Saturday, November 8, 2008

Crime tech one more notch up

The Collier County Sheriff's Office Crime Prevention Section was recently asked about RFID credit cards and ID theft. To be honest, none of us knew if it was possible to steal credit card information without "swiping" the card with a portable reader. After some research, we found that the "bad guys" have indeed found another way to steal your identity. I thought the information was worth passing on...

Recently, Crime Prevention was asked about RFID (Radio Frequency IDentification) technology and its capabilities to clandestinely obtain personal information from unknowing citizens (i.e. driver's license, corporate ID, college ID, credit/debit cards, etc.).

First, what is RFID? The acronym refers to a small electronic device that consists of a small chip and an antenna. Most chips are capable of carrying very little data (under 2,000 bits). We currently see this technology demonstrated in areas like microchips embedded in our pets or as a means of easy payment at McDonald's, Florida's toll booths and Speed Pass at Mobil stations. Now this same technology is being used in credit and debit cards.

How can this be exploited by criminals?

Most information retained on these cards is maintained in 128-bit encryption. Although any encryption would require time and effort on the criminal's part to access information, it is on the lower end of the encrypted data security scale. 256-, 512- and 1024-bit encryption levels are all available today.

The criminal would first purchase a portable skimming device similar to the proximity readers used to scan our Agency Identification Cards to enter CCSO buildings. Combine that with a computer and related components and the criminal can be operational with a start-up cost of approximately $150.

The distance at which a criminal can pass by a victim and extract information in this manner from their wallet or purse is still debated. Researchers from RSA Laboratories have found that it is possible to extend the distance between the victim's card and the skimmer where information is being extracted (in some instances to 300 feet).

One facet of their research included contacting the major credit card lenders (Visa, American Express and Mastercard) to see if they felt this was a viable threat. They felt their cards were not vulnerable to this type of activity. A study by RSA Laboratories took 20 cards from these three lenders and put them in an envelope, and the information was recovered through this process, contrary to the companies' position.

The credit card companies mentioned above have since begun deleting the cardholder's name from the information retained on the cards.

What can law enforcement do?

The first step law enforcement can take is to remind consumers to contact their credit card companies and confirm exactly what information is being included on their RFID Profile.

Second, ensure that their credit card companies are utilizing a minimum of 256-bit encryption on their information.

Next, as a cardholder, ask your credit card company if they offer the ability to remove RFID capabilities from their cards. The only noticeable inconvenience would be the need to physically "swipe" your card rather than scan it similar to a proximity reader.

Lastly, ask your credit card company what they offer to the consumer if their accounts are compromised and what responsibilities and costs would fall on the cardholder.

Author: Sgt. Dan Mc Donald - ID#0399 CCSO


Cpl. Lee Van Gelder
Collier County Sheriff's Office
Crime Prevention Section
3301 East Tamiami Trail - Bldg. "J"
Naples, Florida 34112
Phone: (239) 793-9163
Fax: (239) 793-9474
