In seconds, Walt Augustinowitz can steal your credit card info without ever touching you.
He says it’s a major security flaw in some credit cards that send a wireless signal, letting you pay without swiping your card.
Similar technology is used in many new cell phones, making them behave just like the cards Augustinowitz says are vulnerable. Augustinowitz’s company, Identity Stronghold, makes devices to shield cards.
“Your own phone could be scanning your credit cards and sending them off to unknown sources and you'd never know it’s happening,” he says. “It’s completely hidden.”
He was able to modify an Android phone to hijack credit-card numbers with a program easily disguised as, say, a downloadable game. Credit-card companies, on the other hand, insist the interaction is safe.
“Consumers should be absolutely comfortable with using contactless cards,” says Randy Vanderhoff, who runs the trade association representing the credit-card companies.
He doesn't buy Augustinowitz's claims.
“We are not seeing this type of fraud happening to the average citizen, even though more than 75 million of these cards have been in the market for over five years,” Vanderhoff says. “So where's the problem?”
The problem is referenced in this patent document for a device to shield credit cards, filed by VISA in 2005.
"Unfortunately, due to the wireless nature of the contactless portable electronic devices, it is entirely possible that a contactless reader may be used for surreptitious interrogation (e.g., data skimming) of the contactless portable electronic devices," the filing reads.
“The fact of the matter is the insecurity is there,” Augustinowitz says. “We've proven it, we've demonstrated it, we've shown how purchases can be made.”
This week, the credit card group hosts its annual trade show in D.C. Augustinowitz has had a booth in years past, but wasn't invited this year. The trade group wouldn't say why.
How to protect yourself
1. Customers can talk to their bank and request to not receive a “contact-less payment” card. If you have one already, you can ask the bank to replace it.
2. You can also purchase a credit card shield/sleeve like those made by Identity Stronghold.
3. Absent that, wrapping the card in tin foil will do the same as the shield.
4. Be careful what you download on your phone. Many of the Near-Field Communication phones that can act as credit cards are Android phones. The Android App Market is not as tightly controlled as the Apple App Store, so it is conceivable that a malicious program, like the one used as a demonstration by ABC7, could be slipped into a program.
5. Finally, check your credit card and bank statements for unauthorized charges. If you see any, report them immediately.