The ePickpocketer

The great EMV migration has been with us for a while, and everybody is excited about the new innovations in cashless payment (especially in the matatu industry), which brought a lot of excitement even though it is still finding its feet before it can be adopted industry-wide. This is because there is no other industry Kenyans detest like the matatu industry. Most Kenyans detest matatu drivers (because of careless driving) and conductors because of their crooked and dishonest behaviour. No wonder we use disparaging names like “Makanga” or “Concordi / Konkodi” (local Swahili slang for pickpocket) to refer to conductors, since their aim is to con us out of our meagre shillings by increasing the fares or refusing to hand over change.

As the saying goes, “The more things change, the more they remain the same” ~ Jean-Baptiste Alphonse Karr. Contactless cards, radio-frequency identification (RFID) chips and Near Field Communication (NFC) chips bring in a new IT risk profile, turning the ‘Concordi (Konkodi)’ into the ePickpocketer.

How it is propagated
A new kind of thievery, or at least the potential for fraud, is on the rise: as soon as you activate a contactless card, you are effectively walking around with a small radio transmitter in your pocket, constantly trying to hook up with a till to hand over your money. Criminals can steal your credit card data by walking past you with electronic scanners, maybe even with their mobile phones.

An ePickpocketer doesn’t have to steal the card. All they need is a standard card scanner (the type you’d use in a supermarket), which can be bought online. If the wallet of an oblivious passer-by comes within a few centimetres of the scanner, it is able to collect enough data from the card (the cardholder’s name and card number) to use it to make purchases.

Mitigation
The adoption of contactless brings in a new IT risk profile that banks will need to put measures in place to mitigate. There is little the banks can do beyond remembering that their primary duty is to protect customer data. This can be achieved by putting effective information security policies in place and procuring a Security Information and Event Management (SIEM) or anti-money-laundering system with watertight controls to monitor suspicious transactions.
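As an added illustration of the transaction monitoring called for above (example code written for this page, not from the original post or any bank's SIEM), here are two simple rules run over a constructed transaction feed: a velocity burst on one card, and two card-present taps too far apart for the same cardholder to have made both. The city coordinates, thresholds and tokenised card ids are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

@dataclass
class Txn:
    card: str          # tokenised card reference; raw PANs never enter the SIEM
    ts: datetime
    city: str

# Constructed (lat, lon) for the sample cities; an assumption, not data from the post.
CITY = {"Nairobi": (-1.29, 36.82), "Mombasa": (-4.04, 39.67), "London": (51.51, -0.13)}

def km_between(a, b):
    """Great-circle distance in km between two cities (haversine formula)."""
    la1, lo1, la2, lo2 = map(radians, (*CITY[a], *CITY[b]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def flag_suspicious(feed, burst_n=4, burst_window=timedelta(minutes=10), max_kmh=900.0):
    """Return {card: set(reasons)} for cards that trip either rule."""
    by_card = {}
    for t in sorted(feed, key=lambda t: t.ts):
        by_card.setdefault(t.card, []).append(t)
    alerts = {}
    for card, txns in by_card.items():
        reasons = set()
        # Rule 1: burst_n taps inside burst_window, i.e. the card being drained quickly
        for i in range(len(txns) - burst_n + 1):
            if txns[i + burst_n - 1].ts - txns[i].ts <= burst_window:
                reasons.add("velocity burst")
        # Rule 2: consecutive card-present taps too far apart to be the same person
        for prev, cur in zip(txns, txns[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if prev.city != cur.city and km_between(prev.city, cur.city) > max_kmh * hours:
                reasons.add("impossible travel")
        if reasons:
            alerts[card] = reasons
    return alerts

# Constructed sample feed (not real transactions).
FEED = [
    Txn("tok-A", datetime(2016, 5, 2, 8, 0), "Nairobi"),
    Txn("tok-A", datetime(2016, 5, 2, 9, 30), "London"),   # ~6800 km in 1.5 h
    Txn("tok-B", datetime(2016, 5, 2, 9, 0), "Nairobi"),
    Txn("tok-B", datetime(2016, 5, 2, 9, 2), "Nairobi"),
    Txn("tok-B", datetime(2016, 5, 2, 9, 5), "Nairobi"),
    Txn("tok-B", datetime(2016, 5, 2, 9, 6), "Nairobi"),
    Txn("tok-C", datetime(2016, 5, 2, 12, 0), "Nairobi"),
    Txn("tok-C", datetime(2016, 5, 2, 18, 0), "Mombasa"), # ~440 km in 6 h, plausible
]
```

Running `flag_suspicious(FEED)` flags tok-A for impossible travel and tok-B for a velocity burst, while tok-C's Nairobi-to-Mombasa day passes both rules.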

The second way is to educate customers about the inherent risks of contactless and propose mitigation strategies such as:

  1. Use your RFID cards at home for online purchases only. Use other credit cards or cash to purchase things outside your home.
  2. Place your RFID cards next to each other in your wallet. This can make it more difficult to read a particular card, but it offers limited protection.
  3. Monitor your credit card statements for unusual activity or errors.
  4. Use a credit card shield – the shield fits in your wallet and prevents the contactless chip on your credit/debit card from being activated and read. It’s thinner than a standard credit card, light, affordable and easy to use. When you want to use your credit or debit card, simply remove it from your wallet or purse and present it to the terminal as normal, putting you in control of when and where your card is active. Remember to put it back in your wallet or purse next to the shield afterwards.
  5. Place two cards with RFID chips in your wallet – the scanner can’t read them because they confuse the information and cancel each other out.
  6. If you’re still worried about getting ripped off by someone invading your space with a notepad-like scanner, here’s a tried-and-true precautionary move: put a piece of aluminum foil in your wallet.
