New luggage blocks ID theft on the road

At some point between the time she disembarked from a recent cruise in Miami and returned to Carmel, Ind., someone decided to go shopping with Jody Tzucker’s credit card. “They bought cigars and other odd things in Miami,” says Tzucker, a retired manager for a nonprofit association.

She suspects that the criminals may have skimmed her Visa account information while she was filling up her gas tank in South Florida. Or maybe not. Nowadays, hackers don’t even have to see your credit card to access the information on it. They can scan it from a safe distance.

One of the latest threats against travelers is invisible and silent: wireless attacks that siphon your credit card number, personal information and passwords. Anything with a radio-frequency identification (RFID) chip, including your passport or a credit card, can be read from afar. Thieves can also mine valuable data from your smartphone when it automatically logs on to a WiFi network.

Elliott Advocacy is underwritten by Generali Global Assistance. Generali Global Assistance has been a leading provider of travel insurance and other assistance services for more than 25 years. We offer a full suite of innovative, vertically integrated travel insurance and emergency services. Generali Global Assistance is part of The Europ Assistance (EA) Group, who pioneered the travel assistance industry in 1963 and continues to be the leader in providing real-time assistance anywhere in the world, delivering on our motto – You Live, We Care.

Fortunately, there are a few simple ways to thwart these wireless assaults, including new luggage products and common-sense steps that protect your devices and credit cards.

As it turned out, Tzucker’s card didn’t have an RFID chip. And she was lucky. Before the cigar-loving thieves could finish their shopping excursion, her bank’s fraud detection algorithm tagged her purchases as suspicious, disabled her account and refunded the fraudulent transactions. And that may be one of the most effective solutions — having a bank that can stop fraud quickly and cover any losses. After the incident, Tzucker also switched to using a prepaid debit card when she traveled, which contains no personal information.

But others haven’t been so fortunate. Nearly half of all travelers use their smartphones to access the Internet when they’re on vacation, according to a recent survey by security firm Kaspersky Lab. One-third of phone users store their passwords to online accounts, including bank and social networks, on their devices. While any phone can be a target, the most vulnerable wireless devices run on the Android operating system, according to Kaspersky.

The luggage industry offers one possible solution: new backpacks and suitcases with protective linings to shield your IDs and wireless devices.

This month, luggage manufacturer Briggs & Riley, based in Hauppage, N.Y., will add RFID-blocking pockets to its new @work briefcase and bag collection. The models offer two pockets with electromagnetic shielding, one for IDs and passports, the other for a smartphone or a tablet computer. The black ballistic nylon cases, priced from $129 to $479, are designed to appeal to privacy-conscious business travelers.

Richard Krulik, Briggs & Riley’s chief executive, says that his company is constantly adapting to the concerns and demands of travelers, something he refers to as “reality engineering.”

“Increasingly, travelers are coming to rely on their luggage to keep more than their belongings safe,” he adds. “They need protection for their personal information and data.”

Escape the Wolf, a travel security company based in Virginia Beach, is also introducing a product this month, aimed at leisure travelers and called the Zero Trace Two-Day Backpack. It offers a large interior compartment to store any electronics you want to protect from prying eyes or scans. The $199 backpack, which will be part of Escape the Wolf’s line of security-enhancing luggage, is minimalist on the outside but sophisticated on the inside for a reason, says Clinton Emerson, the company’s chief executive.

“Fancy gets you mugged,” he says. “Fancy gets stolen.”

A closer look at this technology suggests that the best strategy for preventing data theft when you’re on the road is a combination of electromagnetic shields and common sense. A series of tests conducted in 2011 by Consumer Reports concludes that products with electronic shielding can partially block the signal from a chip in a credit card.

Only credit cards with RFID chips are vulnerable to scans. Most credit cards in the United States don’t use this technology at present, although it’s gaining some traction, particularly among corporate travelers.

Wireless devices left in the pouches would run down the battery searching for a signal, and security experts say that an equally effective way to prevent someone from accessing them is to power down the device and remove the battery. However, that’s not an option with the most popular wireless devices, such as Apple’s iPhone and iPad, which don’t have an easily removable battery.

Experts say that making sure the WiFi settings on your smartphone or tablet are set so that they don’t automatically connect to any wireless network, and not storing passwords or credit card numbers on your phone, is an equally effective way to make sure hackers don’t access your data and steal your identity, or your money.

But luggage with electromagnetic shielding can’t hurt, either. It makes your information a less desirable mark. Hackers and ID thieves prefer easy targets, which come from unprotected wireless devices and credit cards emitting a clear, easy-to-intercept signal.

In a world of invisible and often unknown security threats, the new bags may make travelers such as Linda Snow feel a little safer. Snow, an actress who lives in Denver, says that many of her friends have had their identities stolen, some of them while traveling. “I’m more careful with how I handle my ID and phone,” she says. Now she’s thinking of upgrading her luggage, too.

Are you afraid your ID might get stolen while you travel?

View Results

Loading ... Loading ...

38 thoughts on “New luggage blocks ID theft on the road

  1. Very interesting article. When I travel, I want to immerse myself in the place where I am going – not worry about whether someone is trying to steal my identity. This just lets me know that I have to keep on being vigilant while having a good time.

  2. Target currently sells money belts with RFID blocking pockets. You can’t put big electronics in them, but they do work for credit cards and smaller items.

    1. I wonder if the electo-magnetic shielding bags that electronics sometimes come in will work to shield RFID signals. They’re the metalized ones that computer circuit boards ship in. Anybody know?

  3. Several years ago, Chase Bank sent me a renewal credit card which had an RFID chip. I immediately called the bank and told them that I did not want an RFID card. The customer service person told me that they would gladly issue a new card without the chip. It only took three or four days for the chip-less card to arrive. There is now a permanent notation on my account record that says that an RFID card is never to be issued to me.

    1. That’s fine if you don’t travel abroad. I will be getting a chip and pin card intentionally before my next trip to Europe.

      1. The European Chip & PIN is NOT an RFID. They are completely different.

        The Euro card works only when the chip contacts are inserted into the reader machine.

        Currently ALL US issued Chip cards are Chip & Signature, which work in Europr, but not well at unmanned gas pumpsand similar machines.

        1. No, there are a few US issuers now providing true chip-and-pin cards, including some affinity cards. I will probably use Andrews Federal Credit Union, as I don’t want to pay an annual fee.

          1. Be very very certain about that. I was given the Chip & Signature card after being told multiple times by the issuer that it was going to be the Chip & PIN card. They told me that according to their records, I don’t travel enough and use the cards I already have from them outside the US to qualify for the chip & PIN and the Chip & signature was good enough. Guess it’s time to find a different bank that has a better opinion of my travel routines.

        2. We just got back from Ireland, had no problem with our chipless card. They sometimes had to swipe it twice, but they’re quite used to that.

  4. Sometimes the biggest “danger” is the fraud detection algorithm combined with the incompetency of the issuer. Years ago I was traveling in Poland. I had alerted the issuing bank of my ATM/debit card (I was young and only had one) of where I’d be traveling. Apparently, after the third use of the card abroad, the bank called my home number and, when I didn’t reply to their message, shut off the card. This was before ubiquitous mobile phones. I was frantically trying to call from various phone booths, getting put on interminable hold, while my cash was running low. Not a fun experience.

    1. Agreed. I won’t bore you with the details, but I had a similar situation last year and now have a new bank card. I refuse to reward incompetent banks with my business.

    2. I agree. One of my credit card issuers told me not to worry about it the last time I attempted to inform them I would be going to europe because “we have superior fraud detection systems that will know.” Really? Needless to say, the card worked just once on that trip. I now no longer have a card from that issuer.

    3. I had one bank that used to issue a fraud alert anytime you used your card out of state. Similar deal to yours, I called and let them know I’d be using their card in Florida, yet they still tripped a fraud alert. And just like your story, the most absurd part of the deal was they called my HOME phone and left a message, even though I told them I was traveling! Thankfully my card didn’t get blocked before I returned home, but needless to say, I was not happy. I’ve never used any of that bank’s branded cards while traveling since!

  5. You can get the same effect without expensive luggage–There are numerous commercial products that shield individual cards and passports. How do they work? Google “Faraday cage” to find out (and then imagine people wrapping their heads in aluminum foil to prevent mind-reading). The U.S. passport card even comes with a free sleeve to accomplish the same thing.

    Passport books are not supposed to be able to be read while closed–the nice thick covers probably have a metallic component to prevent skimming.

    If you’re really cheap, you can probably accomplish the same thing with aluminum foil.

    Alternatively, you can carry more than 1 RFID card (many public transit systems-such as Boston, DC, Atlanta, Bay Area, London, Montreal, Paris—- use RFID cards these days), and skimmers get the signals confused.

  6. The only place I store passwords is on my desktop computer. I certainly don’t keep them on my phone or iPad. I do email myself a list of important numbers, including some passwords, before I travel. Of course, if you forget a password, most sites will email you a replacement.

  7. I don’t worry so much about my credit cards as my limits are pretty low but I do worry about my debit card. Until I can get some better protection (alum card holder etc), I made a home made card holder of duct tape and alum. foil. Works great until I can get the real thing. Instructions are on the internet.

  8. There is some serious confusion over the types of chips in credit cards as well as other things in this article.

    First, the European Chip & PIN cards are NOT RFID. They are completely different technologies. The RFID cards are referred to as “Pay WavE” (or something similar depending on the issuer), not as Chip & PIN. While it is possible that an RFID card may have the Chip & PIN option (and vice versa), they are not the same. The Euro Chip & PIN works by inserting the card into a reader device where the visible chip on the front of the card must make physical contact. The RFID cards are simply waved in front of the reader device with no contact required. Only the RFID cards are able to be read without physical contact of the card to a device. I have a recently issued Chip & Signature card I tried to use as an RFID card and found it does not function that way (knew it wouldn’t but just wanted to satisfy the curiosity). My main bank previously issued all of my credit cards as RFID ones but the latest reissue of them has removed that function. It was also nearly impossible to get any US based bank to even issue a Chip & Signature card (even though I really wanted the Chip & PIN card which is much more useable in Europe) for my upcoming business trip to Europe.

    Second, there is no “personal information” on a credit card beyond the card number. True the number is linked to your account at whatever bank issued the card, but that information is not on the card itself.

    Finally, a debit card is a lot less safe than a credit card if you are worried about the actual money getting stolen from the account (not to mention many debit cards have outrageous usage fees not found on credit cards!). If your debit card is compromised, it can take several days to get the money returned to you. If your credit card is compromised, the thief might max out your credit limit on that card, but none of your actual money is gone — you just don’t pay the disputed amount and usually the credit card issuer will remove the charges from your account.

    I don’t have any issue with the suggestion to have RFID proof luggage or wallets, I actually own one, but only because I think it is cool to pull out the stainless steel wire mesh wallet and have people look at it and go “wow.” 😉

  9. I wonder if there are manufacturers making electromagnetic shield pouches that are portable and thus can be transferred from luggage to luggage, or in purses and perhaps small enough for coat pockets. That would be a far less investment for me than buying new luggage. Also, would anyone on this site know if a simple double layer of aluminum foil wrapped around cards and passport work as a shield?

    1. actually, yes–for low power radio signals, such as used in RFID, aluminum foil works as a Faraday cage.

      1. But it is not a 100% solution. Even wrapped in foil, the RFID can still be read at a very close range (1-2 inches).

  10. RFID can be read from a significant distance from the RFID chip itself. You’re better off with a smart card (probably the one mentioned as chip and PIN). There is another method, typically used in phones. NFC. This requires close contact with the reader (usually less than 1/2 inch). Just making sure nobody can get within an inch of the phone will provide quite a lot of protection. You should test to see just what the distance is with your device though.

    1. One thing the NFC offers on smartphones that RFID doesn’t is two step authorization of use. When you use a product like Google Wallet when making a purchase, you have to enable the NFC use (via a PIN) and then when making the purchase itself, it prompts you to verify the purchase. A lot more secure than a simple RFID.

  11. This is definitely interesting! With the advance of technology come the advance of criminals using it to steal from innocent travelers (and others).

    I might look into one of the backpacks mentioned in this article. Now that passports have these chips in them (thanks Feds for making it SO much easier for criminals) this is worth considering.

  12. Chris…what are you talking about? Chip and Pin is not the RFID – two separate things. Chip and pin actually works a lot more securely than swiping your stripe and not signing.

    The RFID thing is the paypass or paywave type device on many cards. Although most chip and pin cards also have this, it isn’t the same.

    So I’m going to keep my credit cards, passport, etc. in my luggage? I think not.

  13. Let me get this straight: Tzucker had a credit card number stolen somehow (and not through RFID, so I’m not even sure what that has to do with this article). The bank’s fraud detection worked and stopped any additional purchases. The bank refunded the card, so she lost no money. Her response to this was to get a prepaid debit card? Now, if it or the number gets stolen, possibly through the exact same mechanisms, she loses all of her money? How is this a good idea?

    1. This was exactly my thought. A prepaid card offers no security unless one never loses it. This is why I only use credit cards when traveling and some small amount of cash. I don’t have any chips in my cards but I do have a slash-proof bag I use that has an RFID protection pocket for passports or cards.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: