After experiencing problems both activating his Ventra card and loading value onto it from his Discover card and then being double-charged for some fares, CTA rider Barry Finkel began to wonder how susceptible his new transit account is to hacking.
"I assume that since I have not set up the Ventra card to be a debit card, anyone who would clone my card and try to use it as a debit card would not be able to do so," Finkel, who works in the information technology field, emailed to your Getting Around reporter. "But I am not sure."
He was well aware that his Ventra smart card contains a radio frequency identification chip, or RFID tag, which is used to transmit information — including the card's 16-digit account number and its expiration date — to a Ventra reader on a CTA or Pace bus or a fare turnstile at a CTA rail station.
But "I do not know from what distance that anyone with a portable RFID card reader can scan the card as it is in my pocket and read the information," said Finkel, who lives in Chicago's Beverly neighborhood and rides CTA buses and trains.
The answer is that passersby at virtually any location could be victimized by this form of "electronic pickpocketing," according to cybersecurity experts. But it's not a threat yet, law enforcement officials said.
Ventra cards as well as many other forms of smart cards outfitted with radio chips — ranging from credit and debit cards to hotel card keys to library cards to ID tags implanted in pets — can be read, and the information on them stolen, using card-scanning devices similar to the ones in stores, authorities said. The scanners can be purchased online without providing a retailer's license or any other documentation that the machines will be used lawfully, officials said.
One security expert who was interviewed by the Tribune said he bought six of the scanners for a total of $19 on eBay from a merchant who was going out of business.
Yet there is a wide variance of opinion among the experts regarding the risk to U.S. consumers, who carry around an estimated 75 million bank-issued payment cards containing the RFID-enabled chips, according to the Smart Card Alliance, a trade association that promotes smart card technology.
Stealing the information from a Ventra transit card would require the thief to create a counterfeit Ventra card and load the transit value from the compromised card onto it. Experts agree this is unlikely to develop into a large-scale fraud operation.
"Card-scanning is a potential threat we are aware of and it goes hand in hand with the serious problem of criminals attaching skimming devices to bank ATM machines and gasoline pumps to pull information from the embedded chips in credit cards," said Joan Hyde, an FBI spokeswoman in Chicago.
The U.S. Secret Service, which investigates credit card fraud rings, "has not seen any types of the RFID scanners to date in the Chicagoland area," Secret Service spokesman Derrick Golden said.
Some experts said a potentially more lucrative Ventra target is cards with the prepaid debit MasterCard account activated, because those cards carry balances that can be used to make purchases other than CTA and Pace fares.
Walt Augustinowicz, a radio chip expert who operates a company in Florida that provides security services, said Ventra customers who have the optional debit MasterCard feature "are vulnerable to have all their money on the account stolen."
During an interview with the Tribune via Skype, Augustinowicz demonstrated how, using a card-reading scanner that he purchased online for about $150, he could access the 16-digit card number and expiration date of a Ventra card tucked inside a wallet. He repeated the process with a credit card.
"Anybody can buy these readers, hide it in a tablet case and walk around in a crowd and wave it near guys' back pockets or women's wallets," said Augustinowicz, whose company is Identity Stronghold.
He said the scanner cannot obtain the three-digit security code on the back of the card, but some online merchants don't ask for it anyway.
"We have taken the information off of a card and used it to go on Amazon.com to buy stuff and have it shipped," he said, explaining that in the tests he tapped into an acquaintance's card with the individual's permission.
"A lot of criminals buy items online this way, have the merchandise shipped to a foreclosed home or other address, then pick it up and fence it" on the underground market, he said.
First Data Corp., which manages the Ventra prepaid debit MasterCard program for the CTA, declined to say how many CTA and Pace customers have opted to open debit accounts.
"We are not disclosing that number," First Data spokeswoman Kwiyoung Baumgarten said.