The truth about RFID credit card fraud

Despite demonstrations to show it's possible, documented cases of RFID credit card fraud are unknown. And as security professionals know, there is a huge gulf between potential crime and actual crime.

1 2 Page 2
Page 2 of 2

It’s proof that it can be done, sort of. It requires that an online vendor violate their merchant agreement and not do basic anti-fraud validation (by requiring a valid name, address, and security code). The vendors not performing the correct validation have the reported fraud taken out of their own bank accounts. I’ve got to think those online vendors are either unscrupulous and intending to be used as a criminal fence or they won’t be in business very long when the credit card merchants trace back the fraudulent transactions to their poor validation checking.

Still, this is not evidence of a real-world crime. 

RFID credit card crime is only possible when...

To worry about RFID credit card crime, you have to assume incredible remote RFID reader ability in real-world situations and online vendors with literally no basic credit card validation, or criminals who want to buy legitimate merchant devices and go through the lengthy authorization process, and provide a real bank account, to capture a few low-dollar transactions before they are cut off.

As Randy Vanderhoof, executive director of the Secure Technology Alliance and director of the U.S. Payments Forum wrote me, “Consumers should listen to their trusted financial institutions, the banks, and payments brands and believe them when they tell their customers that contactless payments cards are secure.”

Even if we assume that all £6.9 million of 2016 RFID crime reported in the UK Finance report was committed by credit cards and not mobile devices, it means RFID crime is still, at best 1.1 percent of overall credit card fraud, and it’s falling. If you are worried about a potential 1.1 percent crime rate while also using non-RFID credit cards which are responsible for 98.9 percent of credit card fraud, aren’t you focusing on the wrong threat? Why use any credit card? As far as I can tell, if you are worried about credit card fraud, you’d be about 90 times safer (and getting safer) to only use RFID credit cards. You shouldn’t run away from or even worry about RFID credit cards, you should embrace them.

Copyright © 2017 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
How to choose a SIEM solution: 11 key features and considerations