February 23, 2018
Early on as credit card and other companies were experimenting with various methods for payment, the ability to have a “contactless” payment form was created. This allowed those who had cards with RFID (Radio Frequency Identification) technology to place their card close to the receiving payment device and pay for the purchase without the need to swipe their card (although swiping technology ala the magnetic strip is still there).
These types of cards have marketing names on the card like PayPass, Blink, PayWave, Express Pay, etc. If you have any of these on your card or a wavy logo, then you have an RFID enabled card.
Security researchers proved quickly that the RFID technology had its weakness in the close field transmission convenience it provided to users. Since it was a signal, it could be picked up by anyone with the right equipment, who could clone a card’s information and use it for fraudulent purchases. But there’s a problem with the real-life implementation of this idea being a holy grail for criminals. It's one thing to find a problem in the research lab, it's another to see it used in the real world.
For starters, you have to be within a few feet and sometimes inches of the transmitting card to read it. Criminals aren’t that stupid. To start with, the percentage of credit cards with RFID transmission technology is small, statistically around zero percent. So would a criminal stand on the corner of a busy street for hours hoping to catch a would-be victim when the likelihood of success is so low? Probably not, they know they can spend their time more effectively doing something else. The cost of acquiring all the equipment needed to “sniff” an RFID signal is much more than the cost of just going to the underground Internet and buying bulk blocks of credit card numbers. They know how to use their time for the best return, and not waste it on something with little chance of success.
But what about other RFID enabled items like Passports, ID cards, driver’s licenses, etc? Well, the best a criminal might glean from those items is an address. That information is ubiquitous and frankly, not very useful to them, another logical reason an RFID blocking sleeve is not needed. So what about the risks in today's market?
As technology tends to do, it advanced quickly and the use of RFID has quickly fallen out of favor as the new EMV chip cards were adopted. As credit cards expire, new ones are issued and as new technology advances so too are new cards issued. Some companies like American Express still offer all three options on their card; contactless, magnetic stripe and EMV chips for convenience, but with the country-wide move to EMV, vulnerable RFID has gone the way of the dinosaur, thus why the need for an RFID blocking sleeve is gone.
Additionally, with the move toward mobile payments using cell phones and wearables, it has diminished the allure of an all RFID world. For example, the new metallic square chips on the new cards being issued are NOT RFID, and any new RFID cards now incorporate a chip-and-PIN protection scheme which generates a new password key between the card and the machine every time it’s used for payment which makes it near-impossible to capture and replicate.
As Roger Grimes of InfoWorld expressed it, the RFID “scare” is nothing but “entertainment for the paranoid”. But that in itself makes this a wonderful opportunity for companies to capitalize on the scare and make some money! We can even find the Electronic Frontier Foundation trying to sell you a an RFID blocking sleeve. You will see that despite the lack of any real threat, companies have rushed to produce unique wallets and purses which block RFID. You have as many RFID blocking wallet choices as you do for normal wallets. The fact remains, however, that this is a marketing opportunity, there is no real threat to your wallet from RFID “skimming”. RFID wallets and purses continue to be sold at an increasing rate with nothing more to support the hype than fear. The bulk that the additional material adds to a wallet or purse isn't justified since there is no credible threat.
June 18, 2021
September 23, 2020
July 23, 2020