The pandemic is giving a substantial boost to all things touchless. So, contactless credit cards, already gaining favor, seem poised to become ubiquitous. They account for more than half of transactions in Australia and several other countries and are quickly becoming the default as new cards are rolled out in the US. All newly issued Bank of America credit cards are contactless-enabled and “most American Express products have contactless technology,” the company says.
But Are They Safe?
RFID-enabled credit cards—you can usually tell them by a sideways Wi-Fi icon imprint—are read by RF-capable payment terminals. Wave them in front of the reader or tap it and you’re on your way. But the security threat from an airborne information transfer is obvious—any in-range reader, not just a legitimate payment terminal, could capture the same information.
And so, as production of RFID cards began in earnest in the early part of the decade, scary headlines followed. Like NBC New York’s 2011 piece, “New Technology Can Steal Credit Card Info Right Out of Your Wallet.” In proof-of-concept experiments, researchers demonstrated how it could be done. A wave of digital pickpockets would hit the streets, some warned. And a new marketplace was born.
RFID-blocking technologies have become big business. There are protective backpacks, wallets, sleeves, and shield cards. You can purchase shirts and jeans with RFID-blocking pockets built in. Criminals can buy readers for less than $100.
Much Ado About Nothing?
You can read accounts of information being stolen from RFID credit cards in scientific journals but not in police reports. It’s just not a thing, say most experts, including Eva Velasquez, CEO and President of the Identity Theft Resource Center (ITRC).
The supposed threat is that information an individual skims can then be used to steal the victim’s identity or conduct fraudulent transactions using their details. But Velasquez says there is just no data to suggest that the theoretical risk is a real-world problem. In a recent ITRC blog, “Do I Need RIFD Protection?”, the organization says, “while hacking of RFID items is certainly within the realm of possibility, it’s just not a viable threat, especially not in comparison to other behaviors that can leave you at risk.”
Indeed, many fraud analysts and criminologists are on record as saying that trying to lift information from RFID credit cards would be a hugely difficult and tedious endeavor compared to the ease with which someone can cheaply procure a trove of credit card information on the Dark Web.
The ITRC says there is nothing wrong with using a RFID-blocking wallet if it provides some extra peace of mind, but warns that it shouldn’t take people’s minds off the important security precautions they really need to take, like reviewing credit reports regularly and protecting online accounts with strong, unique passwords.
Enhanced Security Features
Contactless cards today still have a computer chip and a tiny antenna and broadcast information through the air to be picked up by a contactless reader, but security enhancements make them fraud resistant, say analysts. The card chip in today’s contactless credit cards transmit your account number and an encrypted one-time code to complete each transaction when you “tap” to pay—and doesn’t send your name, billing address, or the three-digit code needed for online transactions.
So, experts point out, even if someone were to successfully use a surreptitious reader, which would need to be within inches to sniff your payment information out of thin air, they would need to crack the bank’s complex algorithm to generate a new one-time code to complete another contactless payment. Contactless payment options like Apple Pay and Android Pay use near-field communication (NFC), a version of RFID, and since they require further authentication from the user, are even more secure, say analysts.
A more realistic and likely event is that a thief will get their hands on a contactless credit card. And, without a PIN or signature required for use, it would be easy for someone with physical possession of a card to use it at a tap-to-pay terminal. Consequently, some card companies limit the amount of a purchase when conducted via contactless payment—although, in the time of COVID, these limits have often been raised or waived.
This article was originally published in 2018, and updated in 2022.