The truth about RFID credit card fraud

Despite demonstrations to show it's possible, documented cases of RFID credit card fraud are unknown. And as security professionals know, there is a huge gulf between potential crime and actual crime.

Credit: stebepb

I’ve written before the non-existence of RFID credit card crime, a least as promoted by all the vendors selling anti-RFID shielding products. I’m one of the few voices consistently saying that buying RFID-blocking wallets, sleeves and the like is a waste of time and money. I’ve frequently said that I can’t find a single documented case of RFID credit card crime. Each time I write about this, I get tons of angry email from vendors of these products as well as people who “just know” that they have been victims of RFID credit card crime.

The “victims” who write me always talk about a mysterious man, acting strangely, who walked by with a visible device, which they strongly believed to be an RFID reader, and shortly thereafter their credit card has a fraudulent charge on it. I always reply that a “feeling” that RFID fraud happened isn’t evidence of an actual crime, and that I still, after years of searching, haven’t find a single law enforcement authority or document showing evidence of RFID credit card crime.

The latest batch of emails contained two better “proofs” of RFID crime that I hadn’t addressed before.

RFID car crime evidence

Proof number one was a video of thieves stealing a Mercedes-Benz. Although the video doesn’t show any evidence of the theft or how it happened, the accompanying or referenced news stories do claim the car was stolen wirelessly. Many Mercedes-Benz models use RFID wireless technology, which theoretically could be used to steal the car.

I reached out to Mercedes-Benz several times to confirm whether or not the type of RFID crime purported in the video happened or could have happened, but after multiple queries over two weeks, they have not responded. I also could not find any law enforcement resource to talk to me about that particular crime or any possible other RFID car-related crime.

With that said, I believe that it is possible for RFID car-related crime to have occurred. In the past, most car manufacturers didn’t use good security development lifecycle (SDL) programming practices. I know that many car operating systems and wireless starting systems were full of security bugs. Although I don’t know of the details of the car crime in the video or other purported wireless car crime, I know enough that I believe that RFID car crime has most likely occurred.

I have to believe that any car manufacturer using any critical wireless signal today is now practicing SDL and protecting wireless signals from interception and forgery. I know many of the world’s smartest ethical hackers who now work for car-related companies, and who are part of teams whose jobs it is to prevent digital-related crime in their employer’s products. RFID car crime might be possible with older models, but I think the easy “replay” crimes being reported today are soon to be a thing of the past if they aren’t already.

U.K. report on contactless fraud

Another alert reader sent me a link to an official U.K. government finance report that claims there is a very small percentage of RFID credit card (i.e., contactless card) crime occurring in the real world. On RFID-related crime it states:

“Contactless fraud covers incidents on both contactless cards and mobile devices. Fraud on contactless cards and devices remains low with £6.9 million of losses during 2016, compared to spending of £25.2 billion over the same period. This is equivalent to 2.7p in every £100 spent using contactless technology and is a decrease on the 2015 figure of 3.6p in every £100. Fraud on contactless cards and devices represents just 1.1 per cent of overall card fraud.”

On its face, this seems to be pretty compelling evidence of RFID credit card fraud. Still, after searching over many days, I could not find a single instance of real-world (i.e., not a security researcher’s demonstration or claim) of RFID credit card fraud.

This is a very, very important point. There is a huge gulf between potential crime and actual crime. In the computer world, 5,000 to 7,000 unique vulnerabilities are publicly announced each year on average, and perhaps a few hundred of them are actually used to compromise a computer. If you’re a defender, you need to worry the most about the stuff that is actually being exploited and not so much about every possibility — especially if that potential crime has never been reported as a real crime.

The UK report seemed to suggest that somehow I had missed public data on the claimed £6.9 million of contactless fraud. I decided that I was going to hunt down that data, once and for all, and find out if RFID credit card crime was real. I contacted nearly a dozen organizations connected to RFID credit card security including VISA, Mastercard and the Secure Technology Alliance. I even contacted the creators of the UK report referenced above, which got me in touch with the UK Finance division.

I asked everyone two questions:

  • Is it possible to commit RFID contactless credit card fraud involving a scenario where a remote thief wirelessly reads information from a victim’s RFID card and then successfully commits fraud using that information?
  • Is there a single example of RFID contactless credit card crime committed in the real world, involving that same scenario where RFID shielding might have prevented it?

Starting with the creators of the UK report, since it specifically talked about contactless credit card crime, I asked how much of the reported £6.9 million of contactless fraud was contactless credit cards versus mobile devices? Sadly, they were never able to provide an answer, although everyone I talked to felt that mobile device fraud and other scenarios that did not involve a remote thief with an RFID reader were far more likely.

The reason the UK Finance division could not tell me is that UK merchants aren’t required to report contactless card crime apart from contactless mobile device crime. The UK Finance department does not have the data to split the amount. Further, all my attempts to contact merchants who reported fraud crime to the UK government were not successful.

So, I do not know how much of the £6.9 million of contactless fraud was contactless cards versus mobile devices, or whether RFID shielding might have helped. I could not find any public evidence of a single RFID contactless real-world crime being committed, and the most knowledgeable officials I spoke with off the record did not think there would be any matching the fraud scenario I was seeking.

Maeve Dunne, an analyst with UK Finance trade association, replied to my questions saying this, “Waving a card reader about in the street or on a train couldn’t take a payment from passers-by and there’s never been any verified report of this ever happening in the UK.” Dunne’s statement doesn’t rule out this happening in other related RFID scenarios or other countries, but I think the answer has to be that RFID credit card crime preventable by shielding is very rare and may be non-existent.

When I asked several contactless credit card security experts about their opinion of whether fraud could be committed using my proposed criminal scenario, they all said, “No!”. They said it was technologically impossible and some even accused me of being with RFID vendors who are trying to sell RFID shielding products. I chuckled, because I’m constantly attacked by those vendors for dismissing their products.

Why RFID credit card crime is (and isn’t) impossible

Even though they said that contactless credit card crime in the fraud scenario I proposed was impossible, I pushed back for an explanation as to why. The information that is transmitted wirelessly from an RFID card is very limited and doesn’t contain enough information for a merchant (or device or service) following its license agreement to allow fraud to be committed. That’s not a simple statement, so let me explain more.

To believe that RFID credit card crime is occurring, you have to ignore that RFID readers can read RFID information from many tens of yards away only in perfect conditions. The real-world conditions of multiple cards in someone’s wallet or purse, blocked by other cards and material and surrounded by all sorts of other metal objects (e.g., keys or coins), all contribute to RFID cards being hard to read at distance. In fact, when used at a merchant with normal readers, RFID cards must be within a few centimeters to work. You often can’t even keep it inside a wallet and have the signal reach the merchant reader.

Let’s assume the criminal mastermind has the best RFID reader and the victim is alone and is basically holding their card out in front of them so the reader has a clear shot for RFID eavesdropping. Let’s assume the criminal can actually get all the information available from a wireless read.

Most RFID credit cards will only readily transmit the credit card number and expiration date if read by a wireless RFID reader. The attacker will not get the person’s name, security code, or the address attached to the credit card. This effectively prevents the information from being used on nearly any online vendor’s website. Have you ever been able to use a credit card online without providing your correct name, security code, or address, much less missing all three? Not me. So reusing the stolen wireless information is almost worthless.

Can’t the wireless thief just take the captured information, make a fake RFID credit card, and re-use it in-person at stores just like the legitimate card is used? For in-person transactions, the merchant doesn’t care what your name is or ask for your security code or address. You just wave the card over the reader and it transmits the same information as was sent in our theoretical thief situation. Or is there some information sent by the RFID card in a legitimate merchant transaction that a wireless thief reader cannot easily steal? The answer to the last question is “Yes.”

If an RFID thief has an RFID reader, it only gets two pieces of critical information: the credit card number and expiration date. In order for a valid transaction to occur, the merchant’s RFID device has to transmit authorizing information, which then causes the card to respond with a character-based authenticating code (part of what is called the datagram) that can only be successfully requested and responded to when using a previously validated merchant device. A remote RFID thief cannot recreate a valid datagram with a simple reader device. The missing component is created by pairing the RFID card and a legitimate merchant device.

Can’t the thief use a valid merchant device?

That begs the question, instead of the RFID thief using a simple RFID reader, can’t they use a legitimate merchant RFID transaction device? Yes, but you’d have to ignore a bunch of important factors, including the previous assumption of how close the thief would have to be to the card. Remember, merchant readers are only good for a few centimeters. Let’s assume that the thief is either very close to the victim’s card or has the capability to do a long read (maybe a specialized criminal device).

Merchant machines have identifying numbers. If the thief successfully got the victim’s card to participate in a bogus transaction, the card holder would eventually report the fraudulent transaction to their card vendor, who would be able to identify the merchant device involved. Not just anyone can buy and use a merchant device. They have to apply for one. Documents need to be reviewed and signed, and the merchant has to have an existing, trusted validated bank account involved, for conducting transactions.

Further, for related security reasons, RFID transactions are limited to fairly small amounts, maybe $20 to $50 or so depending on the credit card network. The RFID criminal would have to go through the expense of getting a legitimate merchant device (that costs money by itself) and supply a valid bank account that the credit card vendor can easily reverse charges to. After committing just a few rogue, cheap transactions, the thief would be cut off using that machine if not their entire merchant account.

RFID credit card crime either can’t be done or not much of it can be done before the mastermind’s crime spree was over. Let’s not forget that the criminal can buy regular credit card information to steal thousands of dollars with far less risk over a longer period of time for a few bucks per card. This is another reason why RFID credit card crime is nearly impossible, and even more so, not very profitable for the risk. It’s very unlikely to be done even if it could be done.

Ah, but RFID crime has been successfully demonstrated

I came across an older internet story on RFID contactless credit card crime. In 2015, security researchers were able to wirelessly steal RFID credit card information (e.g., account numbers and expiration dates) from closely held, unobstructed cards and re-use them to buy large dollar value goods from online vendors.

It’s proof that it can be done, sort of. It requires that an online vendor violate their merchant agreement and not do basic anti-fraud validation (by requiring a valid name, address, and security code). The vendors not performing the correct validation have the reported fraud taken out of their own bank accounts. I’ve got to think those online vendors are either unscrupulous and intending to be used as a criminal fence or they won’t be in business very long when the credit card merchants trace back the fraudulent transactions to their poor validation checking.

Still, this is not evidence of a real-world crime. 

RFID credit card crime is only possible when...

To worry about RFID credit card crime, you have to assume incredible remote RFID reader ability in real-world situations and online vendors with literally no basic credit card validation, or criminals who want to buy legitimate merchant devices and go through the lengthy authorization process, and provide a real bank account, to capture a few low-dollar transactions before they are cut off.

As Randy Vanderhoof, executive director of the Secure Technology Alliance and director of the U.S. Payments Forum wrote me, “Consumers should listen to their trusted financial institutions, the banks, and payments brands and believe them when they tell their customers that contactless payments cards are secure.”

Even if we assume that all £6.9 million of 2016 RFID crime reported in the UK Finance report was committed by credit cards and not mobile devices, it means RFID crime is still, at best 1.1 percent of overall credit card fraud, and it’s falling. If you are worried about a potential 1.1 percent crime rate while also using non-RFID credit cards which are responsible for 98.9 percent of credit card fraud, aren’t you focusing on the wrong threat? Why use any credit card? As far as I can tell, if you are worried about credit card fraud, you’d be about 90 times safer (and getting safer) to only use RFID credit cards. You shouldn’t run away from or even worry about RFID credit cards, you should embrace them.

Show Comments