- Credit card info swiped with off-the-shelf scanner
- Estimates place nearly 140 million customers at-risk
- In statements to WREG On Your Side Investigators, card companies downplay the threat
Click HERE to read Part 2 of this report
(Memphis, 12/03/2010) Call it high-tech hijacking.
Thieves now have the capabilities to steal your credit card information without laying a hand on your wallet.
It's new technology being used in credit and debit cards, and it's already leaving nearly 140 million people at-risk for electronic pickpocketing.
It all centers around radio frequency identification technology, or RFID.
You'll find it in everything from your passports to credit and debit cards.
It's supposed to make paying for things faster and easier.
You just wave the card, and you've paid.
But now some worry it's also making life easier for crooks trying to rip you off.
In a crowd, Walt Augustinowicz blends right in.
And that's the problem.
"If I'm walking through a crowd, I get near people's back pocket and their wallet, I just need to be this close to it and there's my credit card and expiration date on the screen," says Augustinowicz demonstrating how easily cards containing RFID can be hacked.
Armed with a credit card reader he bought for less than $100 on-line and a netbook computer, WREG On Your Side Investigators put Augustinowicz to the test.
For about an hour he patrolled Beale Street, looking for RFID chips to read, and credit card information to steal.
"There you go," said Augustinowicz scanning one willing participant's wallet. "It's a MasterCard," he explained looking at the man's credit card number and expiration date pop up on the screen.
Even people who thought there was no way we could pick their pocket electronically without laying a hand on them, soon learned they were wrong.
"You have a SunTrust card in there," Augustinowicz explained to a second "victim." "And that's your account number and expiration date," he said showing the man the screen.
"That's just too vulnerable for everyone to take advantage of," said another person, who at first doubted she would fall victim to electronic pickpocketing.
Even scarier, Augustinowicz says bad guys could work a crowd, stealing numbers and then e-mail them anywhere in the world.
"After a game here I could literally pull couple thousand cards," Augustinowicz explained to a group of women visiting from Chicago.
Using just an off-the-shelf card reader, Augustinowicz explained he could swipe credit card numbers, expiration dates, and in some cases, even people's names.
It's enough, Augustinowicz says, to do damage.
"We've done it," he insisted. "We've picked up the phone, called 800 numbers, ordered stuff under a fake name, shipped it to a foreclosed home and the product comes in the mail."
It's not just your credit and debit cards at-risk.
While they are harder to hack, all US passports issued since 2006 contain RFID technology that can be read, and swiped.
"It gives me a lot of personal information like your date of birth, your photo if I wanted to make some sort of ID," said Augustinowicz demonstrating with his reader.
Augustinowicz is the founder of Identity Stronghold (http://www.idstronghold.com).
His company markets secure sleeves, and ID holders designed to block RFID hacking.
Among his customers is the US government.
"As soon as I squeeze it, it can read it," explained Augustinowicz showing off a badge holder. "When I have it closed, it can't read it."
So is Augustinowicz just a boogeyman, trying to scare people into buying a product, or is the threat real?
We showed video of Augustinowicz in action to computer security expert, and University of Memphis professor Mark Gillenson.
"It's potentially a major problem," said Gillenson after watching clips of Augustinowicz swiping people's credit cards number.
Gillenson calls it technology run wild, and calls our findings compelling.
"I think people do need to be concerned and do need to be aware and we'll see if this becomes a major problem," said Gillenson.
And that's the big question.
Experts at the Identity Theft Resource Center tell WREG On Your Side Investigators they've never seen a case of RFID skimming used to steal information.
But Augustinowicz believes that's because the crime could easily go untraced; unsuspecting people, falling victim to just another face in the crowd with a hidden scanner in hand.
"You might as well paint your credit card number across your t-shirt and walk around with it because it's the same difference," warned Augustinowicz.
In our time on Beale Street, Augustinowicz scanned 26 wallets and purses.
Five of them, nearly 20% had cards with RFID chips.
All wallets and purses scanned for our story were scanned with the permission of the credit card holders.
Click HERE to read Part 2 of this report