50

According to the Popular Mechanics article RFID Credit Cards and Theft: Tech Clinic, the fact that many new credit/debit cards have a RFID chip embedded on it, there is a risk (albeit, small according to the article) that the card would be 'skimmed' - from the article:

RFID cards do have a unique vulnerability. "Your card can be read surreptitiously. Unless you were paying attention to the guy behind you with a reader, you'd never know you were being skimmed."

Now, even though the risk is low, there is always a chance. With that in mind, a friend bought me a wallet - a Stainless Steel RFID Blocking Wallet to be precise, that claims to

prevents 'accidental' reading of your information

I have this wallet still (it is rather nice looking), so my question is really two-fold:

  • Can a steel woven wallet prevent RFID scanning of credit card information?

and

  • Is there a practical way I can test this myself?

(Note: I have no affiliation with anything to do with the manufacture or sale of these wallets)

  • 1
    an attacker could set up a RFID receiver nearby a reader to skim of cards being actively read (as in being waved in front of the reader), the only way to protect against that is to surround the reader with a faraday cage and have the user put the RFID card inside to be read – ratchet freak Oct 04 '13 at 08:24
  • 7
    RFID credit cards are designed for short-range operation (1 centimeter), and radio fields drop off with the square of the distance. Even as close as 1 meter you're talking about a field 10.000 times weaker. That also means a reader can protect the card being read by adding a low-power jamming signal at 10 centimeters from the reader. Even at low power, it would overpower the passive RFID card everywhere but in the proximity of the reader itself. And that's without a feedback circuit from the jammer to the reader. – MSalters Oct 04 '13 at 10:27
  • 3
    Just as an interesting aside, this technology looks very similar to the [OffPocket](http://offpocket.com/). If the construction is sufficiently similar, I would expect it to work in a similar fashion. – Tinned_Tuna Oct 04 '13 at 14:02
  • 1
    @MSalters In other words, on an elevator is the perfect time to scan someone – Izkata Oct 04 '13 at 17:01
  • The little secret the RFID industry has been holding onto for decades is that the technology is outdated, unpredictable and unreliable. Just stand close to the wall in an elevator and that will mess up the signal. Hell a fly could land nearby and mess with it. – Wyck Oct 04 '13 at 22:00
  • I once got a debit card with an RFID chip in it. When I got it, I took it out and made a purchase at a fast food place that read RFID chips; I'm sure you recognize their big golden arches. By the time I got home, someone other than me had already made purchases on it. My current strategy is to refuse RFID cards entirely. – Michael Hampton Oct 05 '13 at 15:50

10 Answers10

50

Any Faraday cage will do the trick. So a shielding of just about anything conductive, be it aluminum foil, conductive paint, wire mesh, or any of a number of similar alternatives is going to be opaque to radiation. That means no radio waves in or out, which means the RFID signal is blocked.

Note that the size of the mesh has to be significantly smaller than the wavelength in question; RFID specs are mostly in the MHz range but go as high as 2.4GHz, which is about a 10cm wavelength. So your mesh should be just fine. But aluminum foil is cheaper.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • 1
    Thank you for this (+1), 10cm wavelengths can be definitely overcome, the wallet is smaller than that - but you're right, aluminium foil is a heck of a lot cheaper. –  Oct 04 '13 at 07:17
  • 55
    So what you're saying is, giving your credit card a tinfoil hat *might actually be effective?* ;) – Mason Wheeler Oct 04 '13 at 11:42
  • 3
    It should be noted that it's not trivial to make a wallet a real Faraday cage. If you have gaps in the cage, it will leak quite easily. If you have ever tried to cover you mobile phone so well it does not get connection to cell tower anymore, you know it's very tricky. See this, for example: http://truthiscool.com/rfid-blocking-wallets-too-good-to-be-true – Zds Jan 04 '14 at 10:10
  • 2
    @Zds a bit of physics knowledge can be helpful. If you understand what you're doing, then it's pretty simple (overlap, contact, etc) but even crappy shielding will be enough to dramatically lower the useful range of the device. – tylerl Jan 04 '14 at 23:17
19

Next time you go to the shop leave your card in your wallet and try as much as you can to pay for your purchase. Try with several different card readers to be sure. If you can't pay, then it's pretty well protected. If you can, well...

I can't speak for that particular wallet but it is certainly possible to block RFID in that manner. It just depends if they did any research and took it seriously or if it's just a marketing gimmick.

Scott Helme
  • 3,178
  • 3
  • 21
  • 32
  • Thank you for that (+1), that is a nice, quick and easy test to do - never thought of that. I suspect it may be a marketing ploy, but you never know. –  Oct 04 '13 at 07:03
  • 3
    No problem. As Lucas has mentioned in his answer, if you can't pay for the item with your wallet closed you should be able to flip it open and then pay, assuming the protection when closed is adequate. – Scott Helme Oct 04 '13 at 07:11
  • I just used the wallet to 'shield' my train pass - normally, the train pass can be kept in a wallet and the wallet placed on the scanner and the gates open - tried it with the steel wallet and it did not scan. –  Dec 09 '13 at 19:28
11

To be precise, an aluminum foil can do the trick. I hope your RFID Blocking wallet is actually blocking them. I am afraid that it is hard to test the practical way as it is happening unless you are a an IT expert in that field Or a RFID hacker ;)

However there are good products available that promises against RFID theft. sample : http://www.idstronghold.com/

I couldn't find any better solution for myself other than using a RFID Blocking wallet and keeping a close eye on my credit card transactions.

Ebenezar John Paul
  • 2,874
  • 14
  • 23
10

The principle has been used before, your wallet will act as a Faraday cage. This means that the inside of your wallet cannot be affected by electronic fields. This prevents the RFID from being read out. However normally a Faraday cage is closed, so as long as your wallet is closed with the card inside and the metal completely covering your card, you should be alright.

The best way to test this is to get a few readers and try to read your card out while it's in your wallet.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • Thank you for this (+1), Faraday cages are something I am familiar with - never linked them to this. –  Oct 04 '13 at 07:12
  • 2
    A faraday cage is considered "closed" when all holes are smaller than the relevant wavelength. A cage that's not visibly closed may still be closed to radio, because visible light is in the nanometer range and radio is in the meter range. – MSalters Oct 04 '13 at 10:21
6

I guess I am a bit late to the party on this question, however I'll add some quick information on wallets containing faraday cages. I have one myself, and they do in fact work very well. I have tested it pretty thoroughly, and not once has signals been able to leave the wallet, with the exception of when I have it open, then it works as intended.

Here is the wallets inside. You can barely see a metallic colored hue. This is the faraday cage sewn into the wallet. enter image description here

Note that the wallet itself is leather, it just contains a tightly woven copper wall inside of the leather.

I also have a video demonstrating the effect here: https://www.youtube.com/watch?v=S1Bb_kVWy5w&feature=youtu.be

Chris Dale
  • 16,119
  • 10
  • 56
  • 97
3

It an block RFID reading, but that's not to say that someone with a high gain antenna won't be able to read the chip.

Worth remembering that although a faraday cage does block radio signals (mostly, but let's not over complicate this!), a metal lined wallet isn't actually a faraday cage because it's not grounded.

Kristin Paget (formerly Chris Paget) is a dominant figure in this area, and has done a lot of great research in RFID reading from a distance. http://hackaday.com/2009/02/16/shmoocon-2009-chris-pagets-rfid-cloning-talk/

She's also created a device which very effectively block RFID reading, and the way to do it in the end was RF interference. You can buy the device she and the team made to block RFID signals.

Owen
  • 1,066
  • 5
  • 9
  • 3
    You don't need to ground it for the Faraday cage to stop signals passing through it. Key are the conductivity and size of the metal mesh. Assuming they are appropriate, a high gain antenna will not help an attacker. – Rory Alsop Oct 04 '13 at 11:13
  • 2
    The linked article does not seem to mention anything about efficiency of shielding, just the fact that that particular type of RFID tag can be read from large distances, no shielding involved. It should be noted that it is different type from the one being used in credit cards and the article states so. – Jan Hudec Oct 04 '13 at 12:01
  • There are quite a few RFID chips. At my previous company, we've demonstrated the ability to read a RFID tag from 20 meters, while inside a fridge. That was a powered tag, though, not passive. As I noted in the question's comments, the RFID chip on a card is designed for centimeters read range. That shows it's pointless to compare different RFID technologies. – MSalters Oct 06 '13 at 19:31
  • 1
    Sorry guys, that wasn't the best article to reference. Chris/Kris Paget's talk on RF sniffing from a distance at Defcon was excellent though, and he demonstrated how a non grounded cage wallet didn't shield as well (Admittedly they do shield though, don't get me wrong). Kris has also done work on reading RFID chips from within mesh wallets using high gain antennae and pretty conclusively shown that it's more a question of technique and equipment than of possibility. – Owen Oct 16 '13 at 16:06
3

It is possible the wallet will work. It depends a lot on how it is manufactured. Keep in mind many people on here have told you to test it at a store reader. These readers are designed to read from a short range. A higher power reader that a thief may have can read much further. Also many of these wallets are only shielded on the outside. My company, Identity Stronghold, makes wallets that have every slot shielded so they protect even when open.

The theory about two cards mentioned above interfering, only applies to 125khz prox cards and not payment cards or passports. These 13.56mhz cards have built in anti-collision technology.

I have made a YouTube video demonstrating many of these myths. You can watch it at http://www.youtube.com/watch?v=06jKsbOiruc

Walt Augustinowicz
  • 31
  • 1
  • So it sounds like it was the foil envelope containing my passport card that was interfering with reading the transit card, and not the passport card itself. Thanks for the info! +1 – John Deters Oct 04 '13 at 17:46
  • Yes that can happen. Our company actually makes sleeves for the Dept of State for the passport card as well as several state's Enhanced Drivers Licenses. Placing other 13.56Mhz RFID cards right next to the sleeve can protect them too. It also greatly reduces the read range of 125khz prox cards. – Walt Augustinowicz Oct 04 '13 at 18:14
  • I don't really see the point of shielding the inside of the wallet itself. One of the great advantage of RFID card is the convenience of being able to use it without fishing the card out from the wallet. If you had to pull the card out of the wallet to use it then wouldn't it be easier and safer to just get a swipe-only card? Also, even with inner shield, in the end you still have to unshield the card to use it, exposing it to remote readers anyway. – Lie Ryan Oct 06 '13 at 15:24
  • @LieRyan I should admit that you are absolutely right about the RFID purpose being altered. But when it comes to a point where our data can be robbed without our knowledge, we are left with no options but to safeguard them. This is why they always say, Everything has it's own positives and negatives. – Ebenezar John Paul Oct 07 '13 at 04:49
2

The government is really paranoid about their worker ID badges being read (copied, photographed, ...)--you aren't even supposed to show it to people that don't need to see it and must remove it when you leave a given campus even to go to lunch.

For when you are inside a government building you must wear it someplace visible though, so it has a little holder to hook up to a lanyard.

Thing is this holder has a thin band of aluminum foil glued to the center that sits up against the card. Even though you can see the entire face of the card, it severly limits reading range--you have to pull the card out of the holder a little to read it (Although if you fudge with it long enough right up against the reader you can sometimes get it to work).

Mostly I found it amusing that the government has the tinfoil-hat paranoia, or looking at it another way--that the government validates the tinfoil hat paranoids.

I also have one of these wallets but got it because it was thinner than most others and not too expensive... the seller claims it's "2 1/2 times thinner than paper" which my wife and I still WTF over now and then, but it's thin enough.

Bill K
  • 407
  • 2
  • 6
1

Simply test it at a local store that accepts RFID payments. Most McDonalds restaurants seem to have them. Or if you have an RFID-based transit card in your region, use one of the balance-checking terminals - you can play with one for an hour for free, and nobody will care.

When you're doing your testing, try a couple of things. Have the closed wallet approach the reader from several directions and orientations. Stack multiple payment cards together to see if they interfere with each other. Also see how small of an opening you need in the wallet before your card can be read. I have seen passports (which have an RF-blocking mesh embedded in the passport cover) able to be read with as little as a 1/4" opening.

I carry two RFID cards in my bi-fold wallet, one on each side. Due to mutual interference neither works reliably when the wallet is closed, but each works fine when I flip the wallet open and present the correct card to the reader. I also found I can't keep my passport card with me, and I have to keep my RFID door badge in my pocket, because the extra card interfered with whichever side I tried to carry it on.

Also consider your threat model. For now, practical attacks are still quite rare, and I have figured my own chances of being skimmed are low. Mass transit systems seem to be the logical place to perform an attack, but our city's rail system is still fairly immature. Plus, since the two-card interference model seems effective at preventing my own legitimate use, I personally believe it further reduces the chances of a malicious attacker being successful against me.

John Deters
  • 33,650
  • 3
  • 57
  • 110
0

It appears it's not very easy to build a wallet that completely blocks the signal: http://truthiscool.com/rfid-blocking-wallets-too-good-to-be-true

I don't have RFID reader, but at office we tried to simulate loss of mobile coverage by wrapping a phone into a metal mesh, and it was be hard to get the wrap so tight phone lost the signal. Cell tie signal of course is more powerful, but the gaps in the final wrap were orders of magnitude smaller than in the RFID wallets.

Zds
  • 171
  • 2
  • I'm not sure how this answers anything. Different wavelengths will be filtered differently, and their transmission power will define their penetrability through various materials too. E.g. it's difficult to kick a football through a bubble wrap, but a dart will go straight through. It's just not comparing tit for tat. – TildalWave Jan 05 '14 at 17:23