As wireless payment transactions grow in popularity, so, too, does the shadow of the electronic pickpocket. These "e-dips" can putatively snatch credit card information from unwary consumers just by being in close proximity.
How much of that scenario is probable and how much paranoia?
"I wouldn't say it's never been done or it's impossible, but right now it's an academic exercise at best," said Sean Brady, identity and data protection director at RSA, in Bedford, Mass. RSA is the security division of EMC.
With existing technology, nicking information from a smart payment card requires more effort than most petty thieves are willing to make, according to Brady. "The level of investment and will to do it -- compared to other forms of attack, which are much easier -- is low right now," he said.
Moreover, a smart card attack is more likely to focus on the device that reads the card than the card itself. That can be done with a device similar to an ATM skimmer.
An ATM skimmer is placed over the card reading slot in an ATM and is made to look as if it's part of the device. When a bank card is used, the skimmer captures the account number and a built-in camera captures the PIN associated with the card as it's entered into the ATM.
"With that information, fraudsters can create fake debit cards," Brady said.
A phony point-of-sale terminal attack is more likely to work on a mobile payment than a smart card, he noted.
Many mobile payments use a wireless technology called NFC, or Near Field Communication. Smart cards use RFID, or Radio Frequency Identification, for wireless communication.
Because RFID is "always on," some payment experts say it's more vulnerable to attack than NFC, which can be turned off in a phone. That's not necessarily the case, according to Brady.
"A smart card is nearly impossible to attack because it has a chip on it that's creating a cryptographic assertion that is extremely difficult to hack or compromise," he said.
That means that when a smart card is used in a wireless transaction, its chip transfers, in addition to an account number and expiration date, a unique security code randomly generated for each transaction.
"If a card number and security code were copied and reused, the transaction would be rejected as a duplicate," Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J., said. "All smart cards have dynamic data as a means of providing an additional layer of security compared to non-smart cards."
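A simplified model of the per-transaction code and the duplicate rejection described above, as an added example that is not from the article or from any payment network's specification. The HMAC-and-counter derivation, the 6-digit code length, and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac

def dynamic_code(card_key, pan, expiry, counter):
    """Card side: derive a 6-digit one-time code from a per-card secret and a counter."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Issuer:
    """Issuer side: holds each card's secret and the highest counter already accepted."""
    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, pan, card_key):
        self.keys[pan] = card_key
        self.last_counter[pan] = 0

    def authorize(self, pan, expiry, counter, code):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE_UNKNOWN_CARD"
        # A counter that was already consumed means the data was seen before.
        if counter <= self.last_counter[pan]:
            return "DECLINE_DUPLICATE"
        expected = dynamic_code(key, pan, expiry, counter)
        # Constant-time comparison; a wrong code must not advance the counter.
        if not hmac.compare_digest(expected, code):
            return "DECLINE_BAD_CODE"
        self.last_counter[pan] = counter
        return "APPROVE"

def demo():
    key = b"constructed-demo-key"            # constructed, not a real card key
    pan, exp = "4000000000000002", "12/30"   # constructed test values
    issuer = Issuer()
    issuer.enroll(pan, key)
    tap = (pan, exp, 1, dynamic_code(key, pan, exp, 1))  # data sent by one tap
    first = issuer.authorize(*tap)
    replay = issuer.authorize(*tap)          # same data presented a second time
    good = dynamic_code(key, pan, exp, 2)
    wrong = good[:-1] + ("1" if good[-1] == "0" else "0")
    mismatch = issuer.authorize(pan, exp, 2, wrong)
    second = issuer.authorize(pan, exp, 2, good)
    return [first, replay, mismatch, second]

if __name__ == "__main__":
    print(demo())
```

The card number and expiration date stay the same across taps; only the counter-bound code changes, which is why a copied set of values is declined on its second use.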
If electronic pickpockets exist, they don't appear to have shown up in the fraud reporting system yet.