- Watch what happens if you take a credit card

and stick it in a beaker of acetone.

- Nail polish remover basically?

- Nail polish remover. - Okay.

- [Henry] It does start to work very quickly.

- [Marques] That is crazy.

- [Henry] This is one that we started about 30 minutes ago.

We'll do a little-

- That's a credit card from 30 minutes ago?

- [Henry] Yeah.

- [Marques] Why does it look, okay, so I see this like,

this like frame on the inside now.

- [Henry] Yes.

- [Marques] Is that all antenna bands basically?

- Exactly. That's the antenna.

And the chip right there in the middle.

And what we're gonna do now is show it's still working.

- [Marques] Ah. Okay.

- [Henry] Oh, that's the important part, all right.

- [Marques] That's it.

- [Henry] Yeah, that's your credit card.

- Theoretically, if you just touch that here,

I think it would work.

Come on, little card.

You can do it.

You still have $20.

You gotta believe.

I guess that's why the antennas are so important.

- Yeah, right?

(phone beeps)

- [Henry] Right, with the antenna, it works now.

- That worked? Wow!

- How cool is that?

- This is just one of the technologies

hidden inside a credit card.

And you can trace its origins

back to a top secret CIA counter surveillance operation.

In this pair of videos,

we're going to uncover

all of the credit card's hidden features

and put them to the test to see how secure they really are,

including attempting to steal $10,000

from MKBHD's locked iPhone.

- That's a lot of zeros.

Careful with that.

Oh my God.

I don't like that at all. (chuckles)

- [Derek] In 1945, at the end of the Second World War,

a group of Soviet school children

visited the US ambassador to the Soviet Union.

They presented him with a hand-carved plaque,

of the great seal of the United States,

a gift to acknowledge the country's recent alliance.

The ambassador proudly displayed the plaque in his office.

But what he didn't know was that hidden inside

was a secret listening device, a bug.

This bug was the first of its kind.

It had no battery, no plug point,

no power source of any kind.

So when the US counter surveillance team swept the office,

they couldn't find it.

In fact, the bug remained undetected for years.

But then in 1951, something strange happened.

An operator at the nearby British embassy

was monitoring Soviet radio channels

when he heard people speaking,

not Russian, but English.

English that was coming

from inside the US ambassador's residence.

But despite multiple sweeps of the building,

the Americans couldn't find any hidden listening devices.

Then in 1952,

they detected a radio signal

coming from the ambassador's office.

- They said, "It's coming from over there

behind that plaque on the wall."

And they took the plaque down and put it down somewhere,

so they tore all the plaster out,

trying to find the microphones that were hidden in the wall.

Of course, there was nothing.

Absolutely nothing.

Joseph Bezjian, who was a total hero,

pointed at the plaque and said,

"Don't say anything.

Just come outside and let's talk."

And then they said, "Right, let's take it to bits."

- [Derek] They prized open the seal,

and to their horror, discovered the bug.

It looked simple,

an antenna attached to a small copper cavity.

But what made this device so hard to detect

was that it had no power source.

It laid totally dormant

until it was activated remotely by the Soviets.

To see how it works,

we're gonna simulate sending some radio waves at the bug

and monitor any signal we get back.

We'll start at 800 megahertz

and then gradually ramp up the frequency.

At first, nothing much happens,

but then around 900 megahertz, we get a strong signal back.

That's because as the radio waves hit the antenna,

their electric field tugs on the electrons inside,

causing them to oscillate

and create an alternating current inside the antenna,

which in turn re-radiates a signal out.

At most frequencies, that signal is very weak,

but around 900 megahertz,

each push from the radio waves lines up

almost perfectly with how the electrons oscillate.

So each cycle reinforces the last and you get resonance.

As a result, you get a strongly reradiated signal.

This resonant frequency is unique

to a given object or circuit,

and it changes based on its electrical properties

like capacitance.

So the Soviets realized they could use this

by adding a cavity.

- What we need to do is have a resonant cavity

that's very, very highly tuned, like a tuning fork for radio.

(metal chimes)

Now, obviously there's a capacitance

between this end and the sheet,

and as the diaphragm moves in and out,

the capacitance changes,

so that changes the tuning of this electronic tuning fork.

- [Derek] So as people in the room speak,

the sound vibrates the diaphragm,

and that changes the capacitance between the two plates,

which in turn alters the resonant frequency.

- So you get a 10-nanometer movement,

that's enough to move the resonant frequency.

- That changes the amplitude of the radio waves

that get reradiated.

So you end up with this,

a return signal that contains the original radio wave,

but it's enveloped within the sound wave.

It's a technique called amplitude modulation,

and it's the same technique used to create AM radio.

So whenever the Soviets wanted to listen to a conversation,

they blasted radio waves from outside,

likely from a van or a nearby building.

And then they received the radio wave

they got back from the bug

and extracted the sound information

modulating that radio signal.

The Americans nicknamed the bug "The Thing,"

since at first, they didn't know how it worked.

It was created by Soviet inventor, Leon Theremin,

who'd been coerced into building the device

while imprisoned in a Gulag during the 1940s.

This is the same guy

who invented the contactless electrical instrument

named after him.

So what did the president and the CIA do

after discovering the bug

that had been spying on them for seven years?

They told no one.

They realized the thing was years ahead

of their own spying technology.

- This was new and nobody done this before.

There were no countermeasures.

- [Derek] So they secretly began working

on their own enhanced version of the device.

(bright upbeat music)

- [Henry] Meanwhile, in the rest of the United States,

the post-war economy was booming.

For the first time, ordinary families could afford things

that used to be luxuries, TVs, cars, even flights.

But paying for these expensive items was clunky.

You either had to carry a huge wad of cash,

or you wrote a check that might take days to clear.

- So banks saw an opportunity.

If you could make buying things even easier,

then spending could explode.

- [Henry] The first bank to capitalize was Bank of America.

In 1958, they launched their-

- [Announcer] BankAmericard.

It's money in a more versatile form.

- Allowing customers to buy

all kinds of expensive items on credit.

This was the first universal credit card.

By the end of the decade,

two million cards were in circulation,

and over 20,000 merchants had agreed to accept it.

A few decades later,

this card was being used worldwide under a different name,

Visa.

But these early cards had two main problems.

First, for each transaction,

the seller had to physically imprint the card details

onto two slips.

One for the customer,

and then one they'd later send to the bank.

That's why the numbers on older cards are slightly raised.

However, this whole process

was inconvenient for the customer,

who was still used to just handing over cash,

but it was even more inconvenient for the seller.

They had to mail all these slips to the bank

or take them over themselves.

The bank would then visually inspect them

in order to authorize a payment.

This meant that it could take days

before the seller actually received the funds

in their account.

So that first problem was speed.

And this actually led to the second problem, security.

A criminal could buy something

with a stolen or counterfeit card,

and by the time the banks realized

they'd been defrauded several days later,

well, the criminal was long gone.

And as criminals got smarter, fraud kept growing.

By the late '60s, credit card fraud

was costing the banks $100 million a year,

around a billion in today's money.

So the banks needed to make a better system,

one that was faster, but also more secure.

Back at CIA headquarters,

they were facing a similar problem.

To enter the building, staff presented an ID card to a guard

who would inspect it and decide whether to let them in.

This process was slow

and all the information was clearly visible on the cards.

So if you think about it,

it wouldn't be that hard for a card to be cloned by,

say, a Soviet spy.

Then in the early 1960s,

they wanted to create a more secure ID card

for CIA officials,

and to do that,

they brought in IBM engineer Forrest Parry.

Parry knew that audio cassettes stored their information

on magnetic tape,

and he wondered if he could use the same tape

to store data on the ID cards.

He managed that part easily enough,

but no matter what he tried,

he couldn't get the tape to stick to the cards.

It would just keep falling off.

Frustrated, he shared the issue with his wife

while she was doing the ironing, and legend has it,

she suggested just ironing the tape onto the card,

and the idea quite literally stuck.

So what's very interesting about magnetic stripes,

and this is an old card from our fellow writer, Casper,

and what we're gonna do is we're gonna show

that if you get a little bit of iron filings

on the back of this card,

we're just gonna run it through here.

So you kinda see it's like sticking to that magnetic stripe.

- Yeah. - Right?

And if we knock off a bit of this,

you see there's sort of ones and zeros.

- [Marques] Just because it's magnetic.

- [Henry] Yeah.

So you can read a magnetic stripe

with only magnetic filings.

- I don't know, I guess that makes perfect sense.

Right, okay.

- But you can also see how simple it is, right?

At the end of the day,

it's just ones and zeros, you know, in a code.

And that code can be read by this machine

So that is all the information there, Casper Mebius.

- Oh, yeah. - Yep.

- That's the name, the card number?

- Yeah, right there.

The first magnetic stripe credit cards

were rolled out in 1970.

These new cards slashed the time required

to process transactions.

Not only did that make spending way easier,

but it became easier for the bank

to quickly identify and block suspicious payments.

So these new cards seem to solve the problem,

speed and security,

and that's what today's sponsor Saily is all about.

And right now I'm traveling to New York,

and when I touch down,

I'm gonna use Saily to make sure

that I'm seamlessly connected when I land.

All you have to do is first download the Saily app,

then you're gonna search for your destination,

I'm gonna select the United States,

and then you pick a data plan that fits your trip.

And then right here at checkout,

you can apply the code Veritasium

to get 15% off on your order.

And the best part of this is the moment I touch down,

I can just use my mobile data as normal.

I can open Maps, call an Uber,

or call my mom to let her know that I got there safely.

All this without rushing to get on airport Wi-Fi

or any other unsecured public network,

or waiting in line for a local SIM,

or relying on hefty fees

that your carrier charges for roaming.

It's also so much better

than swapping tiny physical SIM cards.

Once the Saily eSIM is installed,

you don't have to install a new one

when you visit different countries.

You just go into the app and you can change it there.

And Saily offers plans across

over 200 different destinations.

So if you're traveling across multiple countries,

get a regional plan or a global plan.

And the Saily Ultra Plan takes convenience even further.

It gives you unlimited data

and special perks like access to airport lounges,

fast track services,

and advanced online security tools.

So download the Saily app via the QR code that's on screen,

and when you're at checkout, use code Veritasium,

and then you can share your own referral code

with your friends to get even more off your next trip.

I wanna thank Saily for sponsoring this video,

and now back to the show.

So, these new cards seem

to solve the problems of speed and security,

but this magnetic stripe had a critical weakness.

This is how you read credit cards,

but also you can write to them, right?

So this is just a blank card.

So if we get some, like, magnetic dust on there,

it's not really doing anything,

but if we write to this one,

let's try reading it and see if we got anything.

- Oh, it's reading as if it's the same Casper's card

with the 0009 and the super long stripe number.

- Exactly.

- So does that mean if you put magnetic filings on it now

it will show that it's written-

- [Henry] So now you see we're getting something.

- [Marques] Yeah, yep.

- But you can, like, line them up

and you can see that they're the same code.

Maybe it's a little hard to see in the light.

Cloning cards in this way

and then using that to steal money

was so easy and so effective

that some people made entire businesses out of it.

- Back then, right, we would have what we call a grabber,

which is a card reader.

I ended up having, like, 300 people

working for me in restaurants, bars.

- [Henry] This is Tony Sales,

co-founder of We Fight Fincrime,

but around 20 years ago, he had a different title,

Britain's greatest fraudster.

- I'd give them a grabber, yeah,

and I'd just say to them, "Just swipe the numbers.

Just when someone comes to pay, swipe their card,

then swipe that one on there."

You know, I'm gathering thousands

and thousands of numbers weekly.

But I'm also becoming a wholesaler of the numbers.

You know, at 16, I was paying, like, loads of people,

300 quid a week wages.

- The problem is that the data

on that magnetic stripe is static.

So if you have a skimmer,

you can clone the card in seconds

and then reuse it again and again,

draining the funds before the card owners realized.

- Yeah, well, I had half a million quid under my bed,

didn't I, at 16?

It's crazy how easy it was.

- [Henry] By the early 2000s,

card fraud was costing the UK

over 400 million pounds a year,

and the single biggest culprit was magnetic stripe skimming.

- The UK was just getting hit massively

with credit card fraud.

- So the biggest card networks got together

to solve the problem.

They created the EMV standard,

a 700-page document that defined

how to make secure card payments.

The result was this, the chip.

(lively music)

It's what you use every time you enter your card

to a payment terminal, and then you enter the pin.

In other words, chip and pin.

Now, the way the chip works

is fundamentally different from the magnetic stripe.

That's because the magnetic stripe

encodes information statically, so every time you use it,

it sends the same information first onto the card reader,

then onto the issuing bank.

But the chip is different.

That's because it's basically a mini computer.

So it can encrypt its information using a secret key

known only by itself and the issuing bank.

When you insert the chip,

the reader sends it a long message

containing all the transaction details

as well as a long random number generated by the reader.

The chip then uses its secret key to garble the message

into a unique code, which it sends back to the reader.

The reader then forwards this onto the bank,

along with the raw transaction details

and the random number.

The bank then applies its own key to the raw data as well,

and if the output matches the code from the card,

well, the bank knows the transaction's valid.

Then, and only then does the bank authorize the transaction.

This process makes the chip more secure for two reasons.

First, each transaction creates a new, unique code,

so you can't steal a code and reuse it.

Second, a chip is incredibly difficult to clone.

That's because its secret key

is never revealed in a transaction,

and it's stored in memory cells

buried deep within the chip silicon.

Now, to extract the secret key,

you'd have to pry open the card,

strip away layers of silicon,

and then overcome multiple countermeasures

designed to destroy the data if tampering is detected.

It is theoretically possible,

but it would take days of work,

hundreds of thousands of dollars of specialist equipment,

so it's not really practical,

unless, of course, you get your hands

on a billionaire's credit card.

With the move from the mag stripe to the chip,

the easiest way to commit fraud was just to steal a card.

That's why banks paired each chip with a four-digit pin,

known only to the card holder.

- But stealing PIN numbers is not very difficult,

and there are multiple ways in which a PIN number

could be stolen from you

before your card was then compromised.

Over the shoulder at the ATM,

with a hidden camera at the ATM,

all these types of different things.

- [Henry] It's not that hard,

but it's much harder than just forging a signature.

- When chip and pin comes in,

our business is dead in the water.

But then it weren't

because America didn't adopt it till much later,

so now we can sell them in the States.

- Chip and pin was introduced in the UK in 2003,

and over the next seven years,

counterfeit fraud in the UK fell by 63%,

leading to a 27% decline in fraud overall.

But over the same period, US card fraud increased by 70%.

It took until 2013 for a huge wake-up call.

Criminals stole 40 million card numbers

from the superstore chain Target.

They used the details to create cloned cards,

which they then swiped around the country.

Finally, the US began to recognize

the need to shift to chip and pin.

And as EMV chip cards were rolled out more widely

over the next few years,

counterfeit fraud dropped by 76%.

But the improved security came at a price.

The time it took to do a transaction more than doubled,

adding on average around 10 seconds onto each transaction.

That may not sound like much,

but if you consider all the transactions

taking place across the country,

it soon adds up.

In the US, it's been estimated that chip and pin

added about 116 million hours every year

waiting at cash registers.

That's why businesses care so much

about the tiniest bit of friction to spending.

For example, it's been found

that one-click checkouts online

can increase spending by almost 30%.

So now the banks switched their attention

from security back to speed.

And they began to wonder.

What if you could take a second off of every transaction?

What about two?

What if you could make each transaction

basically instant without having to make contact at all?

Well, that would require sending a signal across a distance

and then getting back a reply at the speed of light.

- Kind of like the Soviets did with 'The Thing',

which brings us back to the CIA in the 1950s.

While reverse engineering the Soviet device,

the Americans realized its design had one major flaw.

- The main issue with it

is that it is so hypersensitive to disturbance,

they would have to retune

and recalibrate every time the room temperature

changed drastically or somebody slammed a door.

- The device is tuned to work

over a small range of frequencies.

If the transmission signal

is too close to the resonant frequency,

the change in amplitude

due to the movement of the diaphragm is too small to detect.

The same is true if it's too far away

from the resonant frequency.

Therefore, you only get enough sensitivity

in this tiny region,

either side of the resonant frequency.

So the Americans set about creating something more robust,

something that wasn't so reliant

on this ultra-precise frequency.

And to do that, they stopped thinking about radio waves

as something they could modify with sound,

and instead, they started thinking of radio waves

as a source of power.

So inside the device, they added a rectifier,

which converted the alternating current

from the antenna into a direct current.

- And they used that to power a hearing aid amplifier

with a tiny little microphone.

- [Derek] This amplified microphone output

was sent back to the antenna,

which created a modulated return signal

that was sent out and could be picked up.

- That microphone and the antenna

and everything else was hidden inside pieces of furniture.

They tried it inside the hollow legs,

they actually drilled holes lengthwise

through the legs of the furniture.

They compromised a furniture factory to be able to do this,

a stunning piece of work that one was.

- [Derek] This became known as Project Easy Chair,

and the CIA used it to get back at the Soviets

by planting their own listening device

in the Soviet embassy in the Hague.

(horn honking)

It wasn't until the 1970s when a former rocket engineer,

Mario Cardullo, gave this technology a modern twist

to solve a problem involving toll booths.

Throughout the States,

cars had been queuing to pay for years.

To speed up the process and reduce queue times,

Cardullo invented a small tag that could be used

to identify a vehicle remotely.

The tag had two key components,

a coil of wire to act as the antenna, and a chip.

Like the bugs, the antenna receives a radio wave

as it passes through the toll booth.

That creates alternating current,

which passes through a diode to power the chip.

The chip then flips a series of transistors on and off,

which subtly alters the current in the antenna.

This modulates the radio wave,

encoding the ID number of the card,

which the antenna sends back to a reader in the toll booth.

So the process is almost identical

to the Cold War spying devices,

but whereas they relied on sound to modulate the wave,

here it's a tiny circuit inside the chip.

This technology is called radio frequency identification,

or RFID for short.

And today, it's used in toll booths, clothing stores,

and warehouses all over the world.

(device beeps)

- And also, your credit card.

This is a credit card

that we're gonna go try to buy lunch with.

You guys take tap? - Yeah.

- This is a credit card.

- Yeah, yeah.

- And we're gonna see if it works.

- Okay, yeah. - Where do I put it?

- Don't lose it. - That's pretty cool, eh?

I ran it through the wash.

But there is one more important difference

in the way credit cards work.

See, some of these other RFID devices

function over ranges of 10 meters or more.

But for a credit card,

that's just not how you want it to work.

You don't wanna accidentally trigger a transaction

from meters away.

(device beeps) So the card providers had to find a way

to shorten the range.

The solution was to stop relying on radio waves,

and instead to rely on magnetic fields.

Inside a card reader is a small coil.

When you pass an alternating current through this coil,

it creates a changing magnetic field.

Then if you move your credit card close enough

so that the changing magnetic field

cuts through the card's antenna,

well, it induces an alternating current in the antenna.

And you can see this in action

using a special chip with an LED.

This is one of those chips.

What's very interesting is, like,

that these chips don't have batteries in them.

If I come in with the reader,

if you watch really closely,

you'll see it'll start to light up.

Yeah, there you go.

See?

Yeah, so that's showing that all the power

is coming from the reader.

That current passes through a diode

to power the card's chip.

The chip then alters the current in its antenna.

This modulates the magnetic field around the antenna,

which the coil in the reader detects.

That modulated signal carries the unique code

for that transaction,

which the reader then sends onto the bank.

Cryptographically, this works just like chip and pin.

Except now, instead of using metal contacts,

the chip and reader

communicate through a shared magnetic field.

This technology is called near-field communication, or NFC,

and it's what powers all contactless credit cards today.

The first contactless payment cards

were launched in the mid-2000s,

around the same time as chip and pin,

but contactless took much longer to catch on,

particularly in the United States.

Customers were cautious,

and banks were waiting for enough retailers

to get the right card readers,

while retailers were waiting for enough customers

to get the contactless cards from the banks.

That all changed in 2020.

Suddenly, touching keypads

and handing over cards felt risky.

And tap to pay meant

you could avoid physical contact altogether.

So in the first three months of 2020,

global contactless transactions grew by over 40%.

And over that same year,

contactless payments in the US grew by 150%.

- And so, along comes contactless.

And the first thing that struck me was,

what if you could read a contactless card

through somebody's pocket?

- This is a Flipper Zero.

One thing it does is has an NFC reader in there.

- Okay. - So we're just gonna put

a little read, do a little tap,

and then you get the credit card information.

- [Marques] It pulled the card number, the expiration.

- [Henry] So this seems kinda crazy, right?

That you can just go up and tap

and get any information about any card that simply.

- [Marques] That was pretty quick, yeah.

- But the same thing can be done

with any old land NFC cable device.

Like, I have a credit card reader app right here.

And

so there you go.

- [Marques] It's the same card number right there.

- But in terms of credit card fraud,

that's actually a lot less useful than you might think.

The chip secret key is never revealed

in any sort of communication,

and without that, you can't clone the card.

Now, you might think to use the card details

in an online transaction, but for that, you need the CVV,

three-digit code that's not stored on the chip itself.

It's actually only written

on the back of the card physically.

So if you wanna read that number,

you're gonna have to find a way

to socially engineer that number out of someone.

- But the truth is that if I can clone a card

by getting close to it,

then I can almost certainly video that card as well.

I take a photograph of that card.

That three-digit number on the back is on the back.

So if I can get access to the card to clone it,

all I gotta do is add the extra step

to get access to the card to see it.

- But there's an even easier way

to commit contactless fraud.

This is called digital pickpocketing or ghost tapping,

and when I tried it, I found you had to be

within about two centimeters of the victim's pocket.

But in most countries,

contactless transactions have an upper limit,

so you can only lose so much in a single transaction.

In the UK, that's grown over time to 100 pounds.

- But what if you could do it thousands of times?

- [Henry] That's exactly what a 36-year-old woman

thought in Italy in 2025.

She was arrested after tapping money

from unknowing tourists in the busy streets of Rome.

And crowded places like this could be vulnerable

to even more sophisticated scams.

- So what if you were to put a contactless reader

into a public space, like, for example,

between the walkway where you go through into the subway

or the underground, right?

You have to go through a narrow space.

What if I could hide a reader in there?

Or if enough people have cards

in a pocket at the right position,

I could maybe read hundreds or thousands of cards a day.

- [Henry] And while most countries do limit

the amount you can pay in a single tap, the US doesn't.

So in a single tap, you could lose thousands of dollars.

One way to protect against digital pick pockets

is keeping your cards in a Faraday cage wallet,

or having multiple cards next to each other

also makes each individual card a lot harder to read.

But of course, that's not much use if you lose your card

or it gets stolen.

- What happens when you make a payment?

Do you get a notification on your phone?

Does the bank tell you?

'Cause the banks will offer that service,

and you should do it.

And I think if everybody watching this,

I watch, you know, I watch Veritasium,

by the way, I'm a fan, I like them a lot.

With the millions of people you have watching it,

if you can get half of those people

just to go onto their phone app and put notifications on.

If you do that,

you will have the biggest impact on vulnerability

when it comes to contactless payment than anybody.

- With notifications on,

you can contact your bank as soon

as you spot a suspicious payment.

But why not go one step further

and transfer all your cards

to the mobile wallet on your phone?

There, your real card numbers aren't stored,

so they can't be stolen.

And even if you lose your phone, your card is safe,

protected by fingerprint or facial recognition.

It seems like the mobile phone

is the perfect blend of speed and security.

But the thing is, tap to pay has evolved

far beyond its original design.

Over the last 20 years, new features have been added,

some for security, others for convenience,

and that convenience comes at a cost.

Coming soon to Veritasium.

I'm here with MKBHD,

and we're gonna try to steal $10,000 from his locked iPhone.

- Really hope it doesn't work.

I really hope it doesn't work.

- I'm gonna get you to put that phone down

on top of this device.

This is just a regular payment terminal.

Nothing weird about that.

- Careful.

Careful with that, careful, careful.

That's a lot of zeros.

Careful with that.

Oh my God, okay.

- Do you even think it's possible, firstly, $10,000?

- I don't know if Apple Pay will let you do that.

- Let's see, let's see if it works,

I feel like I'm a bit of a magician,

but I'm like, I haven't changed anything, right?

- [Marques] Okay, yeah.

- It's still locked. - It's locked.

- [Henry] Nothing else.

- Yeah. - Okay.

We're gonna start the script again.

(dramatic music) (phone beeps)

- [Marques] What just happened on my phone?

(Henry laughs)