimming compared to other types of skimming

[edit]

In contrast to other types of skimming such as ATM skimming or hacking an online merchant web page, RFID skimming requires little or no technical expertise. In order to execute ATM skimming, the criminal needs to custom build a device, then place that device inside an ATM and later pick up the device after the victims have used it. Hacking online merchant web pages requires substantial computer knowledge.[citation needed]

Methods for preventing RFID skimming

[edit]

Metal foil

[edit]

Shielding is possible by wrapping the payment card in aluminum foil. However aluminium foil tends to wear out quickly. Informal tests found that the shielding effect was not 100% effective, although the foil did very much reduce the maximum range for reading, from about 1.5 feet (50 cm) to 1–2 inches (3–5 cm).[8]

Permanent disabling of RFID functionality

[edit]

According to informal reports, RFID functionality can be disabled permanently by cutting internal wires and the use of a microwave oven has also been reported successful.[9] Cutting requires location of the internal wires, followed by cutting, drilling, or heating. Methods that visibly damage the card may lead to it being rejected as a payment method when presented to a retailer in the normal way.

RFID-blocking materials

[edit]

There are RFID-blocking wallets, purses, sleeves, and cards. Wallets, purses, and sleeves work by acting as a Faraday cage that creates a screen around contactless cards, which stops electromagnetic fields interacting with the cards.[10]

RFID-blocking cards

[edit]

An RFID blocking card is an RFID-blocking device that operates without a battery by receiving the RFID signal from a card reader or skimmer and it scrambles the RFID signal making it unreadable by any device. Most RFID wallets try to stop the electromagnetic fields interacting with RFID cards whereas RFID Blocking cards use "active jamming technology" to interrupt the communication.[11]

References

[edit]
  1. ^ "1 billion Visa contactless purchases made in last year". www.visaeurope.com. Retrieved 2019-01-06.
  2. ^ Bachelor, Lisa (2015-07-23). "Contactless card fraud is too easy, says Which?". The Guardian. ISSN 0261-3077. Retrieved 2019-01-06.
  3. ^ Maxsenti, Mike (23 May 2017). "How to Clone an RFID Key Card for Less Than $11 – And How to Defend Against It". Genea.
  4. ^ Mehl, Bernhard. "Step-by-Step: How to Copy RFID and NFC Access Cards & Key Fobs". www.getkisi.com.
  5. ^ PYMNTS (2017-01-18). "Card-Not-Present Fraud Picking Up In U.S." PYMNTS.com. Retrieved 2019-01-06.
  6. ^ "Financial Fraud Action UK - Fraud the Facts". www.financialfraudaction.org.uk. Retrieved 2019-01-06.
  7. ^ "What is RFID Blocking (and Why You Don't Really Need It)". FinanceBuzz. November 7, 2019.
  8. ^ "Aluminum Foil Does Not Stop RFID". Omniscience is Bliss.
  9. ^ NTT (2013-09-15). "How to Disable 'Contactless Payment' on Your Debit Card". instructables circuits. Retrieved 2020-02-10.
  10. ^ Miczulski, Matt (7 November 2019). "What is RFID Blocking (and Why You Don't Really Need It)". FinanceBuzz.
  11. ^ Kingsley-Hughes, Adrian (20 February 2023). "Testing RFID blocking cards: Do they work? Do you need one?)". ZDNET.