(CBS) It’s supposed to make paying for things faster and easier – just wave your credit or debit card over a scanner and you’ve paid. But now some worry that radio frequency identification (RFID) technology is also making it easier for crooks to rip you off. Security expert Walt Augustinowicz took a stroll along Beale Street in Memphis where, as witnessed by CBS Affiliate WREG, he was able to swipe the credit card information from passers-by. “If I’m walking through a crowd, and I get near people’s back pocket and their wallet, I just have to get that close to it and there’s my credit card and expiration date on the screen,” Augustinowicz told WREG correspondent Scott Noll. Using just an off-the-shelf card reader he bought online for less than $100 and a Netbook computer, Augustinowicz explained, he could swipe credit card numbers, expiration dates, and in some cases, even people’s names. People who thought there was no way their pocket could be picked without laying a hand on them, soon learned they were wrong. Scanning one willing participant’s wallet, Augustinowicz showed the man his credit card number and expiration date on his computer. “There you go. It’s a MasterCard,” he explained. “You have a SunTrust card in there,” Augustinowicz explained to a second “victim.” “And that’s your account number and expiration date,” he said showing the man the screen. In about an hour he scanned 26 wallets and purses. Five of them – nearly 20% – had cards with RFID chips. Augustinowicz said crooks could work a crowd, steal numbers, and then e-mail them anywhere. “You might as well print your credit card number across your T-shirt and walk around with it because it’s the same difference,” he said. U.S. passports issued since 2006 also contain RFID technology that, Augustinowicz said, can make personal information vulnerable to theft. Augustinowicz is the founder of Identity Stronghold, a company that markets secure sleeves and ID holders designed to block RFID hacking. Among his customers: The U.S. government. So is Augustinowicz just trying to scare people into buying his product, or is the threat real? Experts at the San Diego-based Identity Theft Resource Center told WREG that they’ve never seen a case of RFID skimming used to steal information. WREG’s Steve Noll show showed a video of Augustinowicz’s demonstration to University of Memphis professor and computer security expert Mark Gillenson. Gillenson calls it technology run wild, and called WREG’s findings compelling. “It’s potentially a major problem,” he said. “I think people do need to be concerned and should be aware, and we’ll see if this becomes a major problem.” WREG contacted several credit card issuers for comments about RFID technology. Discover said its Discover Zip contactless card, unlike RFID, is designed to operate only at very short ranges (less than 2-4 inches). Using RF-enabled technology, the card “has a unique security feature in that the verification code changes each time you use it – so that any skimmed data could not be reused.” American Express told WREG that it is confident in the security of its RFID technology, called ExpressPay. Its says ExpressPay contains a unique “key” that generates a different digital signature for each transaction that cannot be copied, overwritten or read. The ExpressPay key creates an unbreakable cryptogram, ensuring the ExpressPay device is legitimate. “We believe that the cryptogram is the best technology available today for ensuring the integrity of ExpressPay transactions and minimizing the risk of fraud,” American Express said. MasterCard said that its PayPass cards and devices “are as secure as paying with traditional MasterCard cards that have magnetic stripe technology. In fact, many consumers claim that they feel more secure with PayPass because they never have to turn the card over to a cashier and it never leaves their hand.” In response to WREG’s report demonstrating the swiping of digital data, MasterCard said, “[I]’s important to point out that they can’t do anything with that data,” such as making an Internet phone purchase without the 3-digit CVC number printed on the card’s back; nor could anyone create a phony magnetic stripe card. Representatives of Visa have not responded to multiple requests from WREG for comment on its story.
