
Is your Ventra card a risk to you?


After experiencing problems both activating his Ventra card and loading value onto it from his Discover card and then being double-charged for some fares, CTA rider Barry Finkel began to wonder how susceptible his new transit account is to hacking.

"I assume that since I have not set up the Ventra card to be a debit card, anyone who would clone my card and try to use it as a debit card would not be able to do so," Finkel, who works in the information technology field, emailed to your Getting Around reporter. "But I am not sure."

He was well aware that his Ventra smart card contains a radio frequency identification chip, or RFID tag, which is used to transmit information - including the card's 16-digit account number and its expiration date - to a Ventra reader on a CTA or Pace bus or a fare turnstile at a CTA rail station.

But "I do not know from what distance that anyone with a portable RFID card reader can scan the card as it is in my pocket and read the information," said Finkel, who lives in Chicago's Beverly neighborhood and rides CTA buses and trains.

The answer is that passersby at virtually any location could be victimized by this form of "electronic pickpocketing," according to cybersecurity experts. But it's not a threat yet, law enforcement officials said.

Ventra cards as well as many other forms of smart cards outfitted with radio chips - ranging from credit and debit cards to hotel card keys to library cards to ID tags implanted in pets - can be read, and the information on them stolen, using card-scanning devices similar to the ones in stores, authorities said. The scanners can be purchased online without providing a retailer's license or any other documentation that the machines will be used lawfully, officials said.

One security expert who was interviewed by the Tribune said he bought six of the scanners for a total of $19 on eBay from a merchant who was going out of business.

Yet there is a wide variance of opinion among the experts regarding the risk to U.S. consumers, who carry around an estimated 75 million bank-issued payment cards containing the RFID-enabled chips, according to the Smart Card Alliance, a trade association that promotes smart card technology.

Stealing the information from a Ventra transit card would require the thief to create a counterfeit Ventra card and load the transit value from the compromised card onto it. Experts agree it is not likely to manifest into a large-scale fraud operation.

"Card-scanning is a potential threat we are aware of and it goes hand in hand with the serious problem of criminals attaching skimming devices to bank ATM machines and gasoline pumps to pull information from the embedded chips in credit cards,'' said Joan Hyde, an FBI spokeswoman in Chicago.

The U.S. Secret Service, which investigates credit card fraud rings, "has not seen any types of the RFID scanners to date in the Chicagoland area," Secret Service spokesman Derrick Golden said.

Some experts said a potentially more lucrative Ventra target is cards with the prepaid debit MasterCard account activated, because those cards carry balances that can be used to make purchases other than CTA and Pace fares.

Walt Augustinowicz, a radio chip expert who operates a company in Florida that provides security services, said Ventra customers who have the optional debit MasterCard feature "are vulnerable to have all their money on the account stolen."

During an interview with the Tribune via Skype, Augustinowicz demonstrated how, using a card-reading scanner that he purchased online for about $150, he could access the 16-digit card number and expiration date of a Ventra card tucked inside a wallet. He repeated the process with a credit card.

"Anybody can buy these readers, hide it in a tablet case and walk around in a crowd and wave it near guys' back pockets or women's wallets," said Augustinowicz, whose company is Identity Stronghold.

He said the scanner cannot obtain the three-digit security code on the back of the card, but some online merchants don't ask for it anyway.

"We have taken the information off of a card and used it to go on Amazon.com to buy stuff and have it shipped," he said, explaining that in the tests he tapped into an acquaintance's card with the individual's permission.

"A lot of criminals buy items online this way, have the merchandise shipped to a foreclosed home or other address, then pick it up and fence it" on the underground market, he said.

First Data Corp., which manages the Ventra prepaid debit MasterCard program for the CTA, declined to say how many CTA and Pace customers have opted to open debit accounts.

"We are not disclosing that number," First Data spokeswoman Kwiyoung Baumgarten said.

The Tribune also asked the CTA.

"Still trying to get those" from First Data, CTA spokeswoman Tammy Chase said last week.

She said Ventra cards contain security features that are found widely in any bank card that has the RFID chip.

Despite the safeguards, the CTA "reminds customers to take their own steps to ensure their cards are stored in a safe place and to monitor their accounts," Chase said.

Banks and retailers in the U.S. are being hit hard by crimes that involve skimming devices placed on ATMs and other point-of-sale terminals, because skimming "works like a tape recorder that collects all data," said Julie Conroy, research director at the Aite Group, a financial services consulting firm that specializes in fraud and data security issues.

And even though scanners can lift the names of cardholders in addition to account numbers and expiration dates from some versions of RFID cards, Conroy said, "electronic pickpocketing is not something retailers are concerned about."

In addition to other security features, RFID cards contain a dynamic unique transaction code that cannot be stolen by using a scanner, Conroy said. Without the original card in hand to swipe against a terminal at a store checkout, the RFID chip will not transmit the unique transaction code, she said.

"Scanning crimes are not a scalable type of attack so organized crime rings don't go for it," Conroy said. "If you have the technology to do electronic pickpocketing, quite likely you have the ability to do hacking and skimming fraud on merchants."

A number of companies sell protective sleeves or special wallets that contain a metal lining to prevent card-reading scanners from accessing account information. Augustinowicz demonstrated, using a Ventra card placed inside a security sleeve.

"Scanning crimes are going to be a big issue because it is the safest crime out there for thieves," he said. "We have been saying for a long time that this is a really bad technology to use on a credit or debit-type card."

He said the CTA's Ventra contractor, Cubic Transportation Systems Inc., should consider issuing protective sleeves along with Ventra cards.

Conroy disagreed. She said the security protections built into RFID smart cards are sufficient and she is unaware of any fraud losses linked to this form of electronic scanning.

"Protective sleeves are playing to a highly sensitive consumer," Conroy said. "If my mom asked me whether she should buy one, I would tell her no."

Contact Getting Around at jhilkevitch@tribune.com or c/o the Chicago Tribune, 435 N. Michigan Ave., Chicago, IL 60611; on Twitter @jhilkevitch; and at facebook.com/jhilkevitch. Read recent columns at chicagotribune.com/gettingaround.

