WHO DISCOVERED THE RFID THREAT?
Early on as credit card and other companies were experimenting with various methods for payment, the ability to have a “contactless” payment form was created.
This allowed those who had cards with RFID (Radio Frequency Identification) technology to place their card close to the receiving payment device and pay for the purchase without the need to swipe their card (although swiping technology ala the magnetic strip is still there). These types of cards have marketing names on the card like <point to side of you> PayPass, PayWave, Express Pay, etc. If you had any of these on your card or a wavy logo, then you have an RFID enabled card. <act like fire on card, put down and stamp out>
Security researchers proved quickly that the RFID technology had its weakness in the close field transmission convenience it provided to users. Since it was a signal, it could be picked up by anyone with the right equipment, who could clone a card’s information and use it for fraudulent purchases. First of all the transmission was “in the clear”, meaning there was no encryption of the data being transmitted. But there’s an even bigger problem with this in real-life implementation, especially about this being a holy grail for criminals. It’s one thing to find a problem in the research lab, it’s another to see it used in the real world. In other words, this is a bust of a real-life problem.
CRIMINALS AREN’T THAT STUPID
For starters, you have to be within a few feet and sometimes inches of the transmitting card to skim it. Criminals aren’t that stupid. To start with, the percentage of credit cards with RFID transmission technology is small, statistically around zero percent right now. So would a criminal stand on the corner of a busy street for hours hoping to catch a would-be victim when the likelihood of success is so low? Probably not, they know they can spend their time more effectively doing something else. The cost of acquiring all the equipment needed to “sniff” an RFID signal is much more than the cost of just going to the underground Internet and buying bulk blocks of credit card numbers. They know how to use their time for the best return, and not waste it on something with little chance of success. But what about other RFID enabled items like Passports, ID cards, driver’s licenses, etc? Well, the best a criminal might glean from those items is an address. That information is ubiquitous and frankly, not very useful to them. So what about the risks in today’s market?
TECHNOLOGY MARCHES ON!
As technology tends to do, it advanced quickly and the use of RFID has quickly fallen out of favor as the new EMV chip cards which have been adopted. As credit cards expire, new ones are issued and as new technology advances so too are new cards issued. Some companies like American Express still offer all three options on their card; contactless, magnetic stripe and EMV chips for convenience, but with the country-wide move to EMV, vulnerable RFID has gone the way of the dinosaur, thus why the need for an RFID blocking sleeve is gone. Additionally, with the move toward mobile payments using cell phones and wearables, it has diminished the allure of an all RFID world. For example, the new metallic square chips on the new cards being issued are NOT RFID, and any new RFID cards now incorporate a chip-and-PIN protection scheme which generates a new password key between the card and the machine every time it’s used for payment which makes it near-impossible to capture and replicate. This is the same password key technology used with NFC (near field communication) that you see with phone apps that can pay by tapping.
CONTROVERSY IN A VACUUM…TIME TO MAKE MONEY!
Roger Grimes of InfoWorld wrote an article where he characterized RFID as a “scare” and is nothing but “entertainment for the paranoid”. But that in itself makes this a wonderful opportunity for companies to capitalize on the scare and make some money! We can even find the Electronic Frontier Foundation trying to sell you a an RFID blocking wallet. You will see that despite the lack of any real threat, companies have rushed to produce wallets and purses which block RFID. You have as many RFID blocking wallet choices as you do for normal wallets. The fact remains, however, that this is a marketing opportunity, there is no real threat to your wallet from RFID “skimming”. RFID wallets and purses continue to be sold at an increasing rate with nothing more to support the hype than fear. The real leather and other material lost to RFID fabric is a real shame and reduces the quality of the product you buy.
DO YOU NEED RFID BLOCKING IN YOUR WALLET?
With the low risk, evolving technology and fraud coverage from your card issuers, I’d like to hear from ANYBODY who has had their card compromised from the RFID “scare”, and if you have, what did you lose? As most of us have experienced (sometimes several times), your credit card information will be compromised, if it hasn’t already, but it won’t be via RFID thievery. It will continue to happen as website hacks are successful in harvesting millions of credit card numbers, but not via RFID. Don’t waste your money on a special RFID blocking wallet. Buy the wallet you want with quality materials forget RFID.