New credit cards allow hands-free theft

August 3, 2008 by Philip Dru 

Millions of so-called contactless credit cards have been mailed to Americans on the theory that we just don’t spend money fast enough.

While you’re absorbing that little nugget, consider this as well: The cards, which wirelessly communicate information about you and your account, don’t have an “off” switch.

Contactless smart cards rely on radio-frequency-identification (RFID) technology to speed retail transactions. Instead of handing our credit cards to a clerk or swiping them through card readers, we just wave our plastic in front of a scanner. Often, no signature is required; it’s whoosh and go.

Mobil’s Speedpass was an early example of this technology. After trial runs in several cities, MasterCard, Visa and American Express began issuing contactless cards in earnest.

The technology looks cool; the card issuers assure us these transactions are encrypted and safe. But privacy advocates aren’t so sure.

Grad students from Johns Hopkins University hacked a Speedpass a few years ago to get free gas. More recently, two researchers at the University of Massachusetts pulled unencrypted names, account numbers and expiration dates off contactless credit cards using a homemade scanning device. The New York Times reported that one of the UMass researchers, Tom Heydt-Benjamin, was able to buy electronic equipment online using information pulled off a contactless card sealed inside an envelope.

The “Today” show aired footage demonstrating another data capture, in which Heydt-Benjamin concealed the scanner in a briefcase and “read” data from a contactless credit card in another person’s back pocket.

The problem, you see, is that radio-frequency tags are always open to wireless access, whether you’re using them or not. So anyone with the right equipment can read the data, and the equipment needed to do so is getting cheaper and more sophisticated all the time.

RFID technology isn’t new or novel. It’s gotten a lot more popular, but it’s been used for years in:

* Corporate, government and student ID badges.

* Electronic passes that allow drivers to zoom by toll booths.

* Plastic tags on clothes to discourage shoplifting.

* Identification tags embedded under pets’ skin.

* Books, compact discs and other media at many libraries.

Wal-Mart and other retailers use RFID chips to track inventory. Ports use the technology to track shipping containers.

Furthermore, if you’re a U.S. citizen, the next passport you get will contain an RFID chip. The federal government started issuing these in October 2006. Concerns about RFID signals led the government to include a small shielding device in the passports to block access to the chips’ data.

Your contactless card doesn’t have such a shield, but you can buy RFID-blocking sleeves for your contactless cards or create a simple one out of — seriously — aluminum foil.

Card issuers say sleeves aren’t necessary, of course. They insist the unencrypted account information that the UMass researchers found was an anomaly and that most contactless cards employ stronger security. Issuers also have removed the cardholder’s name from second-generation cards, saying it would be difficult for a thief to use the card number without a name or security code.

Still, the idea that the card is always “open” — and that we might not be able to control who is picking up our information and what’s being done with it — should concern every consumer.

“We think it’s a pretty serious issue,” said Marc Rotenberg, the head of the Electronic Privacy Information Center. “The contactless card design is inherently flawed.”

It’s not just the evildoers that concern Rotenberg. He wonders if retailers and others might quietly pull information from the cards sitting in unsuspecting consumers’ wallets and add it to their databases.

The good news, if there is any, is that you typically wouldn’t be on the hook for any charges made by a crook who merely stole and used your account data to buy stuff. And there are much easier ways for thieves to take your data.

“Stealing credit card numbers wirelessly has more spook value than genuine hacker value, it seems to me,” said Bob Sullivan, an MSNBC technology reporter and the author of “Your Evil Twin: Behind the Identity Theft Epidemic.” “Stealing all those numbers one at a time is hard work — stealing databases of cards is much more lucrative.”

So what do you do if your credit card issuer sends you a contactless card or you already carry one in your wallet? You have a couple of choices:

* You can send it back and demand a regular credit card. Your card issuer should comply; few will risk losing your business by trying to force the cards down your throat.

* If you like the technology and want to use it, consider buying or making a signal-blocking sleeve. Yeah, it might feel a little like making a tinfoil hat to keep out alien mind-reading beams, but better safe than sorry.

Columns by Liz Pulliam Weston, the Web’s most-read personal finance writer, appear every Monday and Thursday, exclusively on MSN Money. She also answers reader questions on the Your Money message board.

MSN Money | Liz Pulliam Weston | Friday, December 21, 2007
