HACKING

Spotted In The Wild: The Electronic Pickpocket

The folk tale flares up again with the help of a viral photo

(Illustration: Tara Jacoby)
Feb 19, 2016 at 4:30 PM ET

It’s a cybersecurity urban myth that has existed for nearly a decade: the electronic pickpocket, who can steal from your credit cards just by waving a device over your wallet-carrying pocket. Now, just maybe, he has finally been photographed out in the wild.

Warnings about RFID identity theft first started circulating around 2008 when some financial institutions began using RFID (radio-frequency identification) chips that allowed users to pay by waving their credit or debit cards within inches of a scanner. Tech journalists from publications like Boing Boing and Popular Mechanics demonstrated how anyone with a point-of-sale (POS) device could scan and charge a card without even coming in direct contact with the chip. But few people outside of the security world were concerned about the threat until a couple of years later when Memphis news station WREG warned its viewers about “high-tech hijacking.”

“It’s supposed to make paying for things faster and easier—just scan the card and you paid,” Scott Noll, the WREG On Your Side Investigator said in the segment from December 2010. “But as you’re about to see, it could also make things a lot easier for crooks trying to rip you off!”

According to a gloating follow-up report from WREG, the video got 1.2 million views within three days. It would be the first of many such reports on RFID skimming. Every year or so a different news station films a segment on electronic pickpocketing. The one thing most of these videos have in common, besides alarmist reporting, is Walt Augustinowicz, founder of Identity Stronghold, an RFID-blocking wallet company. In nearly every report, Augustinowicz demonstrates how electronic pickpockets could steal money and information from a credit card. Not every segment plugs his company’s wallets, but they’re all helping him stay in business.

Noticeably lacking from these feats of investigative journalism is any actual evidence of ne’er-do-well hacker knaves roaming the streets, scanning the pockets and purses of innocent bystanders. In ten years, there has never been a confirmed report of electronic pickpocketing. There hasn’t even been photographic evidence showing an alleged electronic pickpocket in the act.

Until now!

Well, maybe. This week, an image of a man carrying a POS device in a crowded subway went viral on Facebook and Twitter.

According to the Russian news site TJournal, the photo was taken by Russian IT professional Oleg Gorobets, who posted it on his Facebook along with the comment (translated from Russian): “I just saw a man armed with this in the train station. Yeah, it went unnoticed. He was excited. Another reason to keep the PayPass card [credit cards with RFID chips] in a safe place, preferably shielded.”

Gorobets didn’t mention anything in his post about how much money the man might have stolen or even if the man was actively using the device. But that didn’t stop the Daily Mail from running a story with the headline, “The electronic pickpocket: ‘Scammer steals hundreds of pounds by touching victims’ pockets with sales device – and transferring cash from their contactless payment credit cards’.”

The quote included in the headline was never stated by Gorobets, or anyone, other than the Daily Mail. The Daily Mail article also states that a man named Paul Jarvis took the photo. A Paul Jarvis Facebook account is partially responsible for making the photo go viral. Several days after Gorobets took the photo, the Jarvis account included the photo in a post that was shared more than 90 thousand times. That post has since been deleted, but can be viewed through Google cache.

The viral photo and dubious reporting from the Daily Mail reinvigorate a pseudo threat that has been keeping RFID-protection companies in business for years. Sure, it is possible that a man in Russia was scanning cards with his POS device—after all, the device in the photo is illuminated, showing it might be in use. But it’s also possible he was on the way to his boring job with a new gadget.

Whether the photo actually depicts a scammer or not, RFID scanning is a real threat, according to many cybersecurity experts, like Jason James, vice president of risk management company Evantix. James, who also shared the POS device photo from his own social media account, told Vocativ that, while RFID chips can be scanned by handheld devices, newer chips have a much shorter range than early versions.

If you’re still worried, he suggests you protect your cards by keeping them in an RFID-blocking wallet. Or you could simply wrap them in tin foil.

You could also make yourself a hat while you’re at it.