U.S. passports have them. And these days, many more U.S. credit cards are starting to carry them, too.
The tiny plastic chips embedded in passports and credit cards are primarily designed to thwart fraud and counterfeiting. But they also make many credit-card users and travelers uneasy about the potential for someone with prying eyes to steal their personal data.
Susan Levitsky, a seasoned traveler who spent a month last fall in France and Morocco, said she’s concerned. “I’ve heard that the chip allows a thief with a scanner to walk by you and scan your cards while they’re still in your purse, unless you have them in a protective case.”
While her credit cards and passport aren’t new enough to contain a microchip, Levitsky said she’s feeling “the pinch” of needing to be prepared.
How big a worry? The chip technology is different between passports and most credit cards.
With credit cards, the tiny chip contains encrypted data that are activated only when the card is inserted into a designated “smartcard” reader, such as at a store or restaurant. So fears of having someone “skim” your microchipped credit card are largely unwarranted, security officials say.
Passports, however, use a different technology, known as RFID (Radio Frequency Identification), the same type used to tag clothing, pets and even artificial replacements for hips and knees. When embedded in a U.S. passport, the chip can be scanned only by someone at close range with an RFID reader, usually within a couple of feet.
While there’s valid concern about having your microchipped passport “skimmed” by a tech thief, actually having it happen is unlikely, some security officials say.
“Yes, someone nearby could read what’s in your wallet. That’s why I keep my passport in an RFID-shielded wallet,” said G. Mark Hardy, president of National Security Corp., based in Rosedale, Md., which provides cybersecurity expertise to government and corporate clients.
But, he said, “it’s less likely to happen, at this point in time, because it’s so much easier to do fraud some other way.”
Since August 2007, all U.S. passports have come embedded with an RFID chip, intended to deter fraud and improve security. The chip contains the same information as on the passport’s picture page, including a digital version of your passport photograph. (You can still use a pre-2007 passport that doesn’t contain a chip. Once your passport expires, the new one will contain an RFID chip.)
According to the federal Bureau of Consular Affairs, the passport chip is designed with security features to thwart unauthorized access. Also, it can be “read” only when the passport book is open. When the cover is shut, the information on the chip supposedly can’t be scanned by an RFID device.
Separately, a newer U.S. travel document, a wallet-sized passport card, also has a chip. It contains only an identification number, not personal information from the card itself. However, the consular bureau’s website says, “To address concerns that passport card bearers can be tracked by this technology, we are requiring that the vendor provide a sleeve that will prevent the (passport) card from being read while inside it.”
Hammering away: Don’t like that passport chip? There are plenty of suggestions online by those who don’t like the idea of having an electronic chip that could be compromised. Some suggest microwaving your passport to deactivate the chip (although at least one user warned that the chip’s metal could cause microwave sparking.) Others suggest taking a hammer to the passport’s backside, smashing the chip.
If your chip is disabled, intentionally or not, your passport is still valid, even if it’s singed or a little beat up.
But it’s not a good idea, security officials say. “I don’t recommend microwaving a passport. Leave the chip there,” said Hardy, who recently started a new company, CardKill.com, that helps credit-card companies identify stolen credit cards and deactivate them instantly.
When traveling, Hardy uses an RFID-shielded wallet that he bought at a hacker convention. “It means that anybody who tries to pull the signal won’t make it through. It’s like insulation.”
U.S. passport officials say it’s illegal to tamper with a passport’s chip, even if the intent is not fraudulent. It’s a criminal offense to “alter” a passport, and it could lead to penalties. According to the Bureau of Consular Affairs, “Any degradation of the passport book may lead to invalidation of that book.”
Some consumers figure it’s just easier to stick a credit card or passport in a fraud-proof case, just in case. Travel companies, for instance, offer “RFID-shielded” wallets or tiny cases like those used to carry business cards, often containing aluminum. Companies like REI sell thin, waterproof RFID-blocking sleeves – $6.50 for three – that are intended to protect credit and debit cards.
Several years ago, a Consumer Reports writer described making her own RFID-proof case using duct tape and aluminum foil.
For veteran traveler Levitsky, once her credit card and passport are chipped, she plans to keep them encased in a protective cover.
“Why would I want to be sitting on a (travel) bus and give it all away?” she said. “Bad guys are out there.”
WHAT’S IN A CHIP?
Many credit cards and U.S. passports have embedded chips, but they operate differently. Here are some details:
Until recently, most U.S. credit cards were issued with a magnetic stripe on the back, which contained your individual account information. Now, major credit-card providers American Express, Visa, MasterCard and Discover are requiring financial institutions and retailers to switch to microchipped credit cards, which use encryption technology to protect the card’s data. The technology is known as EMV, for Europay, MasterCard and Visa, who created the global microchipped payment system.
Why? Widely used in more than 80 countries, credit cards with microchips are harder to counterfeit than are magnetic-stripe cards. Because the account information is encrypted, the cards are considered safer when used for point-of-sale payment transactions. The chip appears as a small square on the front of the credit card.
When: U.S. card issuers and retailers face an October 2015 deadline to have microchipped credit cards and readers in place. If not, stores and banks could be on the financial hook for fraudulent losses due to use of magnetic-stripe cards. Ahead of the deadline, a number of major banks, like CitiBank, already offer microchipped cards to customers.
As of summer 2007, all new U.S. passports carry a tiny RFID chip embedded in the front cover. Each chip contains the identical personal information found on the passport’s picture page, including a digital image of your photograph.
Why? The RFID chip is designed to help detect counterfeiting, deter terrorism and speed up customs, according to the federal Bureau of Consular Affairs.
How used: The passport’s RFID chip can be scanned by immigration officials using a close-range reader. Your RFID number and passport number will match up with data in Department of Homeland Security databases. Security features built into the card are intended to prevent random access to the RFID information. The passport’s cover also acts as a shield: When the booklet is closed, the chip typically can’t be read.
What they are: A simpler, less-expensive version of a regular passport, these wallet-sized cards are designed for crossing borders – by land or sea – into Mexico, Canada, Bermuda or the Caribbean. They cannot be used when flying into one of those countries or for any other international travel.
When: Introduced in 2008, more than 7 million passport cards have been issued to U.S. citizens. They typically cost $30, compared with $110 for a regular U.S. passport.
How used: Like a regular passport, passport cards contain an embedded RFID chip. However, unlike a traditional passport, the card’s RFID contains only an identification number linked to a “secure database,” maintained by the Department of Homeland Security. To prevent skimming, the cards are issued with a protective sleeve.
Source: Bureau of Consular Affairs, U.S. Department of State