[Closed] RFID blocking cards - thoughts

Do they do RFID blocking skullcaps yet?

Is this really a thing? The marketing guy who thought this up must be a genius 😆

😆

Like I say I have no idea if it's a load of balls either. But there must be a reason that pretty much every new wallet on the market has RFID protection.

Or is it like 650b forced on the customer and told you must have this.......but the 650b marketing men seemed to have won 🙄

https://www.amazon.co.uk/BQLZR-Credit-Blocking-WaterProof-Protector/dp/B00RMCHPZC/ref=sr_1_7?ie=UTF8&qid=1490133644&sr=8-7&keywords=rfid+cards

They work - we stock a range and I've tried them and yeah it stops the card terminals picking the card up.

Do you need them..? I'd say only if you're a back pocket walleter. Contactless needs to be pretty close to work and your likely to notice a guy waving a card terminal around your crotch or jacket. Back pocket in a busy area however, pretty easy to put a transaction through without you noticing. Although the banks do cover contactless fraud the chances of most noticing a sub £30 transaction are pretty slim unless your fastidious at checking your statements.

I specifically don't use an rfid wallet though as I like just tapping my wallet to the terminal without taking It out - never been done as far as I'm aware. Tend to use the iPhone more these days though as you get contactless convenience but Touch ID security.

I'm unconvinced.
You have to get your card pretty close for payment to be taken, like 5mm or so.

There is the conspiracy theory that people with wireless chip and pin devices are going around tapping people's bottoms, but I've not really seen any proper examples of that being 'a thing'.

You'll be asked to enter a pin if you use contactless too many times in a day, or try to make a contactless payment over a certain amount, I think it's £20 with my bank, or no more than 5 smaller payments.

It has been shown that it is very easy to read your RFID debit card while its in your wallet without you knowing and then clone the card.

I did have a fraudulent attempt a few months back and God knows what software the banks use, but i got a text straight away.

Being naturally suspicious, I called the banks 24hr fraud line rather than reply to the text, they confirmed they sent the text and already blocked the transaction, no money ever left my account.

Yep - that link from Jamie is to the awkward individual wallets for each card. Can't really be arsed with that faff. Hence the link to a 'credit card' card that protects all your other cards in if within 4cms.

There is the conspiracy theory that people with wireless chip and pin devices are going around tapping people's bottoms, but I've not really seen any proper examples of that being 'a thing'.

It has happened, but reality is that to actually get a merchant account and machine to do this isn't straightforward and you'd likely be shut down before the money even got to your account, so not a huge risk itself but picking up the card info for future use is more than easy enough, no idea if what is stored on the rfid chip can actually be used to put a transaction through though.

I know I tried it when they first came out and I could get the terminal to read a card in my wallet in my jeans.

There is the conspiracy theory that people with wireless chip and pin devices are going around tapping people's bottoms, but I've not really seen any proper examples of that being 'a thing'.

I've seen video demonstrations of stuff like that: people moving through busy trains, brushing through crowds etc and picking up dozens of cards as they go.

That physical part isn't that hard and it is easy enough to re-engineer the tech to make the reader part discrete enough to not be easily noticed.

The "security" comes from the banks only accepting contactless payments from recognised vendors plus the audit trail it then leaves.

It has been shown that it is very easy to read your RFID debit card while its in your wallet without you knowing and then clone the card.

Yep - that link from Jamie is to the awkward individual wallets for each card. Can't really be arsed with that faff. Hence the link to a 'credit card' card that protects all your other cards in if within 4cms.

I have a [url= https://www.amazon.co.uk/Fold-Leather-Credit-Holder-1642/dp/B002AALP7K/ref=sr_1_2?ie=UTF8&qid=1490135107&sr=8-2&keywords=1642%2Bcard%2Bwallet&th=1 ]card wallet[/url] with 2 outer card pockets. One of those slip style sleeves in each side, like a sandwich, protects all cards inside.

Seems to work when I hold my wallet near a contactless payment terminal, and only a couple of quid. Which is the only reason I use them. At £25 I'd take my chances.

Exactly, worst case scenario you'll get screwed for about £25, but the software they use knows your spending patterns, so it's unlikely to even go that far.

picking up the card info for future use is more than easy enough, no idea if what is stored on the rfid chip can actually be used to put a transaction through though.

No. Not for banks cards anyway. It doesn't just read numbers off the card, it's s two way protocol where the card uses a private key to encrypt challenge tokens which can be decrypted by the matching public key.

https://en.m.wikipedia.org/wiki/EMV if you are interested.

Care to back that up with actual, proven case histories from the wild,

Any idea how much banks quietly write off to card fraud every year because it's not in their interests to publicise it too much?

I certainly wouldn't take a lack of reports from banks as an indication that it doesn't happen.

I'll just drop this in here:
http://www.infoworld.com/article/3023422/security/why-you-dont-need-an-rfid-blocking-wallet.html

Whilst I'm not not for conspiracy theories, that article is over a year old. "Worried about RFID? Haha don't be silly, no-one has one of those."

Anecdotally (and ironically), a good defence against potential skimming threats may be to have multiple cards. A regular RFID scanner sees more than one contactless card, it goes "nope."

I'm guessing that article has an American focus:

"First and foremost, does your credit card actually have an RFID transmitter? The vast majority does not"

Contactless payment is a lot more common in the UK. All three of my bank cards have RFID, as does my pass for work.

https://en.wikipedia.org/wiki/Wireless_identity_theft

https://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/#3604a67778a6

Anyone killed the chip in their passports? Its always tempted me to do so when abroad and see what happens on my return when I have a valid passport with a dead chip

Mrs TJ may be the more sensible on tho in that she has said "no"

A good few years ago when the UK unilaterally declared we had to start showing our passports at borders again I was first off the ferry at dover on my motorcycle. On being asked to show my passport I told the chap it was buried in my luggage and that I would take a while he just waved me thru to avoid the queue

As I had left the UK without ever showing my passport I could easily not have had one with me.

Anyone killed the chip in their passports?

don't need to I'm always directed towards the scanners, and so far I've had a 100% failure rate.

CountZero - Member
I'll just drop this in here:
http://www.infoworld.com/article/3023422/security/why-you-dont-need-an-rfid-blocking-wallet.html

That is a very weakly argued clickbait piece. His problem is that RFID protection is an unnecessary industry, but there are plenty of other unnecessary things to spend money on.

Argument 1: less than 1% of people have contactless credit cards so don't worry about it. [url= http://www.theukcardsassociation.org.uk/contactless_contactless_statistics/ ]This website[/url] suggests there are over 100m contactless cards active in the UK.

Argument 2: "It would be a lousy use of a criminal mastermind’s time [to RFID skim]. Today’s smart criminals break into websites and steal hundreds of thousands to tens of millions of credit cards at a time." Today's best robbers break into banks and jewellers, but that doesn't mean people aren't breaking into houses or nicking bikes as well.

Argument 3: "Still worried? If you actually have an RFID-enabled credit card, it turns out aluminum foil does the same job, if not better, than an expensive RFID-blocking sleeve." £5 isn't expensive, and it could save you money.

I think I'd get one if I lived in London and used the tube a lot as that puts you in a situation where you're regularly in scanning distance of strangers. Still it might all be theoretical and losses are covered by your bank but for the price of a wallet/blocking card it's useful peace of mind (and yes I'm aware there's a whole raft of junk products that sell purely based on the illusion of peace of mind :p ).

[img] [/img]

I'll just drop this in here:
http://www.infoworld.com/article/3023422/security/why-you-dont-need-an-rfid-blocking-wallet.html

Given how far the US lags behind UK/EU when it comes to the adoption of newer banking technologies like chip+pin/contactless, I'd take that article with a little bit of a salt.

Here's some light reading:

https://www.theatlantic.com/business/archive/2016/03/us-determined-to-have-the-least-secure-credit-cards-in-the-world/473199/

https://arstechnica.com/business/2014/08/chip-based-credit-cards-are-a-decade-old-why-doesnt-the-us-rely-on-them-yet/

http://edition.cnn.com/2015/08/20/opinions/dodge-credit-cards-chip-and-pin/

I'll get one next time I get a wallet. Few weeks back my (mrsmidlife's work, all our car expenses for one of our cars go through it) contactless credit card paid for fizzy drinks and chocolate while I was getting my everyday card out. The wallet hadn't gone closer than about 8cm to the reader and it took a good 15 minutes of faff to work out which card had paid for it, get it refunded(had to fetch the shop supervisor back from their break) and properly pay with my everyday(non-contactless) debit card.

One thing that really annoys me about this is my bank no longer issues non contactless cards so I do not have the option not to have a contactless card. That annoys me. I have never used contactless and never will so any contactless transactions on my account will be fraudulent. I can't even get the bank to deactivate contactless on my account but if I kill the chip I can no longer use the card at all.

My bank (Lloyds) was happy to re-issue me with a non contactless when I asked, this was about 2 years ago, they might have changed policy. At the time I was trying to keep to a single contactless in my wallet to avoid cross paying while allowing me to not take the card out of the wallet.

I don't trust anything that doesn't EIAP

but for the price of a wallet/blocking card it's useful peace of mind (and yes I'm aware there's a whole raft of junk products that sell purely based on the illusion of peace of mind :p ).

Suppose that's the issue, if you don't want to change your wallet, don't want to cover every card in tin foil 🙄

Then if you want to buy a blocking card - which one do you buy as how do you know if you have bought a good one or bad one.

The one I linked to at the top looks good but it's £25 but you can also buy well reviewed ones on amazon (supplied by) for £12.

Personally I really like contactless payment and I'll take the convenience over the pretty mild security risk any day.

It's definitely more secure than cheques or the old magstripe + signature method. And I'm sure that skimmers on ATMs and payment terminals are far more common than rogue RFID scanners with valid merchant accounts.

I don't trust anything that doesn't EIAP

What's that? AcronymFinder is giving me nothing.

I have never used contactless and never will

Why not?

And what [i]do[/i] you use?

Cougar - so that if there are any contactless transactions on my account I will know they are fraudulent
Graham - usually cash sometimes use the chip and pin

If you don't like the idea of non-authorised contactless payments, just get a new card issued from your bank without contactless and then add it to your iPhone (other phones available) and use the contactless on there instead?

That's what I do and it's really easy. No contactless on my cards but all in my phone and Apple Watch. (which is *really* convenient)

Rachel

allthegear - my bank no longer issue any contactless cards. I asked them. Neither of the banks I hold accounts with

Rachel, do you really think the paranoid luddites who won't use Contactless are going to be happy using a phone instead?

I am not sure how putting a card on my phone will help anyway
[img] [/img]

Graham - usually cash sometimes use the chip and pin

So do you think that Chip+Pin or getting cash out an ATM is more secure than contactless?

You still in Edinburgh these days? Used the Tesco garage in Dunfermline recently?

https://www.thecourier.co.uk/fp/news/local/fife/390322/skimming-device-found-at-dunfermline-petrol-pump/

if I kill the chip I can no longer use the card at all.

There will be an antenna running around the near edge of the card.
You can break the antenna without breaking the chip.
🙂

Which banks, tjagain?

Clydesdale certainly - I think BOS said the same when I asked them -

My preferred medium of exchange
[img] [/img]

I've skim read the thread, so someone may have said this already, but there's an important difference between whether scamming an RFID card is technically possible (which it probably is) and practically feasible (which it probably isn't).

To process a debit/credit card payment, you need to be a vendor with a Merchant ID issued by an acquirer, i.e. a bank. That ID is registered against the bank account that the funds will go to, and to open a bank account you have to jump through a lot of Anti Money Laundering and ID hoops. The paper trail from the person waving a card machine around your crotch on the tube, and the ultimate recipient of the funds would be clear and conclusive, so it's just not worth it from a scammers perspective.

My preferred medium of exchange

Ah, so you've moved to Fife then? 😉

I love contactless!

I realised I didn't use my all my cards much and used my watch to pay for everything contactless, which is easy as I don't even have to whip my wallet out

Thanks to the slim wallets thread a while ago I bought a Hacket x Trove and carry 3 cards now - work ID, debit card, driving licence - plus some cash. I use all of these regularly enough to warrant carrying them (driving licence less so, but it's handy and I have my ICE details on it)

I was thinking about some sort of RFID type material or a RFID blocking card but then figured it was just a money spinner and extremely unlikely to happen (I live and work in London)

[still love my little wallet too :-))

In all seriousness I know not using contactless does not really improve my security. However because contactless payments show up differently on my statement it simply means that I can see any fraudulent contactless payments at a glance - as any contactless payments on my account will be fraudulent

@tjagain - does that logic not seem slightly flawed? I'm surprised you moved away from shillings and cheques? 😯

However because contactless payments show up differently on my statement it simply means that I can see any fraudulent contactless payments at a glance - as any contactless payments on my account will be fraudulent

How long did it take for you to adopt debit card use ?

I use a RFID blocker in my wallet, I remember reading an article where someone setup a card reading device and was able to log over 100 card an hour in a busy park, this was a few years ago.

If in London, I would be worried, they no longer need to touch your wallet to get your money, but again this has been going on for years.

[img] [/img]

Call me a tin foil hat wearer if you like, but isn't that like saying pick pocketing isn't real. RFID hacking has been going on for many years now, it's just easier to secure yourself than keep up to date with the new hacking techniques. These days it's even easier, as it's quite easy to disguise your true identity when setting up as a merchant.

As someone above said, disable the RFID and use your iPhone, at least it requires a fingerprint as well.

Wouldn't pay for a blocker.
A piece of foil is plenty.

There's a vid somewhere on youtube demonstrating the active blockers. Probably eevblog? I certainly remember some store where they had these blockers on display at the till... you can see where this is going... all contactless payments were failing 😉

If in London, I would be worried, they no longer need to touch your wallet to get your money, but again this has been going on for years.

That picture has been doing the rounds for a while. It's not taken in London, it's from Russia.

It really doesn't matter where it was taken, but good to know, it's not like it can only happen in Russia. 😉

That's quite clearly a....

[img] [/img]

Inspired by this thread, I've just ordered one of these.

https://www.amazon.co.uk/Barclaycard-Contactless-Payment-Device-Smartband/dp/B01MZ95A44

Wouldn't pay for a blocker.
A piece of foil is plenty.

This.

If you want to be fancy, stick some foil onto a strip of gaffer tape and then cut to whatever shape you want (like a credit card shape maybe). On a three fold wallet putting a strip in the notes section should suffice.

It really doesn't matter where it was taken, but good to know, it's not like it can only happen in Russia.

Hah, and I've just spotted, the URL of the image is Snopes! I've found the full article:

http://www.snopes.com/fraud/identity/pickpocket.asp

If you're going to set up as a fraudulent merchant, there are much better ways of generating cash than wondering round the tube with a RFC reader or terminal!

tjagain - Member
One thing that really annoys me about this is my bank no longer issues non contactless cards so I do not have the option not to have a contactless card. That annoys me. I have never used contactless and never will so any contactless transactions on my account will be fraudulent.

Your stoic ability to adopt a contrary position for almost any conceivable aspect of life is quite something.

tips hat.

Your stoic ability to adopt a contrary position for almost any conceivable aspect of life is quite something.

tips hat.

He's contrary about headgear too.

(-:

Rik - Member

there must be a reason that pretty much every new wallet on the market has RFID protection.

Yep, marketing.

The UK's card and bank security is entirely built on 2 things- 1, blocking large frauds and not really giving a crap about little ones, and 2, paying customers back when it happens. It's the same for contactless- don't worry about being skimmed, it's extremely unlikely and if it does happen it's a trivial thing.

Do check your statements though. I'd bet money that lots of people who're paranoid about skimming etc don't bother to routinely check their bank accounts

Cougar - Moderator

Your stoic ability to adopt a contrary position for almost any conceivable aspect of life is quite something.

tips hat.

He's contrary about headgear too.

(-:

Not at all. I have a fine selection of hats. Fedora, Panama, no baseball caps tho

entirely consistent 😉

I have two debit cards that look identical, one on my account and one on our joint account. For years, to avoid getting them mixed up I've cut a corner off of one. That one doesn't work contactless, the whole one does.

So if you are worried, don't buy a wallet, just grab the sissors.

How much to repair an ATM after someone stuck a damaged card in it, I wonder...

(-:

Interesting that people have bought RFID wallets probably as they liked the wallet but it would seem nobody has bought a separate RFID 'protector' credit card........

There was a thread about a year ago on this :

http://singletrackworld.com/forum/topic/rfid-skimming-something-to-worry-about/page/3

look for deadkennys comments on page 3...

How much to repair an ATM after someone stuck a damaged card in it, I wonder...

I wouldn't know, but you'll be relieved to know it works fine (and has done for the last 15 years). You only need to trim the corner, not cut the thing in two.

I may not have been entirely serious.

Terminals can't read more than one card presented together, so if you have more than one contactless card you should be ok, right? I have about five. Maybe just having an old expired contactless card in the wallet would work?

I have often thought it would be cool to have a wallet with RFID protection except for one slot. Then I could put my main account card in it and just beep my wallet instead of having to remove the card. Although that would then break the security concept above 🙂

I may not have been entirely serious.

Sorry! Rubbish day........

I have often thought it would be cool to have a wallet with RFID protection except for one slot. Then I could put my main account card in it and just beep my wallet instead of having to remove the card. Although that would then break the security concept above

I have my main card in one half of my wallet and all the others in another. When I need to pay I just open my wallet, ping the right side and put it away again, no card removal necessary.

I have often thought it would be cool to have a wallet with RFID protection except for one slot. Then I could put my main account card in it and just beep my wallet instead of having to remove the card.

I have exactly that. I'm not bothered about the security aspect of it (as I think the real risk is so tiny) but I want to make sure I'm paying with the right card.

Terminals can't read more than one card presented together, so if you have more than one contactless card you should be ok, right?

Assuming that's correct, it's poor coding. It'd be trivial to reject a card scan that's inside of, I don't know, a second of the previous one.

Maybe that's why multiple cards dummy the readers; it's not that they [i]can't[/i] read multiple cards but rather that they don't know which to read and so reject the transaction?

I killed the contactless on my card by washing it, tumble drying it (which bent the card to the shape of the drum) then using an iron to flatten it again. et voila a non contactless card.

To be honest though if you are worried about the small possibility of someone reading your card, buy a RFID blocking wallet. It is probably less hassle than the above.

Personally i love contactless payment, but like many have mentioned i use apple pay (or android), this uses an encrypted one time use tokenized system which i think is far superior than just using the card.

My actual cards now live in my work bag, and i only get my wallet out when making purchases above 30 pounds, which is quite rare.

this uses an encrypted one time use tokenized system which i think is far superior than just using the card.

That doesn't sound hugely different to what I understand the card protocol to be.

Main benefit of using a phone seems to be the requirement for a fingerprint.

Mind you at least with a card you can be sure there are no malicious programs running in the background that might try to intercept it somehow.

Two of my 3 cards in my wallet are RFID

One is my work pass, then driving licence, then bank card

Middle one is obviously not RFID. I can hold the wallet to the reader and it reads, with all 3 cards stacked. I just turn the wallet the right way round

Assuming that's correct, it's poor coding. It'd be trivial to reject a card scan that's inside of, I don't know, a second of the previous one.

Maybe that's why multiple cards dummy the readers; it's not that they can't read multiple cards but rather that they don't know which to read and so reject the transaction?