RFID wallets, sleeves and clothing are security snake oil. You don’t need RFID protection because there is no RFID crime.
Columnist, InfoWorld | 22 NOVEMBER 2017 15:25 GMT
RFID blocking wallets, sleeves, and other products offer protection against RFID skimming. The problem isn’t that these products don’t work, it’s that they’re a solution to a problem that doesn’t exist in the real world. RFID-related crime isn’t only very unlikely, it’s non-existent.
It happens every Christmas. My friends, knowing my long-time career in computer security, can’t wait to show me how smart they were for buying RFID wallets, purses, and even jeans and jackets. What they don’t know, unless they read this, is that it’s a complete waste of money.
What is RFID and how does it work?
Radio Frequency Identification (RFID) is a short-distance electromagnetic method for transmitting small bits of data. It was initially used primarily for inventory tracking, but morphed into all sorts of uses, including authentication, passports, identification cards and credit cards. It’s the latter use that has driven a billion-dollar defense industry offering specially designed RFID-blocking accessories. You can even buy RFID-blocking totes, fanny packs, and backpacks.
There are millions of RFID-enabled credit cards. No one knows for sure how many credit cards in the U.S. are RFID-enabled, but some estimates put them at less than 5 percent. RFID-enabled credit cards are more popular outside of the United States, with some countries having a majority of credit cards RFID-enabled.
RFID-enabled credit cards can wirelessly transmit the necessary personal information from a card held a few inches away from an RFID reader to complete a financial transaction. There are other ways to pay for something wirelessly, for example, Apple Pay, which uses Near Field Communications (NFC). RFID is especially subject to hacking because the transmission protocol is not encrypted, and, at least in the first generation of RFID-enabled credit cards, it would transmit the financial information in clear-text.
Very soon after RFID technologies were introduced, hackers were attacking them. RFID skimming, as it’s known, involves using an RFID reader, usually fitted with a strong directional antenna, that can energize and read other RFID-enabled transmitting devices. RFID skimmers were adept at not only intercepting and reading RFID data streams, but doing it from further and further distances. For a few years, RFID skimmers made reputations by showing how far away they could accomplish the attacks. The distances moved up to dozens of yards away, with some skimming attacks being possible from over a hundred yards away, particularly for the newer “active” RFID attacks that had their own energy sources.
As RFID-enabled credit cards gained popularity, researchers began demonstrating how easy it was to intercept RFID-enabled credit cards. Today, you can find dozens of demonstration videos where a security researcher shows how easy it is to do. It’s true, you can hack some RFID-enabled credit cards.
These scare videos, live demonstrations, and the numerous news articles that accompany them usually play out some doomsday scenario where a hacker sits on a street corner intercepting every RFID credit card that walks by. The scariest scenarios include some foreign attacker remotely scanning your passport to identify you or steal your identity. Many passport services even offer a premium passport folder that blocks RFID waves.
You can use a myriad of materials that are poor conductors of electromagnetism to block RFID waves — just a few sheets of thick aluminum foil will do the trick. The RFID-blocking vendors will try to overwhelm you with technical terms and specifications, including frequencies and antenna sizes. Aluminum foil works to block them all; you just may need more foil sheets. Do the “official” RFID wallets and other accessories work? Yes and no. Some have been shown to be less reliable than aluminum foil.
But even if the RFID blocking products did protect better than Reynolds Wrap™, the fact remains that in over a decade, not a single crime involving an RFID-enabled device has been reported in the public domain. I don’t just mean credit card crime. I mean no real RFID-enabled crime ever!
There have been hundreds of millions of credit cards stolen in the same timeframe and likely billions of financial crimes, and not a single real RFID theft. It’s not that it can’t be done. The videos prove it can. But there is a huge gulf in the world of threats and risks between what can be done and what is likely to be done. And so far, based on over a decade of historical evidence, RFID-related crime appears not only very unlikely, but non-existent.
I’ve been making this same claim, in public, for nearly as long as RFID-blocking wallets and clothing have been produced. I’ve written many articles over the years, been interviewed dozens of times by shows around the world, and I’ve made enemies of those who make money selling RFID-blocking products. They have threatened me, yelled at me, and called me a goof (well, much worse than that). And in all these years, they have yet to produce evidence of a single real-world RFID crime. Year after year, nothing. Nada!
Some of my critics have asserted that the inherent wireless nature of RFID crime implies that successful attackers are going to get away with it, and people won’t know that it’s happening or how it happened. This ignores the fact that banks would certainly notice if their RFID-enabled cards were being ripped off in a certain area or at greater percentages. If RFID-enabled crime were the huge boon that vendors claim it is, you would get more and more RFID criminals committing crimes until at least one of them copped to how they did it. Part of every plea bargain is admitting to your crime and telling the authorities all the details. I also haven’t read any police reports where the police found a bunch of RFID readers sitting around in a criminal credit card den. It just hasn’t happened.
Not only has not a single RFID crime happened, but I think it is unlikely to happen. Here’s why:
- Second-generation RFID-enabled credit cards encrypt and protect the information they transmit. Not all RFID-enabled cards are second generation and protected, but first-generation cards haven’t been created for many years, and so the supply of them is dwindling every day.
- RFID crime isn’t a great payback for the effort and risk. With RFID crime, someone has to physically sit around and be close to a bunch of RFID-enabled products. The world is full of CCTV cameras, and sitting around committing crime is likely to end up with the thief’s picture saved for the police to see. Furthermore, a criminal who sits around for 8 hours on a very busy city street corner could collect perhaps many hundreds to a few thousand cards — if you assume that every person who walks by has an RFID-enabled credit card (which is nowhere near the truth). That same criminal could buy stolen credit card information by the thousands for cents per card on a number of online forums. If they break into the average web site, as hackers do all the time, they can steal hundreds of thousands to tens of millions of cards for a few hours’ effort.
Some people ask me about the other doomsday scenario where a foreign agent steals their passport information. In the unlikely event that a foreign spy would want your information, all they have to do is ask for your passport information at their border. You have to hand over your passport anytime you enter a foreign country. Why would they need to steal it? And even if they get the information, what are they going to do with it? Use your passport with a new picture ID? If they have that sort of sophistication, you’re in James Bond territory, and they can simply make a new passport from the ground up…or pay a thug $50 to mug you to get it.
Simply said, there is no real RFID crime and there’s not likely to be any RFID crime. It’s alright if you want to be prepared for the day it might eventually occur. Who knows? One day, the world might experience its first real-world RFID crime. Even then, out of the billions of crimes being committed, is that the one you want to spend extra money on? Or do you want to wait until it’s at least popular enough that it’s somewhat likely to happen to you? Because right now the real risk is absolutely zero. Save your money or buy a better-looking wallet.
This story, “Why you don’t need an RFID-blocking wallet” was originally published by InfoWorld.