Contributor
My vehicle comes with a fob that locks/unlocks the doors and must be present to start the vehicle.
My paranoia led me to purchase a "Faraday cage" holder. With the fob inside the holder it could still work the locks and other functions. Seemed like a bum deal to me.
jtk
"A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty."
- Sir Winston Churchill (1874-1965)
Contributor
I have a similar issue. My car and fob communicate if they are closer than about 15 feet from one another. I have to make sure when I store the fob it's farther than that from the car. If not it will wake the car up and the and two will jabber constantly and run the battery down over a few days.Originally Posted by Jim Koepke
Sharp solves all manner of problems.
Member
I had to get an RFID-blocking sleeve for one of my cards—my employee ID. It used to be my badge access to secure buildings and areas where I work, but my employer went to a system that did not have our pictures and place of employment on the card (wise). So I was issued a new card. With both cards in my wallet, the badge scanners would not correctly read the new card. With the blocking sleeve on the old ID, the new card reads just fine. Strangely, none of my credit cards seem to interfere.
Contributor
I have always heard (from credible sources) that this was an overblown threat and RFID protection was unnecessary.
< insert spurious quote here >
Member
I can believe it, half the time the silly tap card readers don't work when they're supposed to. How is a covert reader supposed to do any better?
Contributor
I think that the idea that criminals don't already have ready access to my credit card information without bothering to try to scan my pant's pocket is a fantasy. I've sent the information to many hundreds of vendors and handed my card to dozens and dozens of cashiers and waiters who could easily have collected my information, complete with the security code that is often required. Each of those vendors in turn keeps the information on computer systems that are subject to wholesale hacking and collecting CC information for thousands to millions of people at a time. If you are so inclined you can go to the "dark web" and buy as many valid credit card numbers as you want, any time, any day for pennies apiece without bothering to go out and collect them yourself.
So no, this is not something I would bother with.
What I do do is to check my bills carefully every month; sometimes there are bogus charges and I report them. So far they have always been reversed immediately and without any hassle other than having to make the call and get a new CC number. More often the credit card company flags the transaction for me as bogus.
For a real increase in security I think the best option is to use a service like ApplePay. They use a single-use number system so that the information passed to vendors is only good for one transaction, stealing the number is useless.
In the rest of the world system have been implemented in restaurants and such with mobile terminals so you never have to hand your card or phone to some unknown person and have them disappear into the back room with it to do who knows what with it. I hope the US will eventually catch up.
[OP]
Contributor
All good insights. Thanks folks!
Fred
"All that is necessary for the triumph of evil is that good men do nothing."
“If you want to know what a man's like, take a good look at how he treats his inferiors, not his equals.”
Contributor
My understanding is the only thing a contactless credit card transmits is a one time use number, not your actual credit card number. I suppose someone could set up a transaction on an actual card reader and then get close enough to process a legitimate transaction. I know that contactless cards have to be really close to the reader to work. Not something I really worry about.
Contributor
I think Brian is correct. My understanding of the card (the most recent specification) is that they exchange public keys with either the point of sale (POS) terminal or with the Visa/Mastercard system, and then encrypt everything after that. Not only that, but the transaction ID is unique for each transaction - the actual card number, expiration date, CVV, and holder's name is never transmitted.
I did a bit of research on this and there were no reports of card theft by skimming the RFID.
The people who design these systems are plenty smart. The specification is done in a standards meeting and when a proposal is made, many other people try to break it. It was considered a status symbol if you could break another company's submission. That doesn't mean that there can't be holes, but I haven't heard of any on RFID credit cards. If there were, the technique would spread very quickly and we'd all hear about it. And the credit card companies would replace all our credit cards.
[I participated in standards meetings when I was working - mostly communications. International standards are mostly done through the United Nations but there are a few other groups that develop standards that are adopted internationally. I think the credit cards are done in ISO.]
Mike
[I believe the technique is essentially the same for contact cards and for contactless cards - and very similar for Apple Pay and Google Pay. The credit card people introduced the RFID technique to combat Apple Pay and Google Pay. People were not even carrying their cards any more - they just used their phone.]
[Credit card fraud for in-person transactions is essentially gone, except for stolen physical cards, as long as the chip is used in the transaction, not a swipe. The fraud now is on the Internet.]
Last edited by Mike Henderson; 12-31-2022 at 11:07 AM.
Go into the world and do well. But more importantly, go into the world and do good.
Contributor
Yes, in that case you were sold a bill of goods. Car fobs are profoundly different from RFID credit cards. They have their own on-board power source (the battery) and are designed to work from a distance. So, the signal you are trying attenuate is much, much stronger than in RFID, and the faraday "cage" (probably a bag) has to more reliably radiation tight. A lot of them aren't, and if you have a tear, hole, significant wear, or simply don't close them properly, even the good ones will fail.
Cars also have much poorer security in the handshake between the fob and the car, than do credit cards between the card, the reader, and the bank, although newer models are getting better. But fundamentally, they are not very secure and most are eminently hackable. You can find instructions on the interwebs for how to build a hacking device that works on most cars.
Also, it matters that hackers aren't after your fob, the way they are after your credit card. They want your car, and your fob protector does nothing to make it more secure.
Last edited by Steve Demuth; 12-31-2022 at 1:53 PM.
Contributor
The hackable car key fobs use a fairly simple technique. Both the car and the fob have a pseudo random number generator and both use the same seed - so both will generate the same sequence of "random" numbers. It's essentially impossible to know the next number if you don't know the seed. And it's almost impossible to determine the seed from a couple of the random numbers.
In older cars, you had to press an "unlock" button to unlock your doors (or a "lock" button to lock the doors). When you pressed the button, the fob generated the next random number and sent it to the car. The car would look at the next several random numbers that it generated (because you could have pressed the key away from the car, and generated a random number then). The number of numbers used to be 250 numbers. If the number from the fob matches any of those 250 random numbers, the car would open (or lock). (if you exceeded 250 button presses away from the car, the fob would have to be reprogrammed to the car.)
Those systems could be hacked but it was difficult. The way you'd hack it is to have a device that received the signal from the fob but blocked the ability of the car to receive it. The car would not respond because it didn't receive any signal. So the owner presses the key again and a new random number is generated. This number is also received and stored, and the first random number is sent to the car, which responds to it and opens the doors. This gives the hacker the second number to use to open your car in the future, assuming you don't press the key button again. Once a number in the sequence is used, only future numbers are valid. So if you get into your car and drive it off, then lock the car at some other site, the stolen number will not work. This would only be of use when you're locking your car and walking away.
To do this hack requires the hacker to be very close to your car WHEN you are attempting to open or lock the doors - ideally between you and the car.
But newer cars do things differently - you don't have to press a button. For this system to work, the car has to be transmitting the next "random" number (just one number, not running the sequence) over and over. When the fob gets close enough, it receives the signal, checks the number to see if it is in the allowed future sequence and, if so, it sends back a number in the sequence to the car.
To hack this system, the hacker depends on your fob being some distance from your car, maybe in another part of the house, or in your pocket as you walk away. The device they have will receive the number from the car, and send it to your fob. It will be valid and the fob will respond with the correct response. But the fob will be too far from the car for the car to receive it.
The hacker can then replay the fob's response to the car and the car will open. But if an additional number sequence is required to start the car they will not be able to start it. It's almost impossible to know what the next number in the sequence is without the seed. They can steal things from your car that way. If the system doesn't require another number to start the car, they can steal your car.
The question is whether there's enough value to the hacker to do this - can they steal enough from your car to make it worth while?
At least that's my understanding of how these things work.
Mike
Last edited by Mike Henderson; 12-31-2022 at 8:47 PM.
Go into the world and do well. But more importantly, go into the world and do good.
Moderator
Fred, if you end up looking for a conventional bi-fold wallet, the Hanks Leather Goods wallet is hard to beat.
My wife uses the RFID sleeves. I don't worry too much about it.
Contributor
I bought one of the Ridge Carbide card wallets, as I was looking for a smaller form factor to carry my cards in my front pocket. I tried a no-name brand that cost less than $20 for a couple of months, to see if I liked the format, and I found I did, so I ordered the more expensive Ridge Carbide. It's advertised as RFID blocking, and I believe it. There are times when the wallet shifts to lay on top of my key fob when it is in my pocket. When this happens, my car will not detect the fob (the dreaded "Key not detected" when trying to start the car) and I have to shift the wallet over so it is not on top of the key fob. Other than that, I have no complaints. I don't know if the Ridge Carbide is worth that much more money than the knock-off, but it has held up for about a year now with no signs of wear.
Contributor
There’s a big difference between rfid and NFC which is what’s in your wallet. Both use the same underlying idea. A powered device (the initiator) transmits some sort of challenge to your card (the target). Your card receives just enough power in that challenge to transmit its response.
RFID is fairly long range. I have an Easy Pass in my car to pay tolls up and down the eastern seaboard. It’s used by stores to thwart shoplifters.
NFC runs on a different frequency than RFID. It’s range is very limited, maybe 6”. The most common use these days is credit cards but there are all sorts of neat applications. You can move a lot of data if you want to. You just do it 16 bytes at a time. I proposed to a friend at harming that they partner with the state and national parks. You tap a spot on a map and the trail route is downloaded to your gps.
Im not too worried about someone getting my card, true, they could transmit a challenge from far away but they would need to be close to receive a response.
Contributor
Since this thread has been rejuvenated I've learned a little.
The "Faraday cage" holder came without instructions. There is a pocket on the top of the pouch that when opened appears to be where one would hold the fob. There is what is almost a secret compartment that wasn't found until much later when trying to decide what to do with this thing.
Now it is used all the time to hold my vehicle's fob.
jtk
"A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty."
- Sir Winston Churchill (1874-1965)
Posting Permissions
Reply With Quote
Please help support the Creek.