Pickpockets have been around for centuries, but the “gentleman pickpocket” has some serious skills and has practically turned crime into a 'supernatural' art form.
We’ve looked at NFC threats on the horizon, but what about criminals with enhanced “digital skills” acting as e-pickpockets? This is when criminals use RFID readers to lift sensitive info from contactless credit cards or biometric passports without ever touching the wallet. In the public service announcement video below, “RFID and Electronic Pickpocketing,” there is no conflict of interest, as no one is trying to scare you into buying their products for protection.
Snopes called electronic pickpocketing a mixture of fact and fiction, but the reason for bringing up e-pickpocketing is that Texas has allegedly seen such credit card fraud. Although the police wouldn’t elaborate on details, M.R. 'Bubba' Colyer, of the McLennan County Sheriff's Office Criminal Investigation Division, told KWTX about a recent case in which the "suspects were able to get a victim's credit card number, and before the victim even realized it, there had been $26,000 worth of charges on it." Colyer added that often victims don't know until their bill comes. "This is going to be huge,” said Walt Augustinowicz, founder of Identity Stronghold. “There's literally going to be millions of people who will get ripped off because of this."
Texas Gets Electronically Pickpocketed - Law Enforcement Reports Losses:
But this is nothing new at all: the potential security and privacy holes were first pointed out back in 2004, when security researchers from Johns Hopkins University and RSA Laboratories reverse-engineered RFID-enabled cards and demonstrated practical skimming and cloning attacks [PDF]. Way back in 2006, University of Massachusetts computer scientists demonstrated the attack against contactless credit cards and called it “the ‘Johnny Carson attack,’ for the entertainer's comic pose as a psychic divining the contents of an envelope.” Years ago, when I emailed David Maxwell, director of RFID Protect, about taking the attack and rebranding it as “electronic pickpocketing,” he did not reply; I had wanted to know whether that was because he conveniently sells protection in the form of shielded wallets and purses.
Augustinowicz previously went viral with an Electronic Pickpocket video. He also warned that if you have an NFC-enabled (Near Field Communication) smartphone, malicious apps are allegedly another way to get electronically pickpocketed. Augustinowicz said, “Your own phone could be scanning your credit cards and emailing the information to anywhere in the world. They can be in Iowa in a cornfield, put their phone in their pocket next to their credit card and get ripped off that way.” Keep in mind that although he’s been featured in many videos, he also sells protection.
I have nothing against entrepreneurs raising awareness to sell security products, but I’m not interested in pimping their products; you can protect yourself from potential electronic pickpockets for free. Multitask: take that tin foil for your hat and instead place it in your wallet, or otherwise wrap aluminum foil around any contactless-enabled payment cards and/or passport. MarketWatch added, “If you have two cards with RFID chips in your wallet, the scanner can’t read them because they confuse the information and cancel each other out.” Don't count on that, though: the ISO/IEC 14443 protocol that contactless cards use has an anti-collision step precisely so that a reader can single out one card when several are in its field, so two cards in one wallet do not reliably shield each other. Foil, which actually blocks the reader's field, does. While I may sort of roll my eyes regarding the crime of e-pickpocketing, I’ll admit that at Black Hat and Def Con I did indeed wrap my “temporary” credit card in aluminum foil.
In 2012, when viaForensics developed a proof-of-concept mobile app that could read data from contactless credit cards, it found that the “degree of data leakage depended upon the card type and issuer.” The researchers were able to grab card data over NFC and then showed that it was enough to make purchases on Amazon, a serious weakness in that checkout. Visa told the researchers that if online shopping sites don't ask for the CVV2 code, the three-digit security code on the back of the card, then it's their problem, not Visa's [video]. Note that the CVV2 is only printed on the card and is not stored on the chip, so a contactless read never yields it; that is exactly why merchants that skip the CVV2 check are the weak link. Other customers contacted their banks to say they didn’t want a contactless card and were basically told too bad, so sad, that’s “tough.” Then at Def Con 2012, security researcher Charlie Miller presented “Don’t Stand So Close To Me” and easily hacked NFC on Android and Nokia phones left on their default settings.
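To make concrete what "data leakage" from a contactless card means, here is an added example (my own code, not the viaForensics app or anything from the original post) that parses the BER-TLV records an EMV contactless card returns to a READ RECORD command and reports which fields come back in the clear. The tag numbers (5A, 5F24, 5F20, 57) are from the EMV specification; the two card records are constructed test data, not captures from real cards, and the second one deliberately omits the cardholder-name tag to show the issuer-dependent leakage the researchers described. Talking to the card itself (SELECT PPSE, SELECT AID, GET PROCESSING OPTIONS, READ RECORD) is not shown; the point here is what is in the response once you have it, and what is not: there is no CVV2 anywhere in it.

```python
"""Decode EMV contactless READ RECORD data and show what a skimmer would learn.

Added example with constructed card records; not the viaForensics PoC.
"""

# Primitive EMV tags that contactless cards commonly return unencrypted.
EMV_TAGS = {
    "5A": "Application PAN",
    "5F24": "Application expiration date (YYMMDD, BCD)",
    "5F20": "Cardholder name (issuer-dependent, often absent)",
    "57": "Track 2 equivalent data (PAN 'D' YYMM service-code discretionary)",
}


def tlv(tag: str, value: bytes) -> bytes:
    """Encode one short-form BER-TLV element (used only to build test records)."""
    assert len(value) < 0x80, "short-form length only in this helper"
    return bytes.fromhex(tag) + bytes([len(value)]) + value


def parse_tlv(data: bytes) -> dict:
    """Decode BER-TLV into {tag_hex: value}, descending into constructed tags."""
    out = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):      # inter-element padding, skip it
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:         # multi-byte tag: continue while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                # long-form length: 0x8N then N bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                 # constructed tag (e.g. 70 record template)
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_record(record: bytes) -> dict:
    """Return the human-readable fields a contactless read exposes."""
    elems = parse_tlv(record)
    fields = {}
    if "5A" in elems:
        fields["pan"] = elems["5A"].hex().upper().rstrip("F")   # BCD, F-padded
    if "5F24" in elems:
        yymmdd = elems["5F24"].hex()
        fields["expiry"] = f"20{yymmdd[:2]}-{yymmdd[2:4]}"
    if "5F20" in elems:
        fields["name"] = elems["5F20"].decode("ascii").strip()
    if "57" in elems:
        track2 = elems["57"].hex().upper().rstrip("F")
        pan, rest = track2.split("D", 1)
        fields.setdefault("pan", pan)    # track 2 repeats the PAN even if 5A is absent
        fields["track2_expiry"] = rest[:4]
        fields["service_code"] = rest[4:7]
    # Deliberately no "cvv2": it is printed on the card, never stored on the chip.
    return fields


# Constructed test records (not real cards). Track 2: PAN 'D' YYMM SVC discretionary, F-padded.
TRACK2 = "4111111111111111D2512101" + "0000000000000" + "F"
CARD_A = tlv("70", tlv("5A", bytes.fromhex("4111111111111111"))
             + tlv("5F24", bytes.fromhex("251231"))
             + tlv("5F20", b"CARDHOLDER/TEST")
             + tlv("57", bytes.fromhex(TRACK2)))
CARD_B = tlv("70", tlv("57", bytes.fromhex(TRACK2))       # issuer that omits 5F20
             + tlv("5F24", bytes.fromhex("251231")))

if __name__ == "__main__":
    for label, rec in (("card A", CARD_A), ("card B", CARD_B)):
        print(label, decode_record(rec))
```

Run it and card A yields PAN, expiry, service code and cardholder name, while card B yields everything except the name, which is the "depends on the card type and issuer" observation in a nutshell. The PAN and expiry alone are what a merchant that skips the CVV2 check accepts, so that combination is the data that matters in the Amazon demonstration above.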
It is also worth noting that while long-range RFID tags with normal read ranges of 30 feet have been read from as far away as 50 to 69 feet using special equipment, skimming data from payment cards seems to require the attacker to be nearly on top of the victim: contactless cards use the ISO/IEC 14443 interface, which is designed to work over a few centimeters. Nothing like a 50-foot read has ever been shown in a case of e-pickpocketing. In 2011, the “U.S. Secret Service, who investigates payment fraud,” went “on record saying that there's no evidence of any kind of fraud based on scanning on contactless credit cards.” Since then, however, “Bubba” the Texas sheriff's investigator reportedly said he knows of electronic pickpocketing crime victims.
One last little crime nugget as food for thought comes from Belgium's Safe Internet Banking campaign, in the form of the video “Amazing mind reader reveals his 'gift'.”