ALARMS raised by police recently about "electronic pick pocketing" are only feeding hype about a problem that doesn't exist, according to Visa Canada, the maker of many of the cards at the centre of the outcry.
In a release issued April 2, North Vancouver RCMP warned residents of the North Shore to protect their embedded-chip credit cards against identity thieves by shielding them with special metallic privacy sleeves. They said new swipe-free Radio Frequency Identification, or RFID, technology, which allows users to make purchases by waving cards near a sensor at check-outs, also make it easier for identity thieves equipped with electronic readers to steal personal information.
"By simply walking past you, a person with a card reader acquires your credit card number, expiration date and more," according to the release.
In recent years, police on the North Shore have investigated frauds in the hundreds of thousands of dollars that have affected hundreds of cardholders. Those scams have been perpetrated by traditional means, however, primarily by fraudsters who have tricked victims into providing personal information over the phone or who have used PIN-collecting dummy debit terminals installed in unsuspecting stores.
In that time, North Shore police investigators have never reported a case in which the information was gathered remotely from an RFID chip.
Cpl. Richard De Jong, spokesman for the North Vancouver RCMP, conceded there hasn't been a case on the North Shore to his knowledge, and couldn't cite one from the Lower Mainland.
However, he said, it's a relatively new scam, so it could just be it hasn't had a chance to make its way here yet. He also pointed out that without properly scrutinizing their statements, victims may never realize they've been defrauded.
"The technology exists," said De Jong, who uses a privacy sleeve for his own cards. "Is it an extreme problem? No. But we are aware of it and we're putting it out there so people are aware of the potential.
"Bad guys have access to the same scanners," he said. As manufacturers include RF chips in more and more items, he added, whatever potential there may be for RFID fraud today could be "the tip of the iceberg."
The alert, which was circulated by several news outlets, echoes a similar warning from the Surrey RCMP in January. Sgt. Laura Malo, head of the Surrey detachment's fraud section, told reporters that a passing brush against someone, on a crowded bus for instance, could be enough to wirelessly gather credit card information.
This follows reports from numerous American news programs in recent years, warning consumers that they could lose fortunes by leaving swipe-free cards unprotected in their wallets.
But Visa Canada, whose payWave cards are among the credit cards deemed to be at risk by police, said the warnings raise the spectre of something that just isn't going to happen.
"There is a remote risk that data can be intercepted, but we have multiple layers of security that address that," said Gord Jamieson, head of payment system risk for the company. "There's a lot of hype around this for no real reason."
To date, said Jamieson, the card company hasn't received a single report of fraud using the methods described.
First of all, he explained, cards have to be within about five centimetres of a scanner to be activated, meaning they can't be read from any significant distance. Secondly, the only data stored magnetically on the card is the card number, the expiry date, and an additional "dynamic three-digit code" that changes with each transaction, meaning the holder's name, address and so on couldn't be captured.
If someone did manage to scan a card and use the data to make a dummy, the operation would quickly be tripped up by the rotating three-digit code system, added Jamieson.
"Every time (the card) transmits (information), it creates a new dynamic value that is transmitted along with account info that is validated by the issuer," he said. "Every single transaction, that dynamic code changes. When captured, it can only be relayed once. It could not be done over and over and over again."
Touch-free transactions are capped at $50 per wave, meaning the damage would stop at that amount, said Jamieson. Under Visa's zero-liability fraud policy, victims wouldn't even be on the hook for that since the company would cover the loss, he added.
"The fraudster is going to go through all this to capture data that he can use once, that can only used for a transaction of up to $50," said Jamieson. "We just don't see it happening."
Jamieson acknowledged that metallic sleeves would disrupt any signal going to or from a card, but reiterated his view that they were unnecessary.
"We don't promote that; we don't see the need for it," he said. "There are too many layers of security to counterbalance it. It's just not something we've seen in the field."
