RFID chips, biometrics and one-time PINs: High-tech solutions are evolving to thwart high-tech credit thieves
Just one day after using her RFID-enabled credit card successfully, Greenville resident Karen Schulz found the card denied.
Since the card should have been fine, the Greenville resident immediately called her bank. The bank told her a hold had been placed on the card when activity showed up at a Target in New York. They told her the number could have been retrieved when she used the card to buy gasoline.
“I was so gratified they put a hold on it,” she said.
Factor3, a Greenville-based company, is trying to commercialize technology that could solve that problem, said John Boyd, founder and chief financial officer of the company.
Card fraud is common
Stories like that abound. Greenville County Sheriff’s Office spokesman Deputy Jonathan Smith said that when he was working white-collar crime, the office had people coming in to report stolen cards or fraud several times a week.
Thieves steal credit or debit card information easily – prying it from cards electronically, obtaining it from stolen cards, finding it in information-laden dumpsters or even skimming it from a card handed over to be swiped.
Smith advised people to be particularly cautious with debit cards, which link directly to a bank account.
“If you allow someone to use your card, say to buy gas, and give them the PIN number and they buy something you didn’t authorize, the bank will hold you responsible,” he said. However, if you did not give them the PIN or authorization to use the card, it is then treated as fraud.
Card fraud can happen to anyone at any time, according to experts. More than 9 million Americans suffer from identity theft every year. Card fraud “is a multibillion dollar problem,” said Richard McDonald, CEO of Factor3.
But consumers can fight back. They need, however, to know what steps to take to protect their personal information and to fight fraud if it occurs.
The newest concern is electronic pickpocketing through the use of cards with RFID, or radio frequency identification, chips embedded. The chips make it possible for a consumer to use a smart card by waving it over a reader rather than swiping it through one. The chip includes information about the card and its owner read remotely, meaning usually one to four inches in distance.
These cards, becoming more common with more than 1 billion estimated issued worldwide, provide convenience for consumers, who are able to keep the card in their possession at all times, according to the Smart Card Alliance. Merchants gain from faster transaction times and lower operational costs. Issuers gain by the card’s penetration into the cash payment market.
Some voice concern that thieves with readers could steal the information from the cards while they are in the consumer’s pocket or while the card is in use. A 2007 study by researchers at the University of Massachusetts, RSA Laboratories and Innealta Inc., experimented with about 20 different cards and two card readers. They found that the technology was vulnerable to theft but said security would be beefed up as the technology matured.
Security experts said cards now use encryption and the fear of remote reading should decline as security levels increase. Also, many cards create a new authentication code for each transaction so only one transaction can be made with stolen information.
In addition, issuers are moving away from smart cards that include a magnetic strip to one based on chips using the EMV (Europay, MasterCard and Visa) security standard, with all the information stored solely on the chip. No strip will be needed as fewer people swipe their cards.
Old security ‘not adequate’
Boyd, who calls himself a serial entrepreneur, said the idea for the Factor3 card being developed by his company and its partners came during a visit to Disney World. He watched the biometric scanning as visitors used their park passes. The cards can be used anywhere in the park. He also watched food stamps being sold in a BI-LO parking lot, a practice he thinks could be eliminated with the Factor3 card.
The card under development includes biometric scanning of fingerprints and a one-time PIN that changes with each use, he said. Once a cardholder swipes two fingers across a specified section of the card, it can be waved in front of a reader or swiped.
Boyd and McDonald emphasized that the fingerprint is only stored on the card and is in no database, either government or private.
“Static passwords and PINs are not adequate any longer,” said McDonald. He said one in four Americans reported card fraud, but that the actual number is higher than that, because people often don’t report it.
Currently, Factor3 is on its third version of the card and is negotiating with a group for a pilot project to test the card and work out any quirks that show up from consumer use. McDonald said an ideal pilot program probably would focus on a government agency or a business and include about 500 people.
The two hope to have a card ready for use within six months. But credit and debit cards probably are not the first place their card would be used. It could be used for residents to access a condo complex, or to allow government employees to securely log into a computer or other system. It could be used for recipients of government benefits.
“The important thing,” he said, “is to get started. People don’t tend to worry about fraud until it happens to them.”
Consumers are ready
The goal of the card, McDonald said, is “to prevent cardholder-not-present fraud.” Currently, about $30 billion to $40 billion of this type of fraud occurs annually.
While the Factor3 card is not likely to solve all identity theft problems, “what we’re doing now is certainly not working,” he said.
Boyd said that when he talks with people, they tell him they have too many passwords and PIN numbers and that they are too similar. They know that’s not safe. He said he expects many consumers to jump at the opportunity of biometric and one-time PINs on a card.
“It sounds like it’s worth trying,” said John Bennett, a Spartanburg resident who said he currently has three credit cards plus a debit card. “If my wallet is stolen, I have to immediately pull the plug on all of them. It’s a pain. I’d be willing to have my fingerprint stored on a card as long as it doesn’t go into a database. I wouldn’t like that.”
Factor3 plans to design, manufacture and sell the cards as well as provide authentication that the card is valid to the person using it, McDonald and Boyd said.
Until that card or other similar protection is available, experts said it’s important to realize that most credit and debit cards are much more low-tech. Thieves steal the cards, find them dropped, take photographs of the cards when they’re out of sight of the owners or go through bank statements or credit statements thrown away.
For example, a year before Schultz had her card problem, her mother experienced a confusing and difficult fraud situation.
She responded to “something on the computer that looked very official, like it was from her bank,” Schulz said. The scammers took control of the computer and got all her mother’s passwords and numbers. Her brother called about the same time and when told of what happened, he told his mother to turn off the computer immediately.
The bank worked with her, but she had to replace all her cards and passwords, Schulz said.
Foiling crooks with aluminum foil
Consumers also need to realize that theft and fraud is something that has to be lived with, Smith said. The consumer is doing nothing wrong when using a card online or when using a smart card at a store. There is probably nobody in the country that doesn’t have a good part of his personal information on the Internet, where it can be lifted or sold or stolen.
Beyond protecting against the obvious kinds of fraud, the first step for a consumer comes from knowing if the card – credit or debit – is RFID-enabled. Symbols of electric waves in the corner of the card indicate that a chip is embedded. Some cards have the words Pass Wave, Blink or PayPass.
Easy steps can be taken to help protect the cards. Simply wrapping the card in aluminum foil might be enough protection. The consumer would have to unwrap it for use. Special envelopes have been developed to protect the information on the RFID card.
The Federal Trade Commission suggests that account numbers not be given over the phone unless the card owner initiated the call to a company known to be reputable and that cards be carried separately from a wallet. Another suggestion: Carry only the card needed for the transaction. The commission also said that card owner need to notify the issuer if they plan to travel. And, finally, report lost or stolen cards immediately.
One important step is detection – review all types of card fraud. Review credit card statements and view checking accounts often to find any unauthorized charges. Check your information at credit reporting agencies at least once a year and maybe more often, Smith said.