A few weeks ago at a security conference, a demonstration proved how easily the number of a credit card with RFID (Radio Frequency IDentification) technology could be stolen from across a room without touching the actual card:
[Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (Continue reading: Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets).
How do you know if your credit or debit card is using RFID? A common sign is when the card says “Paypass,” “Blink,” or has a wireless signal icon on the back.
What can you do to prevent your credit card from being read wirelessly? Here are a few options:
- Carry only cards that do not have this RFID technology. You can talk to your bank or card issuer to ask for one without RFID.
- Leave your important credit cards (such as those you use to pay bills online) safe at home, so that if your card number is stolen, you’ll have less hassle to deal with adjusting recurring payments.
- Get an RFID-blocking sleeve or wallet (available for purchase on Amazon). This will come in especially handy when traveling. You can achieve similar protection by wrapping your cards in foil, but this isn’t a very convenient solution for most people.
Note: Passports are vulnerable to this exploit as well, at least passports that use RFID technology.
Here’s a news clip from last year where a similar device was used to demonstrate stealing a credit/debit card number from a victim, transferring the card information to a hotel room key, and then using the key to make a purchase with no questions asked:
Microsoft, Facebook, Google, PayPal and many other large online companies have officially announced that they are teaming up and collectively advocating a new standard in technology to help fight phishing spam. This is great news for everyone because it’s not just about detection; it’s about stopping spam before it can ever reach your spam folder. While it certainly won’t kill the giant beast that is spam, it could definitely deal a devastating blow to the spammers who are forging email signatures and inserting false company logos into their bogus emails. The technology is called DMARC, or “Domain-based Message Authentication, Reporting & Conformance.” You can read more about the specifics on DMARC.org.
Although DMARC may lower the amount of spam, it’s still just as important to stay on your guard when checking messages. Here are some tips to recognize these “fishy” tactics:
- Think twice. Do you really need to update your account information now? Is it really an emergency? Would your bank really close your account over this?
- Read again. Even though it has the official logo of your account, are there any design flaws? Does it contain bad spelling or poor grammar?
- Verify the addresses. Did the email originate from the right company? Was the email sent to your secondary email account that your bank doesn’t even know exists? Is the link they want you to visit just a numeric IP address?
- Check the company’s website. There should be an official statement from the company. Contact the company yourself by opening a new browser window and manually typing in the official website address (do not click on any links inside a suspicious message).
Be suspicious; your bank account and your identity depend on it. For additional information, check with the FTC.
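The “verify the addresses” tip and the DMARC result can also be checked automatically. The following Python sketch is an added example, not code from DMARC.org or any of the companies named above; it assumes your own mail server stamps its DMARC verdict into an Authentication-Results header, and the sample message, addresses and function names are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real email); example.com and 203.0.113.7 are documentation-only values.
SAMPLE = """\
From: "Example Bank" <alerts@example.com>
Authentication-Results: mx.example.net; dmarc=fail header.from=example.com
Content-Type: text/html

<p>Act now: <a href="http://203.0.113.7/login">https://www.example.com/login</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_host(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def phishing_signals(raw):
    msg = message_from_string(raw)
    # Assumption: this header was added by your own mail server, not by the sender.
    auth = msg.get("Authentication-Results", "").lower()
    signals = [] if "dmarc=pass" in auth else ["no DMARC pass recorded"]
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = (urlsplit(text).hostname or "").lower()
        if is_ip_host(host):
            signals.append(f"link goes to bare IP address {host}")
        if shown and shown != host:
            signals.append(f"link text shows {shown} but goes to {host}")
    return signals
```

An empty list means none of these three signs were found; it does not mean the message is safe.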
The five claims:
- Creating energy and electricity: People power will come to life
- Security: You will never need a password again
- Mind reading: No longer science fiction
- Mobile Technology: The digital divide will cease to exist
- Analytics: Junk mail will become priority mail
IBM takes an in-depth look at each one of these claims at their website, linking to blog posts for each one of the five life-changing predictions. Whether these happen within the next 5 years is difficult to know, but you can be sure that serious questions about safety and privacy will come with them. How trustworthy can the retinal iris scan be if hackers find vulnerabilities? If not passwords for security, what kind of controls would be put into place over database(s) for matches in voice activated technology? Will the lines be blurred on what we call junk mail if the messages are carefully targeted to each person, yet still unsolicited? What dangers might we see in mind-reading technology if the user wishes to merely think about something without taking an action, yet the system fails to distinguish between the two? How will mind-reading technology react to the thoughts of a person who defined a particular action differently than the system? What will Identity Theft look like when we’re dependent on a valuable body part for our identity, rather than a password that can be discarded after it has been compromised?
As if they’re not already, things in the digital world are about to get really interesting.
How do I know which online credit report to use? The number of reporting sites being advertised seems confusing and deceptive. Is one better than another?
The FTC warns users to be careful not to fall for websites that claim to be the official free annual credit report, as many will subscribe users to monthly fees if no action is taken to cancel their services. Other questions answered by the FTC website include:
“Why would I want my credit report?”
“How long does it take to receive a credit report?”
“Where can I report false information?”
“How often can I request a free report?”
I suggest taking advantage of the FTC’s advice to stagger your reports from Equifax, Experian, or TransUnion throughout the year, rather than asking for all three at the same time. This way, it won’t be a full year before you catch on to a potentially harmful event such as identity theft showing up in your credit history. Read more from the FTC.