A new technology in millions of credit cards is making it easier, faster and more convenient for us to make purchases without having to swipe or sign. It's also making it easier for thieves to steal your personal information without ever touching your wallet.
This new technology is called Radio Frequency Identification or R.F.I.D. It's a chip that communicates using radio waves, similar to the way we get through the Sun Pass lanes and the badge used to get into a secure building. Now, this chip is located inside credit and debit cards with the logo pictured.
"As a criminal what you can do is walk by someone if you have an R.F.I.D. reader and you can scan the data that's in there," said Detective Ricardo Arias with the Miami Electronic Crime Task Force with the Secret Service.
That R.F.I.D. reader can be purchased online for as little as $20, along with hacking software that breaks the incription on the credit cards, which is how thieves are able to retrieve your information.
Credit and debit cards are not the only items embedded with an R.F.I.D. chip. U.S. passports issued after 2006 also contain the chip.
Florida International University Engineering Professor Faisal Kaleen showed NBC Miami how easy it was to scan passports with an R.F.I.D. reader and software. Within minutes our passport information was up on his computer screen. Faisal said with technology these days, the information could be emailed around the world within minutes and could possibly fall into the wrong hands.
"Nowaday, all these terrorists," said Kaleen, "I mean do you think they travel with their real identity over there? No."
There are ways to protect yourself. Identity Stronghold and D.I.F.R. Wear are companies that sell R.F.I.D. protective wallets, card cases and passport sleeves. They claim these items will protect thieves from retrieving your personal information.
Local
We have also posted below four major credit card companies responses to the R.F.I.D. technology:
Expresspay will not reveal your personally identifiable information such as name, address, or other types of information typically required for identity theft, or Card Account Number. expresspay uses encrypted and unique codes for each transaction. As with all American Express products, Cardmembers are not responsible for any fraudulent/ unauthorized charges on their Cards. For security reasons, we do not provide details about our anti-fraud safeguards or procedures. Also, regarding your questions about educating our cardmembers about RFID, information about expresspay is included in the materials cardmembers receive with their card. There is also information online about their card and its features.We have a FAQ pages on our site. (click here to view page)
This page can be found if someone went to americanexpress.com and typed in "expresspay security" into the search field, bringing up the FAQ menu on expresspay.
Visa
"Visa payWave is Visa's contactless payment technology. It facilitates fast and convenient transactions at the point of sale and eliminates the requirement for a consumer to make physical contact with the terminal when making a purchase (therefore "contactless"). Consumers simply hold the card or phone in front of the contactless terminal in order to pay.
"Ensuring payment security is one of Visa's highest priorities and Visa payWave enabled payment cards and mobile devices are no exception. Visa payWave cards are as secure as traditional cards and meet all the same standards for security and more.
"Because information travels from card to terminal without any contact, there is a remote risk that data can be intercepted. However, we have built in multiple layers of security for every Visa transaction that helps protect against fraud using stolen information.
"Below are just a few examples of security measures working behind the scenes to prevent fraud:
· Visa payWave cards use advanced cryptographic security where every transaction includes a unique dynamic code, which changes with each transaction.
· Visa payWave cards do not transmit the cardholder's name during a transaction, providing greater privacy than even traditional card payments. Intercepting a Visa payWave transaction results in less sensitive information than when handing a card over to a clerk. Neither the cardholder name nor the three-digit security code on the back of the card are available when the card is read via a contactless reader.
· To protect against fraudulent eCommerce or telephone transactions, merchants use secondary security measures such as asking for the three-digit code imprinted on the back of the card, verifying the billing address associated with account, or an extra layer of password protection such as Verified by Visa. None of this information can be read electronically from the card.
· Some eCommerce merchants also use risk scoring services that are specialized for the online channel, such as those offered by CyberSource, a Visa company. For example, CyberSource can analyze if the cardholder is attempting an online purchase from a computer generally located near the billing address or from a country far away to help detect potential fraud.
· All transactions processed by Visa's global processing network, VisaNet, are analyzed in real-time and scored for its fraud potential. Visa is able to use a comprehensive view of the global payments system to identify fraud patterns and detect suspicious transactions right at the check-out.
"Such advanced capabilities and the multiple layers of security that protect every Visa transaction have helped keep Visa's global fraud rates near historic lows - fewer than 6 pennies for every $100 transacted. In fact, there have been no reports of fraud perpetrated by surreptitiously reading Visa payWave cards.
"Further, Visa payWave cardholders are protected by Visa's zero liability policy, which protects all Visa cardholders from unauthorized purchases. As always, we recommend cardholders check their statements regularly and report any suspicious activity to their issuers."
Discover
Discover issues contactless cards. Unlike RFID, which can operate at ranges up to 25 feet, contactless payment devices are designed with RF enabled technology that operates at very short ranges -- less than 2-4 inches -- so that the consumer needs to make a deliberate effort to initiate the payment transaction.
For contactless payments, Discover uses added security technology both on the contactless device as well as in the processing network and system to prevent fraud, and with Discover's 0% fraud liability, Discover cardholders have the added protection of never being held liable for any fraudulent activity on their cards. The Discover Zip contactless card has a unique security feature in that the verification code changes each time you use it -- so that any skimmed data could not be reused.
For more information on the security of contactless cards, you may want to refer your viewers to the Smart Card Alliance website at: (click here to view page)
MasterCard PayPass cards and devices are as secure as paying with traditional MasterCard cards that have magnetic stripe technology. In fact, many consumers claim that they feel more secure with PayPass because they never have to turn the card over to a cashier and it never leaves their hand.
In response to the claims that you're hearing that a person could use a reader to capture someone's account number and expiration date, I think it's important to point out that they can't do anything with that data.
You can't make an Internet or phone purchase, since the merchant should ask for CVC (card verification code) 2 data - the 3 digit code on the back, or zip code verification - to complete any purchase.
You can't create a phony mag stripe card without CVC1 data in the mag. stripe
You can't create a phony PayPass card without the key that is used to create a dynamic CVC3, which is held securely in the PayPass chip
We mandate the use of CVC3 in the chip, which makes it nearly impossible to duplicate a card or "replay" transactions" - because a code that accompanies an authorization request changes every time an authorization request is made. I've attached a fact sheet that goes into more detail, but this is a key point. For every transaction made with a PayPass card, there is a discreet authentication code that changes after each transaction. Without the proper code the transaction will not be authorized. The attached sheet will explain how the code is generated and what security measures are in place that make it so secure.
Lastly, MasterCard cardholders in North America enjoy the protection of the MasterCard Zero Liability policy, knowing that if their card was ever compromised, they are, as with all MasterCard payment programs, not responsible for unauthorized transactions on their accounts.