Contributor
My understanding is the only thing a contactless credit card transmits is a one time use number, not your actual credit card number. I suppose someone could set up a transaction on an actual card reader and then get close enough to process a legitimate transaction. I know that contactless cards have to be really close to the reader to work. Not something I really worry about.
Contributor
Everything you said X2!Originally Posted by roger wiegand
Contributor
I think Brian is correct. My understanding of the card (the most recent specification) is that they exchange public keys with either the point of sale (POS) terminal or with the Visa/Mastercard system, and then encrypt everything after that. Not only that, but the transaction ID is unique for each transaction - the actual card number, expiration date, CVV, and holder's name is never transmitted.
I did a bit of research on this and there were no reports of card theft by skimming the RFID.
The people who design these systems are plenty smart. The specification is done in a standards meeting and when a proposal is made, many other people try to break it. It was considered a status symbol if you could break another company's submission. That doesn't mean that there can't be holes, but I haven't heard of any on RFID credit cards. If there were, the technique would spread very quickly and we'd all hear about it. And the credit card companies would replace all our credit cards.
[I participated in standards meetings when I was working - mostly communications. International standards are mostly done through the United Nations but there are a few other groups that develop standards that are adopted internationally. I think the credit cards are done in ISO.]
Mike
[I believe the technique is essentially the same for contact cards and for contactless cards - and very similar for Apple Pay and Google Pay. The credit card people introduced the RFID technique to combat Apple Pay and Google Pay. People were not even carrying their cards any more - they just used their phone.]
[Credit card fraud for in-person transactions is essentially gone, except for stolen physical cards, as long as the chip is used in the transaction, not a swipe. The fraud now is on the Internet.]
Last edited by Mike Henderson; 12-31-2022 at 11:07 AM.
Go into the world and do well. But more importantly, go into the world and do good.
Contributor
It's not necessarily a scam - the wallets may well incorporate faraday shielding to prevent RFID and NFC communications with your cards. That's not particularly hard to do.
But it won't make your cards significantly more secure, for a couple of reasons. First, the RFID and NFC capabilities used in cards require a reader to be within a relatively shortly distance of the card. They can't be read across the room, or as you walk by on the street. This is by design, and fairly inherent, because one of the things the reader is doing is transmitting power to the chip on the card via an induction circuit (like wireless phone chargers), so the chip can operate. They are thus already hard to read inside a wallet that is in a pocket or purse. Second, someone who does detect them can't learn much, unless they are bank tech that manages the information exchange. The cards work by doing a cryptographic handshake using one-use keys, and don't transmit sensitive information to the reader. Rather, they validate sensitive information sent to them by the reader.
Contributor
I don't know if the sleeves work or not for that, but they do protect the cards. The only time I've ever had cards last until they automatically send me replacements has been since I've been using the sleeves. Before, I don't think they lasted a year, or much more anyway if they were in my pocket.
Here's what my wallet looks like:
https://www.ebay.com/itm/16527882055...Bk9SR4SjlI-tYQ
I don't carry cash in it. I don't want anything bigger in my pockets, but the Pro Max iphone has to go in the other front pocket. Cash is just folded in my pocket with the little wallet. Any change goes in the floor of my truck if there are any quarters, or the cashier is told to keep it.
Last edited by Tom M King; 12-31-2022 at 11:20 AM.
Contributor
That's been one of my complaints - the cards wind up cracking in my wallet. I have a card from Chase that has a metal interior and that card has held up fine. But when they sent me a new card, they included an envelope for me to send the old cards back to them. I guess that's because you can't cut up the old card (well, maybe not with a scissors).
But I'll take the metal interior card any day over cracked credit cards.
Mike
Go into the world and do well. But more importantly, go into the world and do good.
Contributor
I recently moved to Michigan and when I got my new drivers license it came with an RFID sleeve which I immediately threw away not knowing what it was. My wife got hers a few days later and cleverly asked what the sleeve was for. I had to humbly go back and ask if they had spares. They are only for the super licenses that allow you to go anywhere.
Contributor
Yes, they do. I use simple tyvek sleaves for the same reason. Have lots of them from a previous gig, so no need in my lifetime to buy replacements. But if you were buying sleaves, also no reason not to get the RFID shielding version. They are only about two bits each in reasonable quantities.
Contributor
I've been through several different types of sleeves and like these the best right now. They also have the advantage of having color coded edges which makes it easier to keep up with which is what. They are ever so slightly thicker than most of the others I've used that didn't last.
https://www.amazon.com/Blocking-Prev...jaz10cnVl&th=1
Contributor
Yes, in that case you were sold a bill of goods. Car fobs are profoundly different from RFID credit cards. They have their own on-board power source (the battery) and are designed to work from a distance. So, the signal you are trying attenuate is much, much stronger than in RFID, and the faraday "cage" (probably a bag) has to more reliably radiation tight. A lot of them aren't, and if you have a tear, hole, significant wear, or simply don't close them properly, even the good ones will fail.
Cars also have much poorer security in the handshake between the fob and the car, than do credit cards between the card, the reader, and the bank, although newer models are getting better. But fundamentally, they are not very secure and most are eminently hackable. You can find instructions on the interwebs for how to build a hacking device that works on most cars.
Also, it matters that hackers aren't after your fob, the way they are after your credit card. They want your car, and your fob protector does nothing to make it more secure.
Last edited by Steve Demuth; 12-31-2022 at 1:53 PM.
Contributor
The hackable car key fobs use a fairly simple technique. Both the car and the fob have a pseudo random number generator and both use the same seed - so both will generate the same sequence of "random" numbers. It's essentially impossible to know the next number if you don't know the seed. And it's almost impossible to determine the seed from a couple of the random numbers.
In older cars, you had to press an "unlock" button to unlock your doors (or a "lock" button to lock the doors). When you pressed the button, the fob generated the next random number and sent it to the car. The car would look at the next several random numbers that it generated (because you could have pressed the key away from the car, and generated a random number then). The number of numbers used to be 250 numbers. If the number from the fob matches any of those 250 random numbers, the car would open (or lock). (if you exceeded 250 button presses away from the car, the fob would have to be reprogrammed to the car.)
Those systems could be hacked but it was difficult. The way you'd hack it is to have a device that received the signal from the fob but blocked the ability of the car to receive it. The car would not respond because it didn't receive any signal. So the owner presses the key again and a new random number is generated. This number is also received and stored, and the first random number is sent to the car, which responds to it and opens the doors. This gives the hacker the second number to use to open your car in the future, assuming you don't press the key button again. Once a number in the sequence is used, only future numbers are valid. So if you get into your car and drive it off, then lock the car at some other site, the stolen number will not work. This would only be of use when you're locking your car and walking away.
To do this hack requires the hacker to be very close to your car WHEN you are attempting to open or lock the doors - ideally between you and the car.
But newer cars do things differently - you don't have to press a button. For this system to work, the car has to be transmitting the next "random" number (just one number, not running the sequence) over and over. When the fob gets close enough, it receives the signal, checks the number to see if it is in the allowed future sequence and, if so, it sends back a number in the sequence to the car.
To hack this system, the hacker depends on your fob being some distance from your car, maybe in another part of the house, or in your pocket as you walk away. The device they have will receive the number from the car, and send it to your fob. It will be valid and the fob will respond with the correct response. But the fob will be too far from the car for the car to receive it.
The hacker can then replay the fob's response to the car and the car will open. But if an additional number sequence is required to start the car they will not be able to start it. It's almost impossible to know what the next number in the sequence is without the seed. They can steal things from your car that way. If the system doesn't require another number to start the car, they can steal your car.
The question is whether there's enough value to the hacker to do this - can they steal enough from your car to make it worth while?
At least that's my understanding of how these things work.
Mike
Last edited by Mike Henderson; 12-31-2022 at 8:47 PM.
Go into the world and do well. But more importantly, go into the world and do good.
Moderator
Fred, if you end up looking for a conventional bi-fold wallet, the Hanks Leather Goods wallet is hard to beat.
My wife uses the RFID sleeves. I don't worry too much about it.
Please help support the Creek.
"It's paradoxical that the idea of living a long life appeals to everyone, but the idea of getting old doesn't appeal to anyone."
Andy Rooney
Contributor
I bought one of the Ridge Carbide card wallets, as I was looking for a smaller form factor to carry my cards in my front pocket. I tried a no-name brand that cost less than $20 for a couple of months, to see if I liked the format, and I found I did, so I ordered the more expensive Ridge Carbide. It's advertised as RFID blocking, and I believe it. There are times when the wallet shifts to lay on top of my key fob when it is in my pocket. When this happens, my car will not detect the fob (the dreaded "Key not detected" when trying to start the car) and I have to shift the wallet over so it is not on top of the key fob. Other than that, I have no complaints. I don't know if the Ridge Carbide is worth that much more money than the knock-off, but it has held up for about a year now with no signs of wear.
Contributor
In very crowded situations like boarding a commuter train would be the biggest risk IMO. It would be easier to get a rogue card reader in closer proximity to others wallets/card holders. 'Social distancing' may help with that. I don't know if an RFID reader could be modified to work from distances greater than factory spec and still be unobtrusive. Of course if it worked at too great a distance it might try to read multiple cards at once so wouldn't work. I don't think RFID theft is one of the top risks to cards.
Contributor
Gimmick. (plus the extra characters)
Posting Permissions
Reply With Quote