Slashdot Mirror
Ask Slashdot: How Do You Keep Your Credit Card Secure?
It's easy to pontificate about the best security practices -- but the real test is what we do with our own money. Long-time Slashdot reader Keybounce writes:
So, like most of you, I recently got a new credit card with a chip in it. I was not worried about that -- I know the chips are harder to copy and counterfeit. But I recently discovered that the card is also a radio card -- swiping it near the screen caused an message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked" -- stolen by someone with the right device.
How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?
So leave your own answer in the the comments. How are you keeping your own credit card secure?
How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?
So leave your own answer in the the comments. How are you keeping your own credit card secure?
Currently I use an envelope that claims to be RFID shielding. No idea if it works or not.
I have backed on Kickstarter an interesting "jamming" solution, Vaultcard, which looks promising.
The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.
I could care less. If I see fraudulent transactions I call AmEx and I get a replacement card next morning. No need for me to go out of my way to keep a card that provides access to someone else's money secure.
It's really not my job to go the extra distance to improve their security. The card is the way it is, and if it's good enough for the banks, it's good enough for me.
I've had the card cloned a couple of time in the last five years, and it was never more than a minor inconvenience. Call the number in the back, tell them that I didn't spend $2000 on a strip club in Mexico, and they send me a new one.
Never underestimate the bandwidth of a 747 filled with CD-ROMs.
If you cannot afford to buy something with cash, then you can do without it.
There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).
The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police wants to make it harder to launder money.
We're not there yet, but I'd say it's coming soon.
Exactly. Why is this my problem? I am not liable for fraudulent charges.
I don't bother. The number of attacks in the wild is still essentially zero, and I'm indemnified against all loss. It might be inconvenient, but it's not a loss. So it's not worth my time and trouble guarding against.
I might worry about it if I were to go to the Olympics or something else with lots of international tourists, the best ones to skim, but for regular everyday use, the chance of you being skimmed rounds to zero, and if it does happen, you are blameless.
Learn to love Alaska
Maybe you are not presenting your experience with proper English, but if you swiped the card and were then told to use the chip reader, that does not imply that the card has any RFID capability. It simply means that the swipe passed along enough information that the reader learned that there was also a chip. I've seen this on multiple credit cards and have confirmed that the card has no RFID. Maybe you shouldn't have used the word swipe and only mean to say that you were told to use the chip when you got the card near the card reader, but if you actually swiped it then you know nothing about if RFID is present. It does not seem to be as common as many fear mongering commercials for cheap crappy wallets would have you believe.
As to what to do if your card really does have RFID, I suggest doing the same thing that I do with my card without RFID, keep a close eye on your charges and alert the issuing bank if there are any discrepancies. Beyond that, don't worry. It is the problem of the idiots who put RFID chips in the cards if their cards get sniffed, and it is the problem of the issuing bank if they accept bogus charges on your card. Your only issue is to not be completely stupid and pay the credit card bill without checking it for accuracy (and there are certainly some people who do).
I'm an American. I love this country and the freedoms that we used to have.
The 16-digit system is ridiculous. If you're going to use your card online, or in restaurants, etc. your card number is quasi-public.
Two of my cards have an option which sends email and/or SMS and/or app-notifications upon every transaction, accepted or denied.
I caught a bogus attempted charge last month - this saved a lot of exposure & aggravation. It also informed me last week when my personal activity caused my card to be suspended ( several international charges, different countries in the same hour). CapitalOne, Discover, & Chase offer this, and I assume some other competitors do so as well.
Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.
You are mistaken - the RFID chip is connected to the EMV chip - may even be the same chip nowadays. This wasn't always the case, but is now. The RFID data includes an EMV-derived authentication code like the CVV.
This had all been theoretical for me until Costco replaced my Amex card with a Visa that had PayWave (RFID). I did a LOT of reading then!
I am not liable for fraudulent charges.
Sometimes you are. I was fraudulently charged $19/month for several months by Travelocity. I disputed the charges through Bank of America, and BOA told me that Travelocity was their "marketing partner" so the fraudulent transactions could not be reversed. I cancelled the credit card, closed all my BOA accounts, and switched to Wells Fargo (the only other bank within bicycle distance of my house). I also never again used Travelocity for anything. I periodically go into the local BOA branch and steal their ink pens.
Here is how to stay out of trouble.
1. DO NOT USE YOUR ATM CARD ANYWHERE, EXCEPT AT THE BANK THAT ISSUED IT IN THE LOBBY.
2. Feel free to use your credit card anywhere, AS LONG AS YOU CHECK THE MONTHLY STATEMENT AND DISPUTE ANY CHARGES.
3. Anywhere especially seedy, PAY CASH or use a Green Dot Card from Walmart money card loaded with the exact amount.
4. Only use checks for re-occuring variable bills like phone, gas, electric so an error can no clean out your bank account. Some phone cable and phone companies occasionally have problems with sending customers erroneous $1000 monthly bills.
5. Do not use online banking. Make sure you have it turned off.
6. Make sure you have an ATM only card that can not be used as a debit card. This means it only works at ATM machines.
7. Setup all fixed cost bills, mortgage, car, insurance, student loan for auto pay so you don't need to use online banking or write a check.
8. Do not let money pile up in your PayPal account. Paypal is not a real financial institution and can play games with your money and you have very little protection.
9. Bank with a real bank, an 800 lb. gorilla like Chase that has 24-hour fraud people.
10. Keep a copy or scan of all documents/cards in your wallet. If you wallet gets stolen you can quickly cancel everything, instead of trying to figure out what was in your wallet.
11. Pay your credit card off EVERY MONTH, no exceptions. 20% interest is for suckers. If you can't control yourself, set you limit for what you are able to pay. NEVER carry credit card debt. NEVER.
The safest forms of payment are:
1. CASH / Walmart Green Dot Money Card
2. Credit Card
3. Check
4. ATM Card
Why do I make these recommendations?
1. Cash can't be hacked.
2. VISA provides you with protections to dispute charges. That means if you get hit with a charge, you can dispute it and during the dispute period you aren't out any money, unlike bank fraud. If a vendor is getting a lot of chargebacks from VISA, they will figure out they have a hole in their system and fix it or go out of business.
3. Your ATM card connects directly to real money. If you have Autopay setup and someone hacks your ATM/Debit card, you could be in a world of hurt because your account might get emptied out and there would not be any funds available to pay your bills. This is a bad, expensive situation.
4. Your checks have a magnetic toner on the bottom with your bank routing number and bank account number. With these numbers, someone could possibly access your account. Only use checks for variable payments like phone, gas, electric.
5. If you need to buy something that you don't want associated with you directly, get a Walmart Green Dot Card. This is great in case you are in need of a burner phone or other untraceable payment. By law you are supposed to register these cards but Green Dot will still allow you to use it but will deny you a personalized card. Many illegal/undocumented immigrants use these cards. These cards can be sketchy and prone to fraud, so buy it, load it, and spend it as soon as possible.
If you have any questions, let me know and I will check this thread again. Be smart. Guard your privacy, credit score, and your hard earned money.
PayWave is awesome. You just tap the card on the terminal (or near it) to pay, no pin, no signature.
Of course some people will freak out, just like they freaked out when chips came out ("what the devilry is this!"), but it's hugely convenient. Credit cards companies already have very customer-friendly policies for fraud and scams, this is just making things even easier with no risk for the card holders.
I've learned from past experience to have 3 credit cards: 2 in my wallet, 1 at home, that way if one gets compromised I have options until I get a new card. That's a minor price to pay for the convenience.
lucm, indeed.
Not even remotely true. The information that can be obtained with a reader does not contain the actual keys (!) that would be used to sign a transaction.
You could actually read about EMV, the specification is public. It's fairly clear you haven't.
If you cannot afford to buy something with cash, then you can do without it.
There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).
The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police wants to make it harder to launder money.
We're not there yet, but I'd say it's coming soon.
A card-only system is the perfect surveillance solution. Not only does it reveal everything that you've purchased and from whom, but the time and location as well.
Presidents Putin and Erdogan recommend them!
The moment the cashless society is a fact you will regret that you didn't fight it.
"Trump!!", the new Godwin.
I recently found out that my card was leaking radio waves in the visible spectrum! This is really nefarious because the radio waves do not actually originate from the card itself. When a store, hacker, or other third party sends radio waves in the visible spectrum towards my credit card, the card returns the signal back to a wide range of locations with the user's name, the credit card number, and even the cvv code on the back!
The worst part is that there are even visible spectrum enhancers on the market, which turn the radio signal, which is usually only decipherable at 2-3 ft, into a signal that can be deciphered from 30-100 ft. I can't even believe that these things are legal, or that the card returns these radio waves in the visible spectrum!
The world is going to hell in a handbag!
The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.
Forget track 2 data, the card gives out your name, card number and expiry date wirelessly to anything that asks. That's enough for anyone to start making transactions.
The first thing I do when I get an NFC enabled card is disable the wireless. I do this using a Stanley knife. If you look at your card over a bright light, you can see the induction loop, It then becomes a simple matter of making a small incision into the card to sever the induction loop. No loop, no wireless, card still behaves nicely with Chip and Pin terminals.
I've tested this with an app on my Android phone (here but it hasn't been updated in a while and doesn't work with my Nexus 5x). Its also been tested many times by vendors who don't seem to get that yes, it's disabled now stick it in the machine so I can press savings.
Personally I wouldn't bother with trying to shield or jam it as malicious devices are most likely to be placed on terminals, ATM's and other places where you'll have your card unshielded. If you don't want your card to be exposed, disable it completely.
Calling someone a "hater" only means you can not rationally rebut their argument.
It doesn't include the CVV2 that will be requested even by very low risk online retailers. You might be thinking, "But this field right here is labelled CVV" and it is, but there are like four CVVs for a modern card, and that's the wrong one. The one you need online is CVV2, which is the one written on the back of the card but not stored on the card itself.
This happened because cards _used_ to have just one CVV, baked into the magstripe, so you could tell you had a "real" magstripe read, not one based on just reading the digits off the card, but if people got the CVV elsewhere they'd fake that out. So the "fix" was to have a different value for CVV in each place, and check you got the right one. So there's a CVV for EMV chip transactions, a CVV for the magstripe and one written on the card for online.