To be absolutely clear, ISO 14443 requires anti-collision support for transponders. That means all systems can differentiate tags, but not all systems do or bother to. I know it’s a tedious exercise but it’s fundamentally important to understand that anti-collision is built into the protocol itself and it’s trivial to literally cycle through all tags in the field and read them all. Placing multiple ISO 14443 or ISO 15693 cards together will absolutely not protect against readers being able to access the cards.
In those scenarios where systems… that means the readers and the middleware and the application layer… systems do not bother to iterate through cards or check for multiple cards in the field, oftentimes it comes down to random chance which card is actually read. If you have ever experienced placing a wallet up to a reader in an elevator or access control system and having it deny you because there were multiple cards in your wallet, there’s a good chance that you could just keep repeatedly presenting your wallet until the proper card is picked up first and read.
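Added example, not part of the original post: a simplified Python model of the bit-wise anti-collision loop described above, showing that a reader which iterates finds every stacked card, while one that stops at the first card sees only one of them. The UIDs, the function names and the fixed-branch rule are assumptions made for illustration; cascade levels, BCC and real frame formats are left out.

```python
# Simplified model of ISO 14443-3 Type A bit-wise anticollision (added example).
# Not byte-exact: cascade levels, BCC and real frame formats are left out.
UID_BITS = 32

def field_response(cards, prefix):
    """Superimposed answer of all cards whose UID starts with prefix.
    'X' marks a bit where cards disagree (seen by the reader as a collision)."""
    answering = [c for c in cards if c.startswith(prefix)]
    if not answering:
        return None
    tail = ""
    for i in range(len(prefix), UID_BITS):
        bits = {c[i] for c in answering}
        tail += bits.pop() if len(bits) == 1 else "X"
    return tail

def select_one(cards, prefer="1"):
    """Narrow the prefix at each collision until one full UID remains."""
    prefix = ""
    while True:
        tail = field_response(cards, prefix)
        if tail is None:
            return None
        if "X" not in tail:
            return prefix + tail
        clash = tail.index("X")
        prefix += tail[:clash] + prefer  # assumption: reader picks a fixed branch

def enumerate_field(cards):
    """What a reader that iterates does: select, halt, repeat."""
    active, found = list(cards), []
    while active:
        uid = select_one(active)
        found.append(uid)
        active.remove(uid)  # models halting the card just selected
    return found

# Constructed sample UIDs, not real cards.
WALLET = [format(u, "032b") for u in (0x04A1B2C3, 0x04A1F2C3, 0x9E001122)]

if __name__ == "__main__":
    for uid in enumerate_field(WALLET):
        print("found  %08X" % int(uid, 2))
    # A system that stops after the first card sees only one of them.
    for branch in "01":
        print("first-only, branch", branch, "%08X" % int(select_one(WALLET, branch), 2))
```

In this model the card a first-only system ends up with depends solely on the branch the reader takes at each collision; real readers add timing and coupling effects on top.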
1- Unless you have a MIFARE Classic or a card using ONLY UID for security in your wallet (cheapo Amazon door lock), it would have to be a pretty skilled attacker.
2- If you had a “real” RFID blocker/wallet (which usually has just a thin plate of metal in it), they’d also have to be a little lucky and have a pretty strong reader.
3- You’re more likely to be pickpocketed or run your card through a disguised skimmer of some kind in a sketchy gas station than for the above scenarios to be true.
4- Basically real threat, but so is getting struck by lightning. Wrap some tinfoil on an old business card and drop it in your wallet if you’re worried.
What people are mostly worried about is a payment card being RFID skimmed, but as far as I understand in the new EMV tap to pay format for bank cards, there isn’t even really a way to sniff that, that exists, right?
Something something cryptographic key exchange, so that even if the entire exchange is recorded it’s still secure?
I understand the old original tap to pay years ago was about as secure as the mag strips.
Sadly no. This is called track 2 data and it is totally readable with no encryption or authentication necessary. What has been introduced in some geographies is a transaction signature which is required for the terminal to process the payment, but you can still extract the complete credit card number and expiration date and I think maybe even the CVV from the track 2 data, all contactlessly. This data could then be used in “card not present” fraud.