Uh, no. Those chips embedded in credit/debit cards do not broadcast a wireless signal. They have been in use in Europe for years. What the chip does is add a layer of protection and makes it harder for your card information to be stolen and cloned.
ETA: Three of my credit/debit cards have them. Now it's the waiting game for merchants to catch up and install machines that can read them.
Sure about that?
A lesson in card cloning
Check your wallet
You might not know it, but you could have a credit or debit card that uses a tiny computer chip and a radio antenna to transmit account information from your card—even when you’re not shopping.
MasterCard uses “PayPass” to identify the cards. Chase bank coined the term “Blink.” Some contactless cards, which use a radio frequency identification, or RFID, chip, might simply have a symbol on the card consisting of four curved lines. An industry newsletter, The Nilson Report, says 35 million contactless chip cards are in circulation in the U.S.
The cards are touted as convenient, but they are also vulnerable to being skimmed without ever leaving your pocket. The information communicated from your card to a card reader can be enough to create a counterfeit card that can be successfully used to make an unauthorized purchase, as we observed in a recent demonstration by Recursion Ventures, a security research and consulting company in New York City.
The basic equipment needed for that form of fraud is readily available to would-be crooks. An electronic card reader available online for less than $100 can be connected to a laptop to store skimmed information. When Chris Paget, whose title at Recursion is chief hacker, used such a reader to scan a Chase debit card he’d recently received, the card’s account number, expiration date, and security data immediately appeared on the computer screen. Two credit cards still inside the mailing envelope revealed the same type of account data.
Making a counterfeit
From a few inches away, the account data can be read even if the card is inside a wallet or purse. By transferring the skimmed card data onto a blank magnetic-stripe card, Paget produced a counterfeit card that he then used to make a purchase that was successfully processed.
Second example:
The other type of chip-based card doesn’t require physical contact between the card and the card reader; it uses RFID radio technology to send data short distances through the air. These cards are available today, and have names such as Visa PayWave, MasterCard PayPass, American Express ExpressPay and Discover Zip.
The problem with RFID cards is that, unless the card is inside a protective covering, they can be read from a few inches away by someone who has a portable RFID reader. Metal foil is said to be the best protective coating to prevent data theft. Some wallets are now sold with protective pockets for RFID credit cards, although the degree of protection provided is not uniform.
This one is from Forbes:
Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing. As she showed on a Washington D.C. stage Saturday, she can read all the data she needs to make a fraudulent transaction off that card with just a few hundred dollars worth of equipment, and do it invisibly through your wallet, purse, or pocket.
At the Shmoocon hacker conference, Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)
If anyone still doubted that the trick had worked, Paget accidentally flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?” she added somewhat sheepishly.
Contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay. According to a show of hands among Shmoocon’s audience, dozens of the several hundred conference attendees in the room had contactless cards, and about a quarter of those weren’t aware of it until Paget asked them pull out their cards and check for contactless symbols.
Paget, a well-known security researcher for the consultancy Recursion Ventures who was known as Christopher Paget until a gender change last May, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. (That’s the striped panel pictured above.) In one practical version of the scam, Paget says, a fraudster could simply bump up against his victim with that reader in a coat pocket and invisibly scan the RFID signal through material like a leather wallet or cloth pants. In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.
The scheme, Paget points out, doesn’t involve any hidden bug in the system, but rather the more fundamental problem that any commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. “Whatever encryption or other security there might be, it doesn’t matter,” she says. “The reader just spits out the number as if I’m the point-of-sales terminal, which is totally stupid. This is an embarrassingly simple hack, but it works.”
Over time, they are getting better, but they still aren't there 100% yet.
