17 Aug

They are out to get you. Well, maybe not you personally, just your credit card information. If they get you, that’s only because something you did made it possible for them to get all that information. What you did was most likely totally innocent and something that people do regularly, but this time those creative crooks found a way to hack your credit cards.

We’ll look at three ways bad guys can obtain your credit card information and use it to run up bills for you: restaurants, RFID readers, and juice jacking.

Restaurants and Drive-Thrus
My wife and I often eat at Chili’s, not necessarily for great food and service, but because it’s close to our house and we can’t think of anywhere else we want to go. One thing about Chili’s, though, is that you can pay your bill at the table with a table card processor. All you have to do is push a button and your bill comes up, then slide your card; the machine spits out a receipt (well, if you’re lucky; usually it is out of paper or the receipt printer is jammed).

We ate lunch at BJ’s Restaurant and Brewhouse a few weeks ago, and when we paid the bill, the waiter processed our card with a hand-held reader while he stood at the table. The only other time I experienced that was at Heathrow Airport in London where the waiter did the same thing. Usually, when you get the bill, the waiter takes it away into the inner sanctum of the restaurant to run in the credit card machine. There’s where the danger lies.

He or she has access to all the information on the card including the three-digit security code on the back. Those who are particularly tech adept can even clone your card with a card-making machine, all while you are waiting to sign for your meal.

A similar danger exists at drive-thrus at fast food restaurants. If you hand your card to the clerk at the first window (the one where you pay), and if he or she has the proper equipment and is intent on criminal behavior, the clerk can create a clone of your card. For example, a Pennsylvania woman working at a Dunkin’ Donuts drive-thru was arrested in 2015 for using information on customers’ cards to create duplicate cards.

In case you’re concerned, those mobile credit card processors are about as secure as security can make them, as they are 128-bit encrypted and tokenized. It would take a supercomputer over 1,000 years to break 128-bit encryption, longer than bad guys want to deal with. Tokenization replaces your card data with a substitute data element, so the card data is never stored intact anywhere, making it nearly impossible for hackers to reassemble it through decryption or reverse engineering. It enables a sender and receiver to communicate back and forth without displaying any sensitive data. No, I don’t understand exactly how that works, but it does and is one more layer of security.

There are a couple of ways to avoid being victimized in restaurants where your card disappears into the back room. The obvious one is to pay cash. Another, which is like closing the barn door after the horse is out, is to look for unauthorized charges on your card.

RFID
You can spot an RFID-enabled card by the four curved lines that represent a signal emission. These cards can be read by a card reader up to six inches away. In fact, the card doesn’t even have to come out of a wallet or purse; the card reader can read it as someone stands at the checkout in a store. Smartphone apps also enable contactless payments where they are set up in stores. Trouble is, a crook with an RFID reader that he or she can buy on Amazon for as little as $8 can also read the card’s financial information.

I watched a YouTube video of a man who sat in a shopping center with a remote card reader attached to a laptop and captured data as people walked by. No, he didn’t do anything illegal with it, but showed the people whose cards he had hacked. He later read his own card and created a credit card on a hotel key card and used it to buy coffee at Starbucks.

The simplest way to avoid that problem is simply wrapping aluminum foil around the card in your wallet or purse. That stops the signal from the RFID chip.

Juice Jacking
Your smartphone is about out of charge and, of course, you left your charger at home. It will go dead in just a few minutes, but all is not lost. There in front of you is a public charger. Not so fast. That charger could steal all the information on your phone.

Here’s how it works. Smartphones all have a common feature to charge, the USB connection. Look at the charger on your phone and you will see that although there may be an AC plug, there’s also a USB plug plugged into that. That USB connection is what enables you to transfer or synchronize information from your phone to a PC or somewhere else that permits it over the same cord that charges it.

Even though it isn’t a common trick for bad guys—yet—it’s a real danger when it is in place in a public charger. The hacker installs a device that captures the data off a smartphone as it is plugged into the public charger. Many people keep their entire lives on their phones, including credit card numbers and contactless pay apps that operate like RFID, where you can pay for an item or items simply by waving your phone in the vicinity of the payment processor.

The nefarious device can suck the data out of a phone in as little as a minute when it is plugged into a public charger, assuming the malicious device is attached.

The first public explanation of this hack came at the 2011 DEF CON security conference in Las Vegas, where three hackers using inexpensive equipment created a juice jacker to demonstrate how vulnerable people would be when they plug their phones into public chargers.

How worried should you be? Probably not very. The chances of a public charger hacking your phone are slim, because this particular crooked behavior hasn’t caught on—yet. Still, there’s no reason to take a chance.

If you do have to plug into a public charging station, turn your phone off or sign off so it requires your password to access your data. Carrying an extra battery doesn’t hurt either. Safest of all is never having to charge your phone in public at all, of course. That means keeping it topped off. Also, if you can, carry a charger with you that you can plug into an electric socket.

The bad guys are always out to get you and looking for new and more creative ways to steal important information and data. Restaurants, RFID chips, and juice jacking are three ways they steal credit card information. Just so you are forewarned.

By Robert L. Cain
