RFID card hack?

I have read and re-read all the reassurances that RFID-blocking devices are unnecessary, including one site that said there has "never" been a proven case of capture of the card number by someone nearby with a scanner. However, my contactless Visa card was hacked and used for 3 purchases (all declined by the card provider), under circumstances that make me wonder about this.

This is a new Visa card, linked to an airline miles program, that I got a few months ago specifically to earn miles in that program. I used it exclusively for large expenditures such as airline tickets and property tax, never for general online purchases or point of sale purchases. I did not carry it with me outside our home until a recent road trip. I brought it along then as I planned to purchase some airline tickets during the trip.

We left home on July 25 and our first stop was Boise to visit family. While there, we stopped by a Walgreens to pick up some needed items. My husband paid for the purchase with an unrelated card, while I stood nearby with my card in my small cross-body bag. From there we proceeded to our family vacation spot in the Utah mountains to spend a week. My purse, with the card inside, spent the week in a drawer in our condo.

On August 2 we drove over to Park City, checked in to a new hotel, and walked around the booths at the Park City Arts Festival. I carried my purse there, rather than leave it in the hotel room. But again I did not use it for any purchases.

The next morning, when I checked my email at 7 am, there was a fraud notice from the card provider. The suspect transaction was listed as a $20 purchase on August 3 (that same day) at RNAVYHW, which the bank identified as a restaurant in Michigan when I called. There were also two $7 to $8 purchases at Walgreens, one on July 26 (the day we were at the Boise Walgreens) and another on July 28. Both were declined by the card provider. The fraud agent I spoke with said these were declined because the "address did not match". (I wonder why they did not notify me until the third suspect purchase).

So, given my use history, I cannot see how the card information was stolen, other than by a skimmer/scanner in the Walgreens store where I carried the card. Why they attempted such small amounts is beyond me; perhaps they were just testing the validity before making a major purchase.

Does anyone have an alternative explanation?

In any case, I am going to look into an RFID-blocking card holder for the rare occasions I need to carry the card along with me.

Posted by
7181 posts

We often fear "the new". Unless you can give better detail of the transactions you did do, I'm not inclined to believe that a scammer got close enough to skim your new card. You wrote:

"I used it exclusively for large expenditures such as airline tickets and property tax, never for general online purchases or point of sale purchases"

Large expenditures don't have anything to do with frequency of fraud. Does your town's tax office shred all their trash? Is it possible that nice middle-aged lady has a Crystal Meth habit? (I don't mean to sound cruel. You can understand why I wrote that.) Were you on WiFi when you bought the airline tickets? What else did you buy? Could someone have looked at your mail before you took it out of the mailbox (I mean with the new card?)

Have you looked at all your statements since the day you got the card to see where you used it and "forgot" that you did?

Posted by
2744 posts

Since you have used the card to buy airplane tickets etc... it's out there. That's the only explanation you need. I had a $13 purchase on Amazon last for a card that I hadn't used in 6 months, when that went through they charged $10,000 in Gold on the card (which alerted the fraud department). The bank called me and I went upstairs, card was in the drawer upstairs where it had been for months. During my conference call discussion with the bank and police (they were trying to set up a sting to get the culprit by pretending to get the gold), I was told that it's actually more common that there is a long delay between the "fraudster" getting your number and the use of the card.

The truth is that these cards don't work unless they are within 4" of a reader. So unless you were standing by someone scanning you within 4" it's unlikely they read your card. It's not charging your card because you were standing near the register at Walgreens (Can you imagine the confusion if the reader at Walgreens was just randomly reading cards?)

It's still more likely your card is on the dark web and hopefully the bank is sending you a new card.

Additional information

https://www.creditcards.com/credit-card-news/rfid-blocking-wallet-worth-it/

One other thing, I know you say you used the card to pay property taxes etc. That's one that scares me. I work for a company that addresses cyber security concerns. Right now my company is dealing with at least 3 cities where ransomware has attacked them and accessed all kinds of personal information. I am sticking to checks with any governmental payments for the time being. Your local governments appear to be really weak when it comes to protecting your data. (Heck they managed to take the entire city of Atlanta down last year!)

Posted by
7453 posts

Actually, the fact that fraud protection worked, shows that the incident was not as a result of being "hacked" via RFID. Usually transactions are caught because someone only has the number, maybe the CCV, but no other form of authentication like is provided by a chip or the RFID transaction.

Posted by
16028 posts

It is the proximity of dates that troubles me. Particularly the fact that the first attempt was at a Walgreens on the very day that we were IN the Boise Walgreens. Since I do not shop at Walgreens at home, this is one of the very few times I have ever been in a Walgreens in my life. Certainly the only time in the last few years.

The first fraud attempt was July 26. My online airline ticket purchase was AFTER that date. The only transactions before that date were online to King County Property Tax, way back in April when the card was brand new; a payment in late June to a reputable adventure travel company we have used before (I called them and made that payment over the phone); and a mid-July payment to my dentist that I did in the office, not online or by mail.

Posted by
7129 posts

No comment on the RFID, but just a warning for everyone to carefully check your credit card usage especially while you’re on vacation.

We’ve never had a problem with credit cards, but the first night of a trip to NYC, Connecticut, Rhode Island I noticed my credit card normal alerts for transactions were suspicious, especially when the transaction after a fake small trial transaction was for a hotel in Rome!

We rented a car, using that card.

Posted by
4535 posts

It certainly is possible that the RFID card was hacked by a remote scanner. The technology does exist and it can happen. It is just very rare and far more common for credit cards to be hacked in some other, low tech way.

The reason why I personally would not recommend an RFID blocker, is that the occurrences are so rare, and you are not responsible for the fraudulent charges anyway. It really isn't worth the money to buy a blocker IMO. But if you have a wallet or secure travel purse with RFID blocking, go ahead and use it.

Posted by
7181 posts

Lola, did you USE the card in the Boise Walgreens, or did you use other payment means there that day? I think you have implied that you would not have used the defrauded card to check into the Park City hotel.

Posted by
13809 posts

Carol! Oh my. I did not know that about cities so I thank you for that information.

Posted by
3514 posts

There were also two $7 to $8 purchases at Walgreens ... these were declined because the "address did not match".

This had to be online purchase attempts to see if the card number and other info the crook had was good. No merchant asks for your address to complete a transaction when you are there in person with an actual card. Most stolen card info is not used the same day it is stolen as it is usually sold to someone else and not used by the actual thief.

All they need is the card number, expiry date and your address to use the card online. This could easily have been stolen from the Tax Office where you used your card (printouts of daily activity left carelessly around). Or when you purchased airline tickets the card number could have been intercepted. Or the person you talked to at your trusted travel agency wrote it down when you gave the info over the phone before typing it into their system and the slip of paper was dug up out of the trash.

Sorry, but nothing here points to RFID skimming specifically.

Believe what you want and if buying RFID envelopes for your cards makes you feel safer, then go ahead and do so.

This is why it is important to sign up for the alerting services most credit cards offer that will send you emails or texts when your card is used. It is especially important on a card that is seldom used, like the one here, and request to be alerted on any attempt to use the card. Other cards you can set for transactions exceeding a specific amount so you are not overwhelmed with alerts every time you buy a soda or similar small purchases you will then ignore, possibly missing a valid fraud attempt.

As to why you were not contacted until the 3rd attempt? The first two were small and could have been simple typos. The credit card company would have most likely been called by you immediately if the transactions were ones you were trying to do and were getting denied. The 3rd one went over their alert limit and rang some alarm bells so they emailed you.

Posted by
16028 posts

Thanks, everyone.

Tim, no I did not use my card in the Walgreens that day. My husband paid with a completely unrelated (non-RFID) card. My last use of the card, prior to the July 26 fraud attempt, was ten days earlier when I paid for an expensive dental procedure at the office by handing my card to the finance person. I really doubt she was “the one” who stole the card data.

I will of course never know how it actually happened. But I will do as Mark suggests and sign up for alerts on that card. My AmEx is signed up and I do like getting the alerts, especially when traveling.

The good news is that I did not lose any money, and I did earn enough miles through the card to top up our miles account to the level needed for our next summer’s trip to Europe.

Posted by
11294 posts

I have no idea what happened to you exactly, but here are two stories to show that it didn't necessarily have to be RFID-related.

I live in New York, and when I went to the Netherlands, I had alerted my credit card company of my travel dates. While I was away, my card was "used" twice in Virginia at supermarkets. Both times the charges were denied; I came home to a voice mail on my phone alerting me to the attempted fraud.

Of course, everyone said "so, your card was hacked in the Netherlands!" But, this was a back up credit card (it has higher fees for foreign use than my other one), so I NEVER used it in the Netherlands! Meaning, it was hacked some other way.

Interestingly, the fraud algorithms must be pretty sophisticated, since after the hack (but before I learned of it), I used my card on arrival home in New York with no problem. I see that they matched my travel dates to the use pattern, and figured out that using it in Virginia when I was supposed to be in the Netherlands was suspicious, but using it in New York on the day I told them I'd be back was not.

The other story involves a friend, whose identity was used to open credit cards at Target and PC Richards (an appliance store). When he asked how these cards were opened, he was told a drivers license was used to prove "his" identity. So, someone made a drivers license with their picture but his information. Now, his drivers license hasn't left his wallet in many years. So the information was stolen some other way. Did someone hack a database? Or, as Emma says, was someone who had access to the database paid off to steal the information? No way to know, but one thing is certain - the information wasn't stolen from his actual physical drivers license.

Posted by
5239 posts

including one site that said there has "never" been a proven case of capture of the card number by someone nearby with a scanner.

And there still hasn't been a proven case.

Posted by
7181 posts

Regarding Harold’s post: My grey hair has mostly eliminated the problem for me, but I have seen many bars around the USA actually electronically scanning the two-dimensional, data-laden bar codes (no doubt, part of Federal ID requirements ... ) on drivers licenses when they screen visitors for legal age. Maybe they also like to have a list of names if there’s a bar fight or other sort of incident involving famous professional athletes! But this is another case of how (as young people say ... ) “privacy is so ... over.”

I decline to enter if I see that they are scanning, rather than just viewing the licenses.

Posted by
3514 posts

Tim, the use of the scanner is just to see that the ID is real and not a fake. I doubt they are retaining any of the info or that they are connected to any database anywhere tracking you. But if you feel better not entering those places, that is your decision.