Slashdot Mirror


Ask Slashdot: How Do You Keep Your Credit Card Secure?

It's easy to pontificate about the best security practices -- but the real test is what we do with our own money. Long-time Slashdot reader Keybounce writes: So, like most of you, I recently got a new credit card with a chip in it. I was not worried about that -- I know the chips are harder to copy and counterfeit. But I recently discovered that the card is also a radio card -- swiping it near the screen caused a message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked" -- stolen by someone with the right device.

How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?

At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?

So leave your own answer in the comments. How are you keeping your own credit card secure?

12 of 385 comments

  1. Shielding, jamming by stevel · · Score: 4, Interesting

    Currently I use an envelope that claims to be RFID shielding. No idea if it works or not.

    I have backed on Kickstarter an interesting "jamming" solution, Vaultcard, which looks promising.

    The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.

    1. Re:Shielding, jamming by AmiMoJo · · Score: 3, Interesting

      Do you really think that the banks would have added a feature that makes fraud as easy as pointing an antenna at people walking past? Where are the crime waves of people draining accounts with concealed card readers? How come it's been in use for over a decade in some parts of the world and they haven't noticed this massive flaw in their security?

      Unless US banks are uniquely incompetent with their card design I think this is just paranoia, whipped up by click-bait articles.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Shielding, jamming by stevel · · Score: 4, Interesting

      But consider what happened to me last year on the first day of a two-week international vacation. I got a notice from my primary card bank (Chase) that my card had been compromised and that they would cancel it and send a new one. The problem was that I was depending on this card (which has no foreign transaction fees) and I would be moving around every two days meaning that it would be difficult to get a new card to me quickly. They did offer a compromise - disable any card-not-present transactions and had me list which countries I would be in, until I could return home. I had several online purchases outstanding so I had to scramble to fix those, and even then I missed one of the countries I would be in and had my card declined twice before I figured out the problem.

      I am sure this case was a leak from a merchant that stored card data insecurely, or maybe a skimmer somewhere. That card did not have RFID. We really do need to move quicker to a tokenized system. Even so, it was more than a minor annoyance to me.

  2. Turn it off by Mikkeles · · Score: 3, Interesting

    We just asked our bank to have it deactivated and they did.

    --
    Great minds think alike; fools seldom differ.
    1. Re:Turn it off by mjwx · · Score: 3, Interesting

      Not even remotely true. The information that can be obtained with a reader does not contain the actual keys (!) that would be used to sign a transaction.

      You could actually read about EMV, the specification is public. It's fairly clear you haven't.

      Actually, it contains your card number, name and expiry date.

      Everything you need to start making transactions online.

      I have to wonder why people still think that card cloning is a credible threat these days... Card fraud moved online years ago, far better return on effort.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Turn it off by stevel · · Score: 2, Interesting

      Pretty much every week I place online orders with merchants that don't ask for CVV2. While it is true that the RFID data doesn't include CVV2 (it has a digital signature code created by the EMV chip), what is sent is MORE than enough to commit wide-scale fraud.

  3. Re:Easy by Lord Crc · · Score: 5, Interesting

    If you cannot afford to buy something with cash, then you can do without it.

    There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).

    The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police want to make it harder to launder money.

    We're not there yet, but I'd say it's coming soon.

  4. Hole punch by NiteMair · · Score: 3, Interesting

    When I last had a card like this, I just took a hole punch and punched out the RFID chip. They're pretty easy to locate (small square divot, usually right near the RFID symbol printed on the back of the card). You can also pry them out easily with a razor blade if you don't want a hole all the way through the card.

    Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.

    1. Re:Hole punch by stevel · · Score: 4, Interesting

      Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.

      You are mistaken - the RFID chip is connected to the EMV chip - may even be the same chip nowadays. This wasn't always the case, but is now. The RFID data includes an EMV-derived authentication code like the CVV.

      This had all been theoretical for me until Costco replaced my Amex card with a Visa that had PayWave (RFID). I did a LOT of reading then!

    2. Re:Hole punch by lucm · · Score: 4, Interesting

      PayWave is awesome. You just tap the card on the terminal (or near it) to pay, no pin, no signature.

      Of course some people will freak out, just like they freaked out when chips came out ("what the devilry is this!"), but it's hugely convenient. Credit cards companies already have very customer-friendly policies for fraud and scams, this is just making things even easier with no risk for the card holders.

      I've learned from past experience to have 3 credit cards: 2 in my wallet, 1 at home, that way if one gets compromised I have options until I get a new card. That's a minor price to pay for the convenience.

      --
      lucm, indeed.
  5. but this means ... or does it? by frovingslosh · · Score: 4, Interesting

    ...swiping it near the screen caused a message to show up on the reader. .... but this means it has an active radio signal

    Maybe you are not presenting your experience with proper English, but if you swiped the card and were then told to use the chip reader, that does not imply that the card has any RFID capability. It simply means that the swipe passed along enough information that the reader learned that there was also a chip. I've seen this on multiple credit cards and have confirmed that the card has no RFID. Maybe you shouldn't have used the word swipe and only meant to say that you were told to use the chip when you got the card near the card reader, but if you actually swiped it then you know nothing about if RFID is present. It does not seem to be as common as many fear mongering commercials for cheap crappy wallets would have you believe.

    As to what to do if your card really does have RFID, I suggest doing the same thing that I do with my card without RFID, keep a close eye on your charges and alert the issuing bank if there are any discrepancies. Beyond that, don't worry. It is the problem of the idiots who put RFID chips in the cards if their cards get sniffed, and it is the problem of the issuing bank if they accept bogus charges on your card. Your only issue is to not be completely stupid and pay the credit card bill without checking it for accuracy (and there are certainly some people who do).

    --
    I'm an American. I love this country and the freedoms that we used to have.
  6. Shielding, jamming... Nope, try disabling. by mjwx · · Score: 4, Interesting

    The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.

    Forget track 2 data, the card gives out your name, card number and expiry date wirelessly to anything that asks. That's enough for anyone to start making transactions.

    The first thing I do when I get an NFC enabled card is disable the wireless. I do this using a Stanley knife. If you look at your card over a bright light, you can see the induction loop. It then becomes a simple matter of making a small incision into the card to sever the induction loop. No loop, no wireless, card still behaves nicely with Chip and Pin terminals.

    I've tested this with an app on my Android phone (here but it hasn't been updated in a while and doesn't work with my Nexus 5x). It's also been tested many times by vendors who don't seem to get that yes, it's disabled now stick it in the machine so I can press savings.

    Personally I wouldn't bother with trying to shield or jam it as malicious devices are most likely to be placed on terminals, ATMs and other places where you'll have your card unshielded. If you don't want your card to be exposed, disable it completely.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.