Wallets with RFID electronic blocker type materials?

[Dan Friedrichs]

Plenty of documented cases, just few make it to the light of day for the mainstream media. There's a reason us security researchers continue to work in this field.

Quite a few PIN/chip cards out there are NFC. Technically, these should be considered NFC cards, not generic RFID.

I'm genuinely curious about this, because I couldn't find a single news report of such a crime. Sure, I don't doubt that it has happened, but if it were a problem worth worrying about, you'd think there would be at least a few credible news reports of it happening? Buying a wallet specifically to avoid this "risk" seems squarely in the "tin foil hat" category (simply because the risk is extremely low). The type of sophisticated criminal who would be able to acquire and covertly operate a RFID/NFC reader is probably capable of some less-risky type of fraud (than following around people in the mall and trying to covertly sneak up to their back pockets with equipment hidden under a trench coat or something).

FWIW, I would NOT want an RFID blocking wallet. I have a single card with an RFID chip, for an access-controlled door, and I can just bump my back pocket against the reader as I walk by.

[Tom M King]

To me, the sleeves are not about blocking RFID, but about making the card last. I tried the Tyvek sleeves but they didn't improve the life of the card. Not only did our bank charge for a replacement card (I don't know if they still do or not), but it was extra time for me to have to go to the bank to order a replacement, and then wait for it to come. For whatever reason, the strip on it would only last about 3 months. They used to last longer before they started charging for them. I think they may only send out a replacement automatically every year or two, but haven't kept up with that either. Since I've been using the sleeves, the cards still work strong, and a replacement comes in the mail before I need it.

[Dan Hintz]

I'm genuinely curious about this, because I couldn't find a single news report of such a crime. Sure, I don't doubt that it has happened, but if it were a problem worth worrying about, you'd think there would be at least a few credible news reports of it happening? Buying a wallet specifically to avoid this "risk" seems squarely in the "tin foil hat" category (simply because the risk is extremely low). The type of sophisticated criminal who would be able to acquire and covertly operate a RFID/NFC reader is probably capable of some less-risky type of fraud (than following around people in the mall and trying to covertly sneak up to their back pockets with equipment hidden under a trench coat or something).

FWIW, I would NOT want an RFID blocking wallet. I have a single card with an RFID chip, for an access-controlled door, and I can just bump my back pocket against the reader as I walk by.

When a group can break into a system and steal millions of cards at once (ala TJ Maxx, et. al.), using NFC boxes to steal cards in onesies and twosies does seem pointless... but at that point, you have to realize they're targeting specific people (and not just credit cards, either... passports are a big deal). And look at it from a different angle... how does someone know their CC info was stolen via NFC? The card itself is never out of the owner's possession, and it's not like the card beeps and tells you someone accessed it.

Imagine this scenario: You're walking through your local mall, strolling from store to store, but never actually buying anything (CC stays tucked away in your wallet). But you just made a purchase while you were perusing store #3, unbeknownst to you, of course. Some guy had an e-cart order waiting for a credit card entry... his "swiper" stood next to you for a few seconds while you both stared in the display case at Sears, giving her the opportunity to connect to your card via NFC. Your card just provided the details for the transaction to go through. You didn't notice the unassuming woman, but you just bought the both of them a $2,000 Gucci bag, which their "casher" will sell on eBay for half of that.

It's not complicated technology, it can be purchased online for dirt cheap, and you're stuffed with the CC company discussion. It appears completely random to the CC company, of course, particularly if the "swiper" moves from area to area.

[Dan Friedrichs]

Appropriate GIF for this topic.

Sure, I believe it's do-able. But if someone steals my credit card number (which has happened perhaps a half-dozen times in my life....and I've never had an RFID or NFC card), the issuer just takes care of it and overnights me a new card. Not my problem. If this were such a risk, the card issuers wouldn't be enabling the technology.

Anyhow, my point was that "RFID blocking wallets" are about 10 million times more popular than necessary, given the near zero risk of this actually happening to someone. Junk marketers have sold the public on the idea that they need this to be "safe", when in reality, the incidence of this happening is immeasurably low, and the impact of it happening is essentially zero. In terms of risk/reward, spending even a cent on some "protection" from this risk is not worth your money.

[Brian Elfert]

Both Chase and Capital One state that none of their credit cards have NFC or RFID capabilities. Cards that do have NFC or RFID capabilities usually will have Zip, Paywave, Paypass, or ExpressPay on the front of the card.

I do keep my cards in Tyvek sleeves, but that is stop wear, not for RFID blocking. Some Tyvek sleeves can block RFID, but no idea on mine.

[Matt Meiser]

Card issuers should improve their technology if its that easy. I'd say those who are the ones who will bear the initial cost of fraud (actual costs and lost opportunity due to the bad publicity) aren't too worried about it--most retailers haven't even enabled the chip readers on their terminals yet.

Smart phones sound like a pretty good approach. Not that its fool proof but when I pay with Apple Pay I need to hold the phone very close to the reader and then confirm the payment with my thumbprint. No one ever touches my card which is the most likely way for my info to get stolen, and I was told by an Apple employee that the information is useful only within the current transaction. They can't even identify me as a repeat customer in their own system to send me an e-receipt without me giving them my email address again.

I started carrying a thinner wallet in my front pocket. I have photos of quite a few of my non-essential, non-bank cards on my phone instead of carrying them and use a phone number or the retailer's app look up most loyalty cards . My cards are holding up a lot better since I stopped sitting on them.

[Myk Rian]

Appropriate GIF for this topic.

Sure, I believe it's do-able. But if someone steals my credit card number (which has happened perhaps a half-dozen times in my life....and I've never had an RFID or NFC card), the issuer just takes care of it and overnights me a new card. Not my problem. If this were such a risk, the card issuers wouldn't be enabling the technology.

Exactly. Let them get my card info. Happened once, and didn't cost me a dime. It got jacked at a gas pump.
My CCs don't have RFID. They have a chip. Blocking wallets are useless. With a smart phone, you can install RFID apps. Do that and try to read your cards.

[Dan Hintz]

I do keep my cards in Tyvek sleeves, but that is stop wear, not for RFID blocking. Some Tyvek sleeves can block RFID, but no idea on mine.

Tyvek alone will not block NFC (it's a non-conductive polymer)... if you have a Tyvek sleeve that is blocking it, there must be a heavy amount of carbon embedded in it (and is likely sold as an NFC-blocking device).

[Roger Feeley]

Mike,
I would narrow your comment to:
"It's unlikely that you have a single RFID credit/debit card in your wallet"
Other than that, you are exactly right. The chips in the credit cards are contact cards.

I work for a sniffer company and wrote their NFC protocol decoders. I carry a DC Metro Smart card that uses NFC and I can see the MiFair data but it's encrypted. If someone passes by me and rubs up against my card and reads it, they would still have to get past the encryption to get any personal information.

There is a difference between RFID and NFC. RFID generally refers to those tags that they put on stuff in stores. You walk between the store pylons and the tag sets off the alarm that everyone ignores. NFC is the same basic tech but runs on different frequencies.

[Erik Loza]

I have an RFID wallet. "Allett" brand...

https://www.all-ett.com/

Looks like your average gentleman's black leather wallet on the outside but the inside is a nylon type fabric. Apparently, it has metal mesh or whatever they use to block skimmers. I like it, no complaints. Couldn't tell you if it works or not. It is American made and I will say say that it has lasted a lot longer than $15-$20 leather wallets I used to buy at the mall. We also have RFID blocking wallets for our passports.

Erik

[roger wiegand]

OK, I'm curious. I didn't go to Evil Medical School when I had the chance, so I have no idea what someone can do if they get the information off your passport. It has:

Your name
Your birthdate
Your address
Your gender
Place of issue
Date of issue
Date of expiration
Passport number

The first four items are readily available from many different public record sources. What nefarious plot is possible given the added information of the last four items? My imagination is failing me. I've shown my passport to random officials, airline people, and hotel clerks in countries all around the world and never given it a second thought even though the guy I'm giving it to could well be a Nigerian Prince on the internet at night.

[Erik Loza]

OK, I'm curious. I didn't go to Evil Medical School when I had the chance, so I have no idea what someone can do if they get the information off your passport. It has:

Your name
Your birthdate
Your address
Your gender
Place of issue
Date of issue
Date of expiration
Passport number

The first four items are readily available from many different public record sources. What nefarious plot is possible given the added information of the last four items? My imagination is failing me. I've shown my passport to random officials, airline people, and hotel clerks in countries all around the world and never given it a second thought even though the guy I'm giving it to could well be a Nigerian Prince on the internet at night.

I'm no expert on any of this but my understanding is that a bad guy could conceivably skim your info and create a bogus passport with it, which could be a national security risk. Though, I just read that apparently, US passports already have some type of metal layer built into the RFID chip to help prevent this. My feeling was that the RFID passport wallet was not much more than the regular passport wallet, so why not? Maybe they got one over on me.

Erik

[Thomas Cooney]

Check out this TED talk. The whole thing is great but the portion relevant to this conversation starts at around the 10 minute mark.

https://www.youtube.com/watch?v=hqKafI7Amd8

[Don Morris]

It seems Europe has started adopting some form of embedded chip type of card. From Rick Steve's Europe: "My readers tell me their American-style cards have been rejected by some automated payment machines in Great Britain, Ireland, Scandinavia, France, Switzerland, Belgium, Austria, Germany, and the Netherlands. This is especially common with machines at train and subway stations, toll roads, parking garages, luggage lockers, bike-rental kiosks, and self-serve gas pumps. For example, after a long flight into Charles de Gaulle Airport, you find you can't use your credit card at the ticket machine for the train into Paris. Or, while driving in rural Switzerland on a Sunday afternoon, you discover that the automated gas station only accepts chip-and-PIN cards.In most of these situations, a cashier is nearby who can process your magnetic-stripe card manually by swiping it and having you sign the receipt the old-fashioned way. Many payment machines take cash; remember you can always use an ATM to withdraw cash with your magnetic-stripe debit card. Other machines might take your US credit card if you also know the card's PIN — every card has one (request the number from your bank before you leave, and allow time to receive it by mail). In a pinch, you could ask a local if you can pay them cash to run the transaction on their card."

[Harry Hagan]

Cell phones use Near Field Communications or NFC. You cannot enable Apple Pay without having a passcode or Touch ID enabled. If the phone is lost and you go to Apple.com and put it in lost mode then Apple Pay is disabled. I have an iPhone and haven't set up Apple Pay because a lot of places don't take and it is just as easy to take out a card as to grab your phone and unlock and whatever. I maybe should set up Apple Pay for the places that take Apple Pay, but still don't take chip cards.

It’s my understanding that when the Apple Pay application on your iPhone communicates with the transaction terminal via NFC, a unique transaction number is generated that expires in one minute. Also, no personal information of any kind is shared. These features combined with a fingerprint acknowledgement supposedly make the transaction more secure.

You can also have your credit card company notify you immediately via email and text messaging after your credit card has been charged. For example, when dining out, the email / text arrives before the server returns to your table. Bank account balances can be updated daily too.

Don’t wait for your monthly statement to find out that someone has been ripping you off!