
Can an RFID Blocking Wallet Keep Your Cards Safe? Facts vs. Hype

by Fred Decker

Most of us like to grumble at least occasionally about how complicated life has gotten. And it certainly has, in a lot of ways, but in others it’s gotten a lot more convenient. Just a few decades ago, for example, buying things meant going to the bank — your own physical branch, mind you, during the brief hours it was open — to take out cash. If you didn’t have time for that, or ran out of money, you’d write a check and hope the merchant accepted it. The merchant, meanwhile, hoped your check was good. Now, paying is as simple as a quick tap with your phone or a card, and the transaction takes place instantly. It almost seems too easy. The NFC circuit in your phone, or the RFID chip on your card, gives the terminal your payment information, and boom, you’re done! But can you trust that only the terminal can read that information? Or should you invest in an RFID blocking wallet (or something similar) for added protection? Let’s dig into the technology and see if it’s worth doing.

How Does RFID Work? 

There are several different kinds of Radio Frequency Identification (RFID) chips, but they all work on the same basic principle. There’s a small chip with a bit of code on it that contains information. In commercial settings like a factory or an Amazon warehouse, that chip might identify a part or a specific package. On credit or debit cards, it holds your payment information. There’s also an antenna attached to the chip. 

When a chip reader comes close to the RFID tag, the reader’s radio waves act as a power source for the chip and antenna, and it responds by transmitting the information it contains (radio waves are a power source in themselves, remember; it’s how your microwave cooks things). Industrial RFID tags can be read from several feet away, but the kind on your cards needs to be very close to the reader.


The Near Field Communications (NFC) chips in your phone are essentially a souped-up form of RFID, which can transmit and receive (so it’s both a tag and a tag reader). Like your cards, this only works in very close proximity to the payment terminal. 

Can RFID Really be Hacked? 

That leads to a couple of big questions: a) whether RFID cards can be hacked; and b) whether they’re a safe way to pay. 

The first question was answered long ago with a definitive yes. All the way back in 2006, security researchers were demonstrating “proof of concept” attacks harvesting the information from RFID cards. But the second question is tougher, because most of these hacks targeted other RFID devices rather than debit and credit cards. The whole point of chip-enabled cards, after all, was to make them more secure compared to the old-school magnetic stripe. The stripe was easily read by credit-card “skimmers” — an illicit reader installed over the top of a legitimate one — which allowed criminals to make a duplicate of your card, and max out your credit in a hurry. 

Chip cards are a tougher nut to crack, partly because key data on the chip is encrypted and partly because they use an algorithm that creates a unique code (an “Authentication Data Element,” or ADe) for each purchase. Scammers using an improved version of a skimmer, called a “shimmer,” can actually read some data from the chip, but it’s not as bad as it sounds at first. 

Criminals still can’t clone the chip card, but they’ll get the iCVV code — the digital equivalent of those three digits on the back of your card — which means they can make a better clone of your stripe card. Some card issuers have dropped the stripe entirely, using either tap-and-sign or tap-and-PIN instead, to close this vulnerability.


How Does RFID Blocking Work? 

A lot of companies (a lot of companies), seeing the coverage of RFID hacks and vulnerabilities over the years, have begun marketing protective devices to help keep your information secure. Essentially, they create what’s called a “Faraday cage” around your card. A Faraday cage (named for a brilliant 19th-century pioneer in electrical research) is just an enclosure made of conductive material, like aluminum or copper. They’re routinely used in scientific and industrial settings, where sensitive equipment needs to be protected from interference, and even in consumer electronics, where outside signals might mess with your data or your music. 

Interestingly, a Faraday cage doesn’t have to be a solid enclosure, because a conductive mesh works just as well. If you cut open a TV cable, you’ll see a regular wire in the middle and a copper braid around the outside; the braid acts as a Faraday cage to shield the wire in the middle (which carries your TV signal) from interference. 

That’s important for consumers wanting a wallet that can protect their cards from a potential hacker with an RFID reader. A solid Faraday cage wouldn’t make a very practical wallet, but mesh can be incorporated into even a slender, flexible wallet without much difficulty. That’s how RFID blocking wallets work. 

Do I Need an RFID Blocking Wallet? 

Here’s the thing about RFID hacking: despite all the potential vulnerabilities that have been demonstrated over the years, it just hasn’t been a “thing” in the real world. There are a couple of reasons for that. One is that relatively few cards are “contactless,” meaning you could theoretically read them from a few inches away (subway, coffee shop, elevator) with an RFID reader. Most need to be inserted into the terminal, or make physical contact with the “Tap” reader. 

A more important point is that, on the whole, it’s just not worth criminals’ time. Like any other business, they’re concerned with efficiency and return on investment. For pennies, they can send out a mass phishing email and potentially steal credit card data from thousands. Hackers can steal millions of card users’ data in a single breach, and — more importantly — sell them on to other criminals for as little as $10 to $15 each. A look at the FTC’s credit card fraud data for 2022 shows over 400,000 incidents involving new accounts (i.e., identity theft), compared to under 40,000 involving existing accounts (credit card hacks, skimming, shoulder surfing, and everything else combined). 

In other words, criminals have collectively decided that “the juice isn’t worth the squeeze.” That’s not to say a hack is impossible, especially if you’re a public figure or in some other way a high-value target. It also doesn’t mean things will necessarily stay this way (there’s a lot of money and talent on the criminals’ side, after all).

So, do you need an RFID blocking wallet or sleeves for your cards? No, probably not. But if you’d sleep better for having one, by all means go ahead and buy it. 

There are Some Special Cases

That’s not to say there aren’t a few scenarios where RFID is a legitimate threat; they’re just not usually something a private citizen needs to be concerned about. Those passes you swipe to get into secured areas at work? Those are RFID tags, and they’re much easier to duplicate than a credit or debit card. So are the card-shaped hotel room keys.

While attacks like those are seldom targeted at an individual, as opposed to the organization, it’s possible that someone with an RFID reader — like the Flipper Zero, marketed to hobbyists as a “Swiss Army Knife for hacking,” at well under $200 — could manage to copy the RFID for your specific room, and steal your personal belongings. It’s a stretch, but it could happen. There’s certainly no harm in using a sleeve or RFID blocking wallet to eliminate that minimal risk. 

More often, this kind of thing is a headache for the companies involved, and the suppliers of the actual RFID cards and their readers (whose customers, of course, use them for security reasons and expect them to be, well… secure). If your workplace suddenly decrees that you need to keep your access card in an RFID-blocking sleeve or wallet when it’s not in use, this is why. 

Don’t Worry, Be Happy

So what’s the bottom line? 

If you’ve been eyeing advertisements for RFID blocking wallets or contemplating a half-dozen sleeves to protect your cards individually, you can relax. There’s little realistic likelihood that anybody’s going to hack your cards that way. On the other hand, if the price fits your budget and it will make you feel better, there’s no compelling reason not to. 

On the whole, though, you’ll do more for your own security if you keep up to speed on the latest scams and threats through blogs like this one, and keep a close eye on your accounts for any unexpected or illicit activity. 

Better yet, sign up for Spokeo Protect (our identity protection service) and let us do all the monitoring for you. That will address a whole lot of threats that are more immediate and dangerous than RFID hacking, and should do a lot more for your peace of mind than any wallet, however high-tech.