Secretly swiped: Your account numbers taken out of thin air

ABC7 I-Team Investigation

Jason Knowles Image
Tuesday, February 10, 2015
Secretly swiped
The ABC7 I-Team reveals the mobile technology that hackers can use to steal credit and debit numbers from you while you're in public.

CHICAGO (WLS) -- The ABC7 I-Team reveals the mobile technology that hackers can use to steal credit and debit numbers from you while you're in public. The cards at risk are enabled with radio technology that allows you to "wave and pay."

It may be convenient, but there are also remote tools that thieves can use to steal information from those cards. The I-Team tested a device that can "secretly swipe" while you are standing in line to pay, on an escalator, or in a crowded spot.

"I would walk up to you and I might stand like this on the train, Ok and boom, I have your credit card," said David Bryan.

Bryan, a security specialist at Chicago's Trustwave, used a device in his backpack to read account numbers and expiration dates - all from cards which I think are safely tucked away in my wallet.

"They have everything in just a few seconds," Bryan said. "The card sends data back to the device, right. So that means it's wireless, so if it's wireless, it can be read through clothing."

The equipment is easily found online but only works on cards with this wireless symbol or cards enabled with "Radio Frequency ID" , "Near Field Communications", "Blink" or "Paypass" technology. As you can see, the device only has to get within 6 inches of the card. Shoppers found it unsettling.

"I don't know what to say, I am speechless," said Kay Bragg, a shopper.

"I'm shocked," said shopper Susan Sherman. " I think that's how some people picked up my debit card number."

And we did it again, attaching the equipment to a laptop.

"From a distance away, I can still read your card right through the wallet," Bryan said. "I have all of your numbers."

Spokespeople representing the Near Field Communications System and MasterCard say that the 3-digit code on the back of the card is usually needed for purchases, and that code can't be read by the device.

But other fraud experts tell the I-Team that there are other devices which can put card numbers and expiration dates on another "dummy" card which can be used at stores without that 3-digit code, and that some internet and phone transactions may not require it.

"So you don't have to worry about having the CVV or other pieces of information," Bryan said.

Then we used it on my CTA Ventra card, which can also be activated as a debit card. Our security expert accessed my account number and expiration date.

"And the last four is 7995," Bryan said.

A CTA spokesperson said that the numbers can't be used to ride the transit system, and also pointed out that the gadget can't get your 3 digit debit card code on the back. And they said that a Ventra card "has the same industry-standard security protections that millions of credit and debit bank cards across the country (have) to prevent fraud."

To fight back, you can buy special wallets and even cheap sleeves that block the radio frequency. You can also use foil.

You should also keep your eyes out for card readers planted by a store's register.

"It could be a device stuck under the counter, it could be an overlay on credit card reader," Bryan said.

"I am very impressed by it. It also frightens me a great deal," said Keith Ricker, a shopper.

Most cards - including MasterCard, Visa, and banks - have policies that say you're not liable for fraudulent transactions. But it can take several days or weeks sometimes to get money back which has been stolen from your checking or debit card. A Chase Bank spokesperson told the I-Team it's actually now discontinuing the use of that radio technology on future cards.

Some security specialists also recommend Apple Pay, which they say is a secure alternative to paying since your actual card numbers are not stored on your iPhone.