Unmasking RFID Blocking Wallets
Do you need RFID card blocking wallets? NO, but is RFID sniffing a threat? Maybe, but not really. Let’s dive into the specifics of RFID history, technology, scanning, skimming, shimming and blocking. In the end you might want to block RFID, but you won’t want to do it with a wallet. And RFID blocking wallets are still a scam.
RFID blocking material built into wallets is a total scam. Yet, there is a little bit more to it. Two years ago I published a video about the absurdity of RFID blocking that is built into wallets. Many were confused with the message I gave and over that time has created a lot of additional questions, with those questions deserving a follow-up.
The True Focus: RFID, Wallets, and Necessity
But let me be clear that this is not about whether RFID is good, it is about wallets and whether or not you need to buy an RFID blocking wallet. RFID is great and I use it almost every day along with NFC, which is another mechanism for near field communication, and that is what its name stands for.
Understanding RFID and NFC
The question we’ll be exploring is if RFID protection built into a wallet is necessary?
Well, we will hold off on that and address first a few things that will provide context as we answer this question, because simply, we cannot answer the question properly until we know how credit cards operate and the types of theft that occur on them.
RFID and NFC in Everyday Life
If your card has a chip and a stripe on it, then its information can be stolen via several mechanisms, but it is due to the stripe and not the chip. Before jumping into that topic, we need to talk about cryptography and dive into the different types of stripe, chip, and pin cryptography. These are not all the same and it is relevant to know what you have in your wallet. A card can have a chip and pin with no stripe, a chip and signature, a swipe and pin, or just a swipe. The security is highest with a chip and pin with no stripe, and lowest with a card with just the stripe. Stripes are the biggest weakness and as long as we have them on our credit cards as backup for merchants and terminals that have not converted to a chip reader system, this will increase the chances for theft of our information. There exist edge cases non-related to credit cards, for example, transit cards, access cards, et cetera, where sniffing could pick up that information. You would be concerned about whether you need to block that as part of personal risk evaluation that likely relates to where you live, how you travel, and likely if you have anyone who may want to harm you for some strange reason. Now we are talking about blocking and whether it is needed in the wallet itself, or the other alternative is to add it, which is possible and we will talk about that. It is important to understand the technology a little bit. How did we get a chip anyway? Well, it all started by a consortium of companies, known as EMV, which stands for Europay, MasterCard and Visa. the consortium made this technology in the form of the pin, or the chip. The United States has been very slow in adopting EMV technology. This technology was only adopted in 2015 in the United States, while it has been around since 1994 in Europe. The positive progress is that as of 2023 the vast majority of merchants in the United States have EMV enabled terminals.
The Spectrum of Credit Card Theft – Physical and Digital
The theft we are talking about can be categorized as physical, digital, and the one that everyone is talking about, sniffing theft. Physical theft is easy to get our minds around, it happens when someone jots down your card information as you hand your card to, someone steals your wallet, or thieves install a skimmer onto equipment. A new method is seeing growth due to increasing complexity from chip and pin, it is an arms race type thing.
Physical Theft: Skimmers, Shimmers, and the Cat-and-Mouse Game
The more protections we put into a card, the more creative thieves get to try and steal that information. Skimmers and shimmer devices, installed on a machine such as an ATM or gas pump readers to pull all your info from the stripe as it reads the transaction, do not qualify as open-air sniffing, more on this later. A physical reader skimmer or shimmer will pick up your integrated communication of the card verification value, or the CVV, the three-digit number you are familiar with from the stripe on the back of your card along with your card number and expiration date, but the new integrated circuit card verification value, or iCVV, is not transferred and is contained in the chip, NOT on the stripe. Let’s say you insert your card into a gas pump that has a skimmer on it. It will read all the information from the stripe of your card, including the CVV.
Successful Card Stripe Cloning?
However, if the thief clones the card and tries to use it in a card present transaction, meaning the thief is trying to purchase something at the local grocery store, the bank will check the submitted CVV against the iCVV to ensure the transaction is valid, and so there is no fraud risk. That is the crosscheck that occurs, but it can be bypassed with a swipe because the card is inserted without the chip, therefore no crosscheck, and which point, there is a small percentage of banks that still do not check the CVV to the iCVV in their backing systems. And as result, that transaction will be approved.
If someone tries to use the card information for an online purchase, however, there is a number of hurdles that we know about when you try to purchase things, it asks for a zip code, and also requires shipping information, and gas pumps require zip codes as well. These are validations on the business rules and the artificial intelligence on the back end to ensure that the person making that transaction is the owner. It is hard to protect against physical card theft. If a server steals your credit card information at a restaurant, there is not much you can do about it. If a skimmer is installed on your ATM or your gas pump, there is not much you can do about it, except maybe try and recognize that something with it does not look right. But how often do we really do that? Probably we should do it more often.
Successful Card Chip Cloning?
That was a dive into the physical theft regarding the stripe on the back of the card. Can the information on the chip side be stolen? Well, I am sure it can somehow, but it would take equipment worth hundreds of thousands of dollars to break the crypto and frankly, to crack the key of the receiving systems (Point of Sale device), or understand how you can marry an iCVV number to a CVV electronically. The truth is thieves are lazy and this is not an easy way and would require significant capital to do it. And, once again, due to sophisticated software business rules at banks, the card might work once, then it’s blocked. The reward for the effort isn’t there, it’s not worth it. So what does make sense? Digital theft.
Digital Theft: the REAL threat
With physical threats explained and taken care of, we move to the largest threat of someone stealing your credit card information, which is digital theft. This is most commonly seen when your credit card company contacts you asking if a recent charge or transaction was done by you or not, it could be a text or a phone call. I am sure many have received them. This is so common that my credit card, before I could even use it once, was charged from somewhere across the country and it was fraudulent. As a matter of fact, it happened recently. The fraudulent charge was in Kentucky, and I have not been to Kentucky in years, that was a result of my credit card being stolen through digital theft. This is more of a problem for banks than consumers beyond an inconvenience of replacing a card. Why is this a bigger problem for banks?
Banks’ Role and Protection Laws
With non-liability consumer protection laws in place in the United States and many countries, any theft and fraud is now the responsibility of the banks, not the cardholder. This liability shift means the banks lose billions of dollars every year in fraud, so to combat the problem and reduce the loss, they have built very sophisticated business rules and artificial intelligence to detect fraudulent card usage. They track your purchasing behavior, utilize cross-data relationships with travel providers, associated banking systems, and your purchase history to build a profile on each customer to know if they are using their card in the way that is expected of them. Back in the day, you would have to call your credit card provider to inform them if you are traveling so they would expect to receive charges from the country you are traveling to. Nowadays, don’t bother calling, they already know, based on these data relationships, that you have scheduled air travel and hotels, therefore, you do not have to call them. So whether your banking institution has suffered a hack or a number of any hundreds of stores you have made a transaction with has been hacked, and your information stolen, the results are the same. The information from my last video has not changed and continues to be the case. Digital theft of credit card information is still the largest risk over any other method.
Dispelling the Myth of RFID Sniffing
You would believe due to the RFID marketing fanatics that theft by “sniffing” rampant worldwide. Where people with sophisticated equipment are standing around in crowd to nefariously slide up next to you and via the RFID and/or NFC signals coming from your card, can be cloned and taken.
Can it happen? Yes. It’s been proven in a lab.
Does it happen in the wild? No. There’s no data that shows this is a problem in real life situations.
But whoa, are you sure mark? because my friend had his card compromised on a business trip, and all my friends on Reddit have friends who know that they have had their card information stolen, and it just had to be through sniffing
Theft happens worldwide through two primary means, physical and digital. The last physical theft thing is you lose your wallet. That happens quite often and when that does, a quick call to your bank cancels your cards and gets them all that back to you. And even if your card is, assumingly compromised in some way or another, the biggest hassle you have is to reset all of your auto pays that you have ongoing because you will have a new card.
Conclusion and Future Outlook
Back to the original question. Do you need RFID blocking material in your wallet? To answer that, we need to examine the cases we just discussed one by one.
First, will RFID blocking material in your wallet protect you from online, digital hacking? The answer is no.
Second, do you need RFID blocking material built in to your wallet to protect you from someone stealing your wallet or copying your card information when you hand it to them? The answer is no.
Third, will RFID blocking material in your wallet protect you from skimmers or shimmers? That is also a no.
Finally, are open air sniffers a reality in the world of chip and pin? Not really, not beyond people trying to prove they exist via demonstrations in labs with no published data of real world threat.
Do you NEED RFID in your wallet?
In the world of RFID blocking in wallets, do you really NEED it? No. But is it okay if you like the idea of having protection? Of course! That’s what choice is about, but don’t be fooled that due to rampant theft, that you’re openly exposed to an immediate threat. It’s simply not the case. That is why marketing of RFID blocking in wallets remains a scam. However, if you are still unsure, I would suggest getting an RFID blocking card or a sleeve to put into your wallet, which provide protection, while not limiting your wallet selection options. Walletopia makes RFID blocking cards and sleeves for this purpose, so you can find the wallet you really want, and still feel comfortable if you’re still concerned.
I will keep tracking this technology and will makes updates if anything changes and if it turns out to be a bigger problem, I will be happy to tell you about it.
Protects credit cards and other important documents with an electromagnetically lined opaque shield to block signals from high-tech pickpockets & unauthorized electronic scanning devices