7

I have seen advertised several times now products that claim to "protect" contactless payment cards (e.g. special sleeves, wallets).

What exactly do these products protect against?

  1. Is it just protecting against inadvertently using the wrong payment card when standing near to a genuine payment terminal?
  2. Or is it possible for an attacker to steal enough information via RFID to be able to clone a card or otherwise charge something back to it?

Do you see them as necessary?

JonnyWizz
  • 1
    One possible attack is someone walking around with a POS terminal, bumping into people and grabbing money off their contactless card. I'm not sure if this has ever happened (guess the payoff isn't big enough to bother). AFAIK there are no attacks against the chip that allow cloning. – Jay Nov 16 '15 at 16:03
  • Given that they'd need a merchant account with a bank, so would be easy for the police to trace, and that it would flag up straight away, isn't this an unlikely attack? – JonnyWizz Nov 16 '15 at 16:18
  • Most RFID-blocking products are quite vocal about what their purpose is. – schroeder Nov 17 '15 at 03:41
  • 1
    Yeah very unlikely, it was mentioned at a conference last year so thought I'd share it, should have stressed the unlikely part though! – Jay Nov 17 '15 at 06:19
  • @schroeder do they really? Just looking at an advert for an RFID Wallet that I have been sent, this is what it says: "Built to protect against the most tech-savvy thief; this wallet is lined with an alloy which blocks incoming radio frequencies." – JonnyWizz Nov 17 '15 at 07:04
  • 4
    @jay this has in fact been done. https://nakedsecurity.sophos.com/2015/10/26/train-rider-has-his-contactless-card-e-pickpocketed/ you don't need a POS just an NFC enabled smart phone and the right software. They probably wouldn't charge the card immediately but steal the card details for later use – Hearth Nov 17 '15 at 07:20
  • There is also this: http://www.idigitaltimes.com/new-android-nfc-attack-could-steal-money-credit-cards-anytime-your-phone-near-445497 – GreatSeaSpider Nov 17 '15 at 09:03
  • @JonnyWizz My point is that bad copy in that advert aside, a Google search produces rich results – schroeder Nov 17 '15 at 16:28
  • 1
    @Hearth but with EMV which details can you steal exactly? It isn't a magstripe and as far as I know the data you can get off the card (a crypto signature) is only valid for a single transaction in a short period of time. – André Borie Nov 19 '15 at 20:49
  • 1
    @AndréBorie the Card number and expiry details must necessarily be available to process the transaction. A signature may be used for verification, but not identification - how do you validate the signature if you don't have the card number to check it against? Card number and expiry is all that is needed to commit card fraud through other channels (such as online transactions). There is also consideration for other non-payment cards holding PII (licenses, health care, memberships etc) which may be used for identity theft. – Hearth Nov 23 '15 at 06:18

3 Answers

3

I'd like to say up front that everyone else who has posted here is essentially correct. I thought I would post a different perspective, as I am a user of RFID shielding technology.

Every card in my wallet has a RFID chip in it. Credit cards, ATM cards, Transport card, Office key, Drivers License, heck even my coffee discount card. Also, my passport has RFID.

I purchased a shielded wallet from ID Stronghold, black leather with each card sleeve individually lined with some shielding material (presumably aluminium, though the manufacturer didn't specify). This is important as some wallets only shield the outside and not individual card slots, so they are potentially vulnerable if your wallet is open, or thick/full enough to leave an opening. I also have a passport bi-fold with card slots, made from stainless steel mesh (can't recall what brand that was though.) I can verify that the cards in my wallet are unable to be read by any of the scanners I have tested, however your mileage may vary - as this article discusses, the use and effectiveness of several brands and models may differ.

I have 3 concerns about RFID chips.

  1. Credit card fraud as previously discussed, is the most obvious and very real threat, though not yet all that prevalent (I would suggest mainly because there are still easier ways to get Credit card data).
  2. Accidental card charges. Although this seems implausible because RFID is supposedly limited to operate within a few inches of the reader, but this has been shown to be an invalid assumption and an incident of this is discussed on this Security Now podcast (there is a transcription if you prefer, search for "contactless" and you'll go right to the relevant section).
  3. Identity Theft. While this is largely theoretical at present, this is the most concerning case.

This technology is not new, and neither are the attack vectors. With the number of cards and identification documents carrying RFID continuing to grow, and the cost of a potential attack diminishing, we can only expect these types of incidents to become increasingly frequent.

Ultimately, you need to decide what you believe your exposure is to this type of risk. While I agree that shielding may still currently be important only to the paranoid among us, I would argue that the cost is minimal. My wallet cost no more than a regular wallet, and (though I agree that the individual sleeves are probably less practical) having the shielding built in makes usage no less convenient.

Hearth
2

Deciding whether a security measure is worthwhile means you need to balance the cost of the measure against the benefit of using it. In this case the cost, other than a bit of money to buy the sleeves, is having to take the cards out of the sleeves every time they are used.

So is that worth the actual threat they protect against? It depends on what there is to steal. In the case of payment cards it's not worth protecting them because in order for people to steal from them they have to have a point of sale terminal and an account with a bank. If they started skimming money off the unwary they'll get caught. Most contactless payment systems limit the amount of money so that no single attack would make it worthwhile. So far there aren't cloning attacks that would work with a contactless system, so that's not a concern - yet. As for inadvertent payment it's not likely to happen, few people accidentally tap their wallet to a payment system, and if they do they can probably get a refund.

As for other types of cards there are some attacks that could work. It's possible to clone some building entry cards and transport contactless cards with a hand-held scanning device, but this is very rare and hard to pull off in practice.

So for most people card sleeves are a solution waiting for a problem. This may change as new attacks come in, but for now it's for the tin-foil hat crowd.

GdD
2

You have good reason to be confused about what "threats" these products are actually targeted at protecting against: not one commercial that I've seen for these items actually provides clear, unambiguous identification of the exact threat that is supposed to be in play here. Every commercial that I've come across just demonstrates a bad guy carrying around some (unseen) device in a bag or something capturing animated waves of some kind emanating from an unsuspecting person's wallet or purse. Naturally, this would suggest that the shielding is meant to protect against attacks involving contactless cards. But the commercials also take care to not actually say that anywhere. And the way the announcer talks and how the "scenarios" play out conveys an impression that all payment cards are vulnerable to having payment info from them silently pilfered by a mysterious attacker.

Not being specific about the threat, of course, makes sense from a business standpoint: most people still don't have credit and debit cards that use contactless payment technology. (Cards like transit system cards are probably another story.) Meaning if you come right out and say that your protection only matters if you have any newer, contactless payment cards you are greatly limiting your market. So, even though that would be the only honest and responsible thing to say, there's an incentive for companies that are willing to use unscrupulous, fear-mongering tactics to leave an impression that everyone is vulnerable to attacks like these. When that's certainly not remotely true.

And that brings us to the question of whether even if you have payment cards that will do contactless transactions these products provide any security benefits to you. About that I'll note two things. First, smartcards with contactless EMV payment abilities, like other EMV smartcards, are specifically designed not to be cloneable even where an attacker can steal information from the contactless signal during a transaction. Or even from signals collected from many transactions. That's the inherent benefit from using a payment type that does dynamic authentication, rather than static authentication (as traditional magnetic stripe cards do).

Second, the name "contactless" is really sort of a misnomer in most cases. Often cards simply will not work to authorize a payment unless they are taken out of a wallet, purse, or other storage place they are in and physically tapped directly against the reader. Other cards (like my transit card, for instance) will work through the material of a wallet but not through the additional covering of, say, a winter jacket. The depictions in the ads of the bad guys' concealed gear being able to capture info from a card buried deep within a bag or inside coat pocket is ... unlikely.

Now, in 2013 some researchers in the UK were able to pick up some card data as far away as about 45 centimeters / 18 inches, well beyond the 2 centimeters or so the cards should ideally be readable at. However, the exact circumstances of how those observations occurred are a little vague, and it appears that they would probably not have succeeded in trying to do actual transactions if they had attempted to do so. At any rate, Visa contends that that would not have been possible. (See the question "Can a fraudster with a bogus contactless terminal steal money from my card by brushing up against me?" in that FAQ.)

In sum, the technical risk re. stealing payment card information or successfully doing phony transactions seems to be low-to-nonexistent in the usual contactless payment card implementations. However, if you really, really want to be on the safe side and it would make you feel more at ease you probably could inconspicuously put some metal foil of some kind in your wallet, purse, or other card-carrying device. Save the $25.00+ that some of these ads are quoting to buy products that consist of something more than small pouches made out of 10 cents worth of aluminum. :)

mostlyinformed
  • 2
    "most people still don't have credit and debit cards that use contactless payment technology" - in the USA maybe, but in Europe most people now have a contactless payment card. – JonnyWizz Nov 17 '15 at 06:14
  • Very true @JonnyWizz, in some places contactless has overtaken cash. – GdD Nov 17 '15 at 08:20
  • @JonnyWizz Fair enough, and a point worth noting. They have become quite common here in the U.S. for many things *besides* contactless payments, interestingly. But, as with using EMV smartcards for payments in general, the U.S. is a little bit behind most of the rest of the developed world in using them in the place of cash or mag stripe transactions. Unfortunately. All that being said, the other, technical points I noted should hold true across geographies and cultural differences, I think. – mostlyinformed Nov 17 '15 at 10:00
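
The difference between static and dynamic authentication that mostlyinformed's answer describes, as an added example that is not part of the original thread. It is a simplified model rather than the EMV specification: the `Card` and `Issuer` classes, the HMAC-SHA256 tag, the field names and the sample card number are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _mac(key, tx):  # HMAC-SHA256 stands in for the real cryptogram (assumption)
    msg = f"{tx['pan']}|{tx['amount']}|{tx['atc']}|".encode() + tx["nonce"]
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    def __init__(self, pan, expiry, key):
        self.pan, self.expiry = pan, expiry  # static data, readable over the air
        self._key, self.atc = key, 0         # secret key and counter never leave the chip

    def sign(self, amount, nonce):
        self.atc += 1
        tx = {"pan": self.pan, "amount": amount, "atc": self.atc, "nonce": nonce}
        return {**tx, "tag": _mac(self._key, tx)}

class Issuer:
    def __init__(self, card, key):
        self.cards = {card.pan: {"key": key, "expiry": card.expiry, "last_atc": 0}}

    def authorize_static(self, pan, expiry):
        # Static authentication: whoever presents the right constants passes.
        rec = self.cards.get(pan)
        return rec is not None and rec["expiry"] == expiry

    def authorize_dynamic(self, tx, terminal_nonce):
        rec = self.cards.get(tx["pan"])
        if rec is None or tx["nonce"] != terminal_nonce:
            return False  # not a response to this terminal's challenge
        if tx["atc"] <= rec["last_atc"]:
            return False  # counter value already spent: replay
        if not hmac.compare_digest(_mac(rec["key"], tx), tx["tag"]):
            return False  # tag does not match the fields presented
        rec["last_atc"] = tx["atc"]
        return True

def demo():
    key, nonce = os.urandom(32), os.urandom(4)
    card = Card("4000000000000002", "12/30", key)  # constructed sample values
    issuer = Issuer(card, key)
    tx = card.sign(500, nonce)  # also what a passive listener could record
    return {
        "genuine": issuer.authorize_dynamic(tx, nonce),
        "replay_same_challenge": issuer.authorize_dynamic(tx, nonce),
        "replay_new_challenge": issuer.authorize_dynamic(tx, os.urandom(4)),
        "static_copy": issuer.authorize_static(tx["pan"], card.expiry),
    }
```

The recorded message is accepted once and rejected on every later presentation, while the static check accepts the same constants every time, which is why the channels that rely only on card number and expiry are where shielding and issuer-side controls matter.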