RFID blocking - security questions

I just bought a new wallet and nearly all of them boasted RFID blocking for credit card security.

Previously I carried a card-shaped card protector next to my cards.

Howevvverrrr… I just realised that I have no idea if this is a real threat that we should be protecting ourselves from, or just fear-mongering from companies that want to sell protection that we don’t really need. Who better to ask than you people?!

I guess my follow-up question would be: if it is a concern, what does that mean for us chipsters? Do we need to be thinking about protection?

My understanding is this, could be wrong

Anything LF such as work access badges is vulnerable to being sniffed

HF stuff using only UID can be sniffed

HF stuff using basic keys like MIFARE Classic CAN be sniffed but it takes significantly more time since it has to try to brute force some stuff

Newer stuff using proper keys such as DESFire is pretty much unbroken at this time

Usually I see these companies play it off that people are sniffing credit cards, which has a kernel of truth to it

The original version of wireless tap to pay like 10-15 years ago, was done quite poorly and not explained to customers… it was essentially the magnetic tape info… all your credit card number and stuff… completely in the blind… so it would just fart out your credit card info at a reader…. Very insecure and could be sniffed

That system was taken offline very quickly

The new stuff, using the little EMV chip on the card, works using good cryptography, so that the chip and the reader talk to each other in a way that even if somebody listens to all of the traffic, no actual data is exposed

The NFC tap to pay uses this system just wirelessly
So it’s secure

It’s part of the reason we can’t copy credit cards to implants, but instead have to build implants out of existing cards at the moment since they can’t be broken

All that being said, I think the Flipper Zero used to be able to pull surface level details from a tap to pay card, such as card number and expiration date…

I’m not sure how or why that is, whether it technically makes you vulnerable, but it kinda seems bad

2 Likes

Nothing more than the app MX EMV Card Reader can read. The CVV is not part of the data.

That’s what it was…

So someone can sniff like 75% of what they need… but they have no other way of getting the rest

I feel like I used to be able to make purchases without the CVV in weird situations like pizza or whatnot, but maybe with the new EMV payment processing agreements being more firmly enforced… I can’t think of the last time I got away without a CVV

If I remember correctly from my time as a cashier during the big transition to EMV, the teeth they used to get businesses to implement EMV readers was that before, any fraudulent activity was automatically covered by the banks, and vendors were either NOT or had only minor liability

Moving into the EMV system, if I remember correctly, it was set up so that if you stayed with magstripe-only readers, which allow fraudulent activity far easier… the business would be automatically liable

Which is why when you find a magstripe-only business still it’s sketchy and sus, ignoring stuff like Square that just took forever to have an EMV reader format

Wow, thank you for such a complete answer. I think I’ll print it out and reread it a few times.

I’ve been using an RFID blocking wallet for years. In a way, I wish that I could use one of the diagnostic cards with it. On the other hand, I’m glad that I’m not slapping my debit and credit cards on random readers…

It’s probably pointless unless someone manages to press a payment terminal against your pocket without you noticing. With regards to implants, the range is significantly smaller, most people don’t know or wouldn’t get one, and the hands have tons of nerve endings so you’d definitely notice if someone tries to scan your hand.

1 Like

You’d be surprised how out of tune we are with our bodies in crowded places, it’s the reason why so many people get their watch stolen when it’s right on their wrist where they would feel it often

You’d have to know where the implant is and where the optimal scanning location is, which would only be realistic if you knew whoever you’re trying to steal from. Even then, if they have an x-series it could take a while. Still quite unrealistic.

Somewhat unrelated to the main topic: A wallet with an RFID lock and a blocking card (not that I’ve heard of such a thing at all) seems worthless. Just steal the wallet and cut it open, way easier.

Relating to this topic, do jamming cards really work? Is it a regular RFID chip that emits some data or is it a chip that generates random noise?

Regarding LF, my friend who has a NeXT tried scanning with a MaxiProx reader we found. Those readers can read up to a few feet. However, the NeXT could only read from a few inches. We actually don’t know if it read successfully or not as we do not have card access permission for that building. An attacker could probably hide a reader like that in a backpack, but they’d still need to position it close enough to someone’s hand by standing in some awkward position.

That’s interesting. I worked at a fast food restaurant (a smaller mostly regional chain) that for a while only accepted magnetic stripe cards; as of a few months ago they are now using EMV terminals with chip and contactless reader. Another location nearby is still using magnetic stripe only.

I have seen “jamming cards” that are literally nothing more than plastic… they do absolutely nothing but bilk people into paying $19.99 for $0.03 worth of plastic. I’ve seen RFID blocking wallets that hardly do anything.

I am sure there are possible ways to make a real jammer card, but so far I’ve not had a chance to test for real.

I don’t know how scientific this experiment is but if I place the RFID blocking card (image at start of post) on my ACR122 reader it goes completely blind.
This card appears to have a chip and an antenna and made big claims when it launched on Indiegogo. Not proof exactly but seems legit.

1 Like

I don’t see an actual chip in that card, but a couple passives and a transistor (?) package. Educated guess is that it randomly modulates the field to prevent data transfer.
But even placing two normal cards together will work due to collision.

Most of the blocking cards are just a piece of metal
You can make one with a piece of foil

It doesn’t “block” things like people picture with a Faraday cage, rather it just soaks up the field and starves the chip, preventing it from powering up

It’s glorified snake oil, the concept works… but it is dirt simple and only a teeny tiny threat

This is their site.

I can’t get the FAQ page to load so I can’t see much. I can see this “What is RFID Theft?” page but I’m not educated enough to know how real their claims are. As a layman all I am hearing is “your cards are at risk from hackers who can be up to 20 feet away”. Not knowing any better I bought six cards in their Indiegogo launch and gave them to family members.

Was I duped? It seems to work (with my somewhat simple test).

Watch the video I posted

Short version? Kinda yea
They all play heavily on the fear of people stealing your credit cards, which is ironically the hardest thing for them to do

The things they can swipe from you are far less important or compromising

If it functions, you weren’t duped. But 20 feet away is BS and contactless credit card theft is not a super big concern.

They probably work, but certainly not worth $20. You can accomplish the same thing by putting another 13.56 MHz card in your wallet such as an old hotel room key.

Yeah, the reading from 20 ft thing is not possible, at least with current hardware.

That’s what I mean by “yea kinda duped”
Technically they can mess with RF, but the price and the fear mongering is pretty much predatory

Not always, some systems can differentiate tags

That’s the thing, all of it’s built on little kernels of truth… but the “story” is bullshit

Many driver’s licenses and passports have a UHF tag in them, which I believe can be read at longer ranges with infrastructure

AFAIK stealing that data via RF is pointless, I think it’s a blind reference ID…. So there’s not much point protecting it, since there’s not much point in stealing it

At least with 13.56 MHz which that card is for, can’t be read from 20 ft, and especially card terminals

Like I said,

1 Like
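
Added example (not written by anyone in the thread): a simplified Python model of the ISO/IEC 14443-3 Type A bitwise anticollision loop, illustrating the point raised above that a second 13.56 MHz card in the wallet only helps against readers that give up on a collision, because a reader that implements anticollision can still single out each card. The UIDs are constructed, and 32-bit UIDs with no cascade levels, BCC bytes or on-air bit ordering are simplifying assumptions.

```python
# Simplified model of ISO/IEC 14443-3 Type A bitwise anticollision.
# Assumptions: 32-bit UIDs, no cascade levels, no BCC, no framing/bit order.

SAMPLE_UIDS = ["04A1B2C3", "04A1B2D0", "9F000001"]  # constructed test values


def uid_bits(uid_hex):
    """Return a UID as a 32-character bit string."""
    return format(int(uid_hex, 16), "032b")


def card_replies(cards, prefix):
    """Every powered card whose UID starts with prefix answers with the rest."""
    return [c[len(prefix):] for c in cards if c.startswith(prefix)]


def first_collision(replies):
    """Index of the first bit where simultaneous replies differ, else None."""
    for i in range(len(replies[0])):
        if len({r[i] for r in replies}) > 1:
            return i
    return None


def resolve_one(cards):
    """Narrow the prefix until one card answers; return (uid_bits, rounds)."""
    prefix, rounds = "", 0
    while True:
        rounds += 1
        replies = card_replies(cards, prefix)
        pos = first_collision(replies)
        if pos is None:
            return prefix + replies[0], rounds
        # Keep the bits heard cleanly, then pick '1' at the collided position.
        prefix += replies[0][:pos] + "1"


def inventory(uids_hex):
    """Select and halt cards one at a time until none are left answering."""
    cards = [uid_bits(u) for u in uids_hex]
    found = []
    while cards:
        bits, rounds = resolve_one(cards)
        found.append((format(int(bits, 2), "08X"), rounds))
        cards.remove(bits)  # models HLTA: the selected card goes quiet
    return found
```
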