Credit Card Hack Exposes Millions
By: Mike Tuttle - January 31, 2012
In the race to sign up more and more customers, credit card companies have been promoting the idea that it is more convenient and less socially awkward to swipe a credit card than to pull out cash or write a check. Who wants to feel the burning embarrassment in the checkout line as you bring everything to a screeching halt to write a check or pay with cash?
And now, swiping is on the way out thanks to RFID (radio-frequency identification). Rather than assign you a plastic card with a magnetic stripe, credit card companies are moving toward chips programmed with your relevant information. Have a credit card that says “PayPass” on it? Then you have RFID.
RFID is not new. I once worked a security job where I was assigned an ID card that I passed in front of a scanner at every door I entered. The chip in the card was passive, but got its power from the scanner itself when placed near it. Many of us guards learned that we did not even have to pull our cards out of our wallets, but could simply wave the entire wallet in front of the scanner.
And, you can see where this is going.
In the old days (i.e. now), credit card thieves might work at a ritzy restaurant for a bit, harvesting card info with a mag stripe reader they could hide in their vest. Trouble with that was that all those cards had one thing in common: they were all used at that restaurant. On the thief’s shift. At his tables. Arrest was quick.
For about $300, you can purchase a cordless RFID scanning device online. It does have to be pretty close to, but not in contact with, a chip in order to power it and read it.
So, imagine: You get into a crowd, start bumping into people’s purses, back pockets, collecting card info with your scanner. Maybe on the subway, where everyone is headed to somewhere else. Your victim base is decentralized. That’s the first step.
Then, you transfer the card info to a cheap mag stripe card. You can buy them in bulk for 30 cents apiece. Hotels and department stores use them all the time. The equipment to do it will set you back another $350. That done, you now have a clone of that person’s credit card.
From there, it’s all up to what manner of crook you want to be. Sell those card clones for $50 each? For a night on the town, that beats Groupon deals. Hook up with the right gangs in a city or overseas buyers online and you could move many of those at a time.
Or, you could swipe them yourself with smartphone accessories straight into an account. Given the right bank, that could work. Fold them into a grander money-laundering scheme?
What if you paid runners a buck apiece to wander subways, concert halls, and other thickly populated areas with your readers tucked away?
Let’s do the math on one simple scenario that does not involve any cohorts, just willing buyers you meet online and $700 in readily-available equipment. Scan 100 RFID chips per day (easy in crowded areas) and you can recoup that investment in your first day’s “work”. After that, $30 worth of blank cards per day nets you $5,000 from your buyers. $25,000 per 5-day work week. Take a couple weeks vacation each year, like normal folk. Clear $1,250,000 your first year grinding.
Beats a job. Beats selling drugs. Do it all yourself out of an apartment.
If you’re crooked.
All this is possible because credit card companies want you to be embarrassed to pay with cash or check. Their commercials show you inconveniencing people in line behind you, then tell you their products are for *your* convenience. They make it easy to swipe, easy to lose track of your spending. Credit and overdraft fees rack up when you are out of touch with your spending.
And now, they make it easier than ever for thieves to steal your money by taking the card-in-my-hands factor out of the equation. Your info is now broadcast, albeit over a short distance.
Pickpocketing was never easier.
Doubt this all would work? It already has.