Illicit scanning of CCs with RFIDs: real deal?

news video here.

Summary: new credit/debit cards with RFID technology that enables non-contact scanning for purchases apparently enables a new kind of fraud. Perp approaches victim in a crowd/line, places scanner near victim’s wallet/purse, and is able to read the victim’s credit card info without the card ever leaving the victim’s wallet/purse. This technique does not work with common mag-strip cards (the ones you swipe through a reader or feed into an ATM slot), only the newer cards that let you make purchases by waving the card in front of a scanner at the point of sale.

The video apparently demonstrates the validity of the technique, but goes on to say there have been no reported cases. OTOH, how would a CC fraud victim know that this is how their account info was stolen?

The guy demonstrating the technique owns an identity theft prevention company, so this all comes with a grain of salt. Having said that, what’s the real deal? Is this indeed possible? If so, are there technological hurdles that make it difficult, and therefore not likely to be common? Isn’t the card info going to be encrypted somehow?

Already a thread on this, or at least a very similar topic.

Thanks, though a big question remains unanswered: isn’t the card data encrypted somehow? I’d like to think that card issuers anticipated this kind of scanning and took steps to thwart it.

No, it’s in plain text for most of them.

Most of the cards do use encryption. Blink and Express Pay cards, for example, both supposedly use 128-bit encryption.

That said, last year, folks at the University of Massachusetts were able to construct a card reader very cheaply and did manage to read quite a few cards. They also found that many cards sent back data in plain text that was not encrypted at all.

Wouldn’t encryption require them to control all the RFID readers/receivers as well?