June 16, 2014 at 1:00 am

Chip technology concerns spread

Risk of thieves skimming data in passports and credit cards minor, security officials say

U.S. passports have them. And these days, many more U.S. credit cards are starting to carry them, too.

The tiny plastic chips embedded in passports and credit cards are primarily designed to thwart fraud and counterfeiting. But they also make many credit card users and travelers uneasy about the potential for someone with prying eyes trying to steal their personal data.

Susan Levitsky, a seasoned traveler who spent a month last fall in France and Morocco, said she’s concerned. “I’ve heard that the chip allows a thief with a scanner to walk by you and scan your cards while they’re still in your purse, unless you have them in a protective case.”

While her credit cards and passport aren’t new enough to contain a microchip, Levitsky said she’s feeling “the pinch” of needing to be prepared.

How big a worry?

The chip technology is different between passports and most credit cards.

With credit cards, the tiny chip contains encrypted data that are activated only when the card is inserted into a designated “smartcard” reader, such as at a store or restaurant. So fears of having someone “skim” your microchipped credit card are largely unwarranted, security officials say.

Passports, however, use a different technology known as RFID (Radio Frequency Identification), the same type used to tag clothing, pets, even artificial replacements for hips and knees. When embedded in a U.S. passport, the chip can be scanned only by someone at close range with an RFID reader, usually within a couple feet.

While there’s valid concern about having your microchipped passport “skimmed” by a tech thief, actually having it happen is unlikely, some security officials say.

“Yes, someone nearby could read what’s in your wallet. That’s why I keep my passport in an RFID-shielded wallet,” said G. Mark Hardy, president of National Security Corp., based in Rosedale, Md., which provides cybersecurity expertise to government and corporate clients.

But, he said, “it’s less likely to happen, at this point in time, because it’s so much easier to do fraud some other way.”

Since August 2007, all U.S. passports have come embedded with an RFID chip, intended to deter fraud and improve security. The chip contains the same information as on the passport’s picture page, including a digital version of your passport photograph. (You can still use a pre-2007 passport that doesn’t contain a chip. Once your passport expires, a new one will contain an RFID chip.)

According to the federal Bureau of Consular Affairs, the passport chip is designed with security features to thwart unauthorized access. Also, it can be “read” only when the passport book is open. When the cover is shut, the information on the chip supposedly can’t be scanned by an RFID device.

Separately, a newer U.S. travel document, a wallet-sized passport card, also has a chip. It contains only an identification number, not personal information from the card itself. However, “To address concerns that passport card bearers can be tracked by this technology,” the consular bureau’s website says, “we are requiring that the vendor provide a sleeve that will prevent the (passport) card from being read while inside it.”

Don’t like that passport chip? There are plenty of suggestions online by those who don’t like the idea of having an electronic chip that could be compromised. Some suggest microwaving your passport to deactivate the chip (although at least one user warned that the chip’s metal could cause microwave sparking.) Others suggest taking a hammer to the passport’s backside, smashing the chip.

If your chip is disabled, intentionally or not, your passport is still valid, even if it’s singed or a little beat up.

But it’s not a good idea, security officials say. “I don’t recommend microwaving a passport. Leave the chip there,” said Hardy, who recently started a new company, CardKill.com, that helps credit card companies identify stolen credit cards and deactivate them instantly.

When traveling, Hardy uses an RFID-shielded wallet that he bought at a hacker convention. “It means that anybody who tries to pull the signal won’t make it through. It’s like insulation.”

U.S. passport officials say it’s illegal to tamper with a passport’s chip, even if the intent is not fraudulent. It’s a criminal offense to “alter” a passport and could lead to penalties. According to the Bureau of Consular Affairs, “Any degradation of the passport book may lead to invalidation of that book.”

Some consumers figure it’s just easier to stick a credit card or passport in a fraud-proof case, just in case. Travel companies, for instance, offer “RFID-shielded” wallets or tiny cases like those used to carry business cards, often containing aluminum. Companies like REI sell thin, waterproof RFID-blocking sleeves – $6.50 for three – that are intended to protect credit and debit cards.

Several years ago, a Consumer Reports writer described making her own RFID-proof case using duct tape and aluminum foil.

For veteran traveler Levitsky, once her credit card and passport are chipped, she plans to keep them encased in a protective cover.

“Why would I want to be sitting on a (travel) bus and give it all away?” she said. “Bad guys are out there.”