Quite a while back I noticed a new symbol on my bank card, it looked similar to the RSS logo you’d usually find on a website. I already knew what it meant, and knew what was coming. Shortly after I noticed merchants with debit machine carrying the same symbol, my worst fears had been confirmed. A few weeks ago, I decided to test it out to see if my fears were really as bad as I thought, or if I was just over reacting. My fears were indeed as bad as I thought they were. I had purchased a coffee at local Timmies (Tim Hortons), but instead of inserting my card, and putting in my pin, I simply pressed my card up against the screen, and read the feedback… Approved. No pin entry, no security, it just took my payment.
The next day, I decided to test my credit card, which does not carry the symbol, and sure enough, payment was approved, again without entering my PIN. Now I do realize that there are probably certain restrictions, like no payment over over $50 can be done via this method, but $50 is $50, and over time, it all adds up. There are plenty of things crooks need that are under $50, gas to fuel their vehicles, food to fuel their bodies… No you can’t jack high priced items on the cards, but you can still get free stuff on someone else dime.
Now my original fear was just losing my wallet, or having my wallet jacked, the crook now has between the time he took my wallet and me discovering its gone, to spend my hard earned money anyway he seems fit (at $50 max a shot). However my fear was just the tip of the iceberg.
This weekend I took out my wallet and put it down on by my computer, a few moment later I put my phone on top of it. As I did this, I heard a strange sound come from my phone, one I had never heard… at first I dunno what caused it, but after a few moments of doing some test, I realized the NFC (Near Field Communication) ability of my phone was picking up my cards. I currently have 3 cards which have touch-less capability, My debit card, my credit card, and my Opus card (Montreal Bus/Metro Pass). Now at this time the beep was clearly a negative sounding beep, so I know my cards were not read, but it tell me that the phone had the capability of reading this type of card.
Now my fears grow stronger, I remember watching an episode of NCIS where a street girl is walking down the side-walk with her headphones on and every once and a while put the device (disguised as a media player) up to people’s pockets till she gets a positive read… I am now realizing that this is not fiction (as a lot of the stuff created for these shows are).
So how capable is my phone of actually reading cards? I did a search and found a NFC Tag reader in the Google Play Store, now this is just a tag reader and not a usable application to steal someone info, its like grabbing the headers from a database, but not the info contained, so you would know the database contains user names and passwords, but wouldn’t have the actual data. The application successfully read my OPUS and Debit cards, but again gave a negative beep when I tried my credit card, which again doesn’t mean its not possible, just that this app didn’t recognize it. But for security purposes, and the off chance I am wrong about my previous statement, I have removed all identifying numbers. Here is what the card reader found on my debit card:
My OPUD card was a Type-B card where as you can see my debit card is a Type-A card. My opus card also did not have any extra applications compared to my debit card.
So now that my worst fears are starting to come true, knowing that my phone’s NFC capability can indeed read cards, I also start to realize that obviously I am not the only one thinking how this could be used… I did a search and found an article on Forbes from July 2012 entitled “Hacker Demos Android App That Can Wirelessly Steal And Use Credit Cards’ Data“. Now I am realizing that my fear, which used to be based on my wallet being stolen, and a crook having the time it takes me to discover my wallet is missing to spend my cash, was a bit of an under estimate… in fact they could get my info with me even knowing.
It seems the easier they make it for us to spend our money, the easier it is for the crooks to steal our money. Yes security features take up valuable time (to a merchant), but I would rather take the extra 15 seconds to have my card processed with my security in mind, then save 15 seconds and leave myself vulnerable to thieves and crooks.