4

I've heard/read several pentesting stories where the pentesters clone RFID badges. I've also seen some articles saying RFID skimming is a negligibly small problem. The RFID skimming I'm talking about is where someone walks up to you to skim your card or "fires" a "skimming beam" from a distance, and not where you actively (unintentionally) put your card on/in a skimmer like on ATM machines.

All the articles I've read that say we don't need anti-skimming wallets and such mainly say things like "It's not common", "You get too much junk", "It's impractical resource-wise".

How common is RFID skimming? How concerned should the average Joe be about it?

(If I have some money, especially if I have access to some confidential data, I would definitely get anti-skimming stuff, but that doesn't sound like most people)

ChocolateOverflow

2 Answers

3

The article you point to presents things more from one perspective than the other.

From the same article, I find the statement "RFID crime isn’t a great payback for the effort and risk." at least arguable.

If you wonder if cards can be read at greater range than stated, the answer is definitely yes. It's all a matter of the quality and power of your hardware. Given the hardware is good enough you can certainly obtain a good read distance.

Considering a few meters is quite accomplishable, this part of the problem is practically solved. High range read is quite possible. It's a matter of basic communications, just like trying to read a radio signal. With a powerful enough receiver you can get signals from hundreds of kilometers away.

Of course the RFID system in the cards is a passive element, but still it can be read from quite a range by normal means, not considering directed energy methods (aka the ray-mode, like a label scanner uses). So yes, I can enjoy my coffee across the street and make everyone in the restaurant on the other side make some 'donations' (and this would only be a beginner method).

The general defense against this is most of the time the limit of the amount transferable. In my country, that amount is the equivalent of roughly 4 Euros or $5. It may not seem much if taken from a person or 2 but if taken from hundreds or thousands it may become profitable very fast.

You will indeed need a relatively complex back-end setup where your reader can actually provide you the transferred amounts, which is actually the risky part the article talks about. This is the reason most current CC-frauds do not rely on such actions - there are other simpler methods to hit high ends of money without resorting to this. Think of it as the equivalent to robbing a very large bank compared to robbing quite a lot of small local ones.

But this does not mean it won't happen.
It is technically very viable and it can be done in such a way to earn extreme amounts of money before anyone ever realizes there's something wrong. It just needs the proper setup (tech setup and key location).

As for average people, they are not really concerned a lot due to the limitation of the transferable amount. Losing €4/$5 is not much damage. But gaining it from a few tens of thousands of people who can enter a large China-type mall area daily can be a big earner. That is why it is increasingly likely that in the future we will see such a large-scale skim.

So why not protect if possible? A foil case for your card is cheaper (you can find them even under $1) than the amount you may lose in only one transaction, and you can keep it for years.

guntbert
Overmind
  • Things don't scale forever. More power and more sensitive scanners can increase range but there are physical and practical limits, so I wouldn't assume that hundreds of kilometers is possible. I mean, maybe it is, but it may also require hooking up a nuclear generator to the Arecibo Telescope, in which case you really don't have to worry about that... – Conor Mancone Dec 27 '19 at 11:27
  • You don't need kilometers, just a few meters is enough, which is quite easy to get. You can just plant your reader at a big market entrance and have tens of thousands of transactions daily. – Overmind Dec 27 '19 at 13:02
  • Indeed, I agree (and upvoted your answer). I was specifically responding to your statement about how this could work from a distance of hundreds of kilometers. There are practical limitations that would likely make that impossible. – Conor Mancone Dec 27 '19 at 13:18
  • True, that was just an analogy with radio transmission where you can have a very powerful receiver and intercept low power transmissions. – Overmind Dec 27 '19 at 13:21
1

I asked a friend who works as the head of Fraud in a major bank about this, and while I can't point to a public source on this, he said that it does happen. But not a lot.

There are a few problems for criminals:

  • you need to register with a payment provider, which introduces a paper trail to help identify the criminals, even if fake documents were used
  • these types of payments will start triggering all kinds of anti-fraud algorithms so the criminals will not get many "hits" before they are blocked from processing payments
  • it's not nearly as profitable or undetectable as so many other options for crime

For you as a cardholder, you can dispute fraudulent payments, which further adds to the evidence, and you can get reimbursed.

So, threat? Yes. Worth mitigating? Not at this time.

schroeder