Beware of electronic pickpockets: Understanding the dangers of RFID card theft

For Vijay (name changed), the weekday at his home in Pune started rudely and unusually early: At around 4 a.m., he was awakened by an SMS from HDFC Bank informing him of a suspected fraudulent transaction on his credit card that had been declined due to an incorrect PIN.

Somewhat shaken but also relieved that a theft had been prevented, the 41-year-old supply chain consultant then checked his bank statement to make sure everything was in order. Instead, he found that an international transaction of USD 422 (Rs 35,000) had already been made earlier in the day. A stunned Vijay immediately informed the bank and had his card blocked while demanding a refund.

“The first transaction was done without an OTP. It was done in the US, presumably for a flight booking. I didn’t even get an SMS for the transaction, which is quite odd. The second transaction was similar but was declined due to an incorrect PIN. That’s when I was alerted by the bank’s fraud protection system,” Vijay tells Newschecker, adding that the whole matter frustrated him because he always makes it a point to avoid physically paying with his card whenever possible, just to be on the safe side when it comes to device cloning/skimming.

“I only use Samsung Pay, which transmits a virtual card number to the POS machine, not the actual one,” he says, racking his brain to recall a slip-up on his part. Vijay recalls that while he has physically used his card a few times in Azerbaijan, the country’s local laws require the use of a PIN each time. However, he does not rule out the possibility that his card was skipped at one of the machines there.

“I still have not received any response from the bank as to why no SMS was received. There is clearly a loophole in their system. Also, normally, any international online transaction without OTP gets an automated call to confirm the transaction. No call was made, which is also strange. HDFC is still investigating the case but has confirmed that the transaction will be cancelled in my next statement,” says Vijay, adding that HDFC had an almost identical incident before, but the bank immediately notified him, blocked the card and sent him a new one. “This transaction did not go through as it was caught by the anti-fraud system,” he says.

Another HDFC customer shared a similar experience on Twitter, stating that his debit card was defrauded of around Rs 12,000 through a gift card transaction from the US. Again, no OTP was involved.

“The day before the incident, I was at a busy place on College Street buying a cigarette when I noticed two guys standing casually nearby. I took out my wallet to give her cash but when I put it back in my back pocket, I saw one of the guys telling the other about my action while both were eyeing my wallet. One of them came close to me at the same time so I turned around and eyed them long enough so that after a few seconds they walked away. But I mistakenly thought they were pickpockets. But in fact they had a machine in their pockets that could clone card data if they were close enough and long enough. Luckily, it was a transaction without OTP so a refund was possible,” the customer tells, warning other users about the new super covert form of pickpocketing – Skimming using radio frequency identification (RFID). Customers of other banks also shared similar stories on X (formerly Twitter).

A new generation of digital pickpockets is increasingly turning to RFID skimming to steal credit and debit card data in seconds. The contactless nature of this technology makes RFID card theft smoother than the usual approach used by fraudsters to clone bank cards with magnetic stripes.

What is card cloning/skimming?

Credit/debit card cloning is the electronic theft of data from a card to enable unauthorized charges in the victim’s name. The thief places a device called a skimmer, which secretly reads and copies card information, in an ATM or point-of-sale (POS) terminals – systems used to process card payments in retail stores.

Most payment cards have a magnetic strip on the back. When the card is swiped through a device, the skimmer steals and stores all the data stored on the magnetic strip. This is later retrieved by the criminals and used to create duplicate cards. These cards are used to charge the person’s credit card or withdraw money from the bank account. This strip stores information such as your card’s expiration date, your full name and the card number.

Given the ease with which fraudsters can clone magnetic stripe cards using a simple skimming device, the latest payment cards are equipped with RFID chips that allow them to transmit transaction information to a card reader just by being near it, without physically inserting the card into a slot. However, this RFID technology, an essential part of modern contactless payments, is obviously still not foolproof.

What is RFID skimming?

RFID chips or tags have been used by businesses for years for warehouse and shipping management, as well as in access badges for security systems. Today, these chips are increasingly used on credit and debit cards as well, as they allow the card to be read without having to swipe it through a device. The icon usually looks like a horizontally aligned Wi-Fi signal or four curved lines and indicates that the card is equipped with an RFID chip, which allows you to hold or tap a card over a terminal to make a transaction.

Equipped with RFID card readers that use radio waves to transmit signals that activate the tag, criminals can wear them on their bodies while on the street, allowing them to secretly steal information and consequently money from RFID-enabled cards just by being near their owners. Worryingly, there are also mobile apps that can read information from RFID cards.

The places where RFID skimming is most likely to occur are:

• Retail stores
• Public transportation
• Restaurants
• ATMs
• Petrol pumps

How to protect yourself from RFID skimming

One way to avoid such fraudulent payments is to disable the international transactions feature on your card immediately after receiving the card, as fraudsters tend to choose the international route (some well-known e-commerce sites may not require a CVV for a purchase).

You can also protect yourself from RFID skimming by covering your bank cards with foil or investing in RFID-blocking/jamming material. Another way to protect your cards is to keep multiple RFID cards close together in your wallet to make them harder to read, or carry them in your front pocket to deter thieves.

For maximum security, use RFID cards only for online purchases at home. While it can’t actually stop thieves from stealing information from your card, regularly monitoring your statements will help you and the credit card company identify unauthorized purchases and limit your potential losses. Also, remember to keep your distance from other customers when using your card. The threat of a long-range RFID skimmer is greatly exaggerated, as even the best long-range RFID readers would struggle to successfully and illegitimately copy data when you take into account real-world conditions like distance, weather, and the presence of hundreds of other radio signals.

Like what you read? Let us know! Send an email to [email protected] if you want us to take a deep dive into a scam that you think deserves attention. If you want us to verify a claim for accuracy, provide feedback or file a complaint, send us a WhatsApp to 9999499044 or send us an email to [email protected]. Visit also the Contact us page and fill out the form.