Contactless credit cards, are they secure?

highfigh

Seriously, I have no life.
Two types of RFID are available- passive and active. The range can be large or small for either, but passive is much greater. Credit cards are made for very close range because it obviously jeopardizes security if the distance from interrogator (reader) to transponder (card, tag, etc) increases.

Personally, I don't like it, never have and I would prefer that direct contact be required, but since my bank is local and I can get a replacement just by going there, it's less of a problem WHEN someone uses my card, rather than IF. It happened in March and they bought something from ATT online, then picked it up at the local store. They wouldn't let me see the video in an attempt to identify the dirtbag, due to privacy concerns. Apparently, the Police didn't subpoena the video, so any chance of catching them is gone and it's possible the turd still has my name, so they can use that against me at any time.

Google 'RFID transponder' and you'll find enough info to make sure nobody will ever see us again.

Unfortunately, it's also easy to spoof the tags, too. So much for 'secure'.
 
Swerd

Audioholic Warlord
Google 'RFID transponder' and you'll find enough info…
Thanks. Wikipedia has an informative page on Radio Frequency Identification. Here are a few tidbits from that page, relevant to my OP:

RFID tags contain electronically-stored information. Passive tags collect energy from a nearby RFID reader's interrogating radio waves. Active tags have a local power source (such as a battery) and may operate hundreds of meters from the RFID reader.

The radio frequency used for credit cards and other smart card readers is 13.56 MHz.

RFID is used in a variety of applications, such as:
  • Access management
  • Tracking of goods
  • Tracking of persons and animals
  • Toll collection and contactless payment
  • Machine readable travel documents
  • Smartdust (for massively distributed sensor networks)
  • Airport baggage tracking logistics
  • Timing sporting events
  • Tracking and billing processes
Countries that insert RFID in passports include Norway (2005), Japan (March 1, 2006), most EU countries (around 2006), Australia, Hong Kong, the United States (2007), India (June 2008), Serbia (July 2008), Republic of Korea (August 2008), Taiwan (December 2008), Albania (January 2009), The Philippines (August 2009), Republic of Macedonia (2010), Canada (2013) and Israel (2017).

RFID tags included in new US passports will store the same information printed within the passport, and include a digital picture of the owner. The US Department of State initially stated the chips could only be read from a distance of 10 centimeters (3.9 in), but after widespread criticism and a clear demonstration that special equipment can read the test passports from 10 meters (33 ft) away, the passports were designed (since 2006) to incorporate a thin metal lining to make it more difficult for unauthorized readers to "skim" information when the passport is closed. The department will also implement a PIN number system. Before a passport's tag can be read, this PIN must be entered into an RFID reader. This also enables encryption of communication between the chip and reader. There are many situations in which these protections have been shown to be insufficient, and passports have been cloned based on scans of them while they were being delivered in the mail.

Security concerns
A primary RFID security concern is the illicit tracking of RFID tags. Tags, which are world-readable, pose a risk to both personal location privacy and corporate/military security. Such concerns have been raised with respect to the US Department of Defense's recent adoption of RFID tags for supply chain management. More generally, privacy organizations have expressed concerns in the context of ongoing efforts to embed electronic product code (EPC) RFID tags in consumer products. This is mostly as a result of the fact that RFID tags can be read, and legitimate transactions with readers can be eavesdropped, from non-trivial distances. RFID used in access control, payment and eID (e-passport) systems operate at a shorter range than EPC RFID systems but are also vulnerable to skimming and eavesdropping, albeit at shorter distance.

A second method of prevention is by using cryptography. Rolling codes and challenge-response authentication (CRA) are commonly used to foil monitor-repetition of the messages between the tag and reader; as any messages that have been recorded would prove to be unsuccessful on repeat transmission. Rolling codes rely upon the tag's id being changed after each interrogation, while CRA uses software to ask for a cryptographically coded response from the tag. The protocols used during CRA can be symmetric, or may use public key cryptography.

Passports
In an effort to standardize and make it easier to process passports, several countries have implemented RFID in passports, despite security and privacy issues. The encryption on UK chips was broken in under 48 hours. Since that incident, further efforts have allowed researchers to clone passport data while the passport is being mailed to its owner.

Shielding
In an effort to prevent the passive “skimming” of RFID-enabled cards or passports, the US General Services Administration (GSA) issued a set of test procedures for evaluating electromagnetically opaque sleeves. For shielding products to be in compliance with FIPS-201 guidelines, they must meet or exceed this published standard. Shielding products currently evaluated as FIPS-201 compliant are listed on the website of the US CIO's FIPS-201 Evaluation Program. The US government requires that when new ID cards are issued, they must be delivered with an approved shielding sleeve or holder.

There are contradicting opinions as to whether aluminum can prevent reading of RFID chips. Some people claim that aluminum shielding, essentially creating a Faraday cage, does work. Others claim that simply wrapping an RFID card in aluminum foil only makes transmission more difficult and is not completely effective at preventing it.

Shielding effectiveness depends on the frequency being used. High frequency HighFID tags (13.56 MHz—smart cards and access badges) are sensitive to shielding and are difficult to read when within a few centimeters of a metal surface.

Sorry for the length, see the Wikipedia link for more details.
 
highfigh

Seriously, I have no life.
Thanks. Wikipedia has an informative page on Radio Frequency Identification. Here are a few tidbits from that page, relevant to my OP:
That reads a lot like the PowerPoint I did for my networking class- we had a topic, had to create the presentation and go up in front of the class to talk about it. I assume it's now only similar to what it was when I had to research it twelve years ago.

WiFi was something we only touched on and I think the class should have spent more time on it, but it was only at the 802.11b/g level at that time- 802.11n was still being hammered out and ac/k/r/ax etc hadn't even been discussed, AFAIK.

Here's some new RFID and WiFi info-

https://www.networkworld.com/article/3215907/mobile-wireless/why-80211ax-is-the-next-big-thing-in-wi-fi.html
 
Hobbit

Senior Audioholic
Thanks. Wikipedia has an informative page on Radio Frequency Identification. Here are a few tidbits from that page, relevant to my OP:


Security concerns
A primary RFID security concern is the illicit tracking of RFID tags. Tags, which are world-readable, pose a risk to both personal location privacy and corporate/military security. Such concerns have been raised with respect to the US Department of Defense's recent adoption of RFID tags for supply chain management. More generally, privacy organizations have expressed concerns in the context of ongoing efforts to embed electronic product code (EPC) RFID tags in consumer products. This is mostly as a result of the fact that RFID tags can be read, and legitimate transactions with readers can be eavesdropped, from non-trivial distances. RFID used in access control, payment and eID (e-passport) systems operate at a shorter range than EPC RFID systems but are also vulnerable to skimming and eavesdropping, albeit at shorter distance.

A second method of prevention is by using cryptography. Rolling codes and challenge-response authentication (CRA) are commonly used to foil monitor-repetition of the messages between the tag and reader; as any messages that have been recorded would prove to be unsuccessful on repeat transmission. Rolling codes rely upon the tag's id being changed after each interrogation, while CRA uses software to ask for a cryptographically coded response from the tag. The protocols used during CRA can be symmetric, or may use public key cryptography.



Shielding
In an effort to prevent the passive “skimming” of RFID-enabled cards or passports, the US General Services Administration (GSA) issued a set of test procedures for evaluating electromagnetically opaque sleeves. For shielding products to be in compliance with FIPS-201 guidelines, they must meet or exceed this published standard. Shielding products currently evaluated as FIPS-201 compliant are listed on the website of the US CIO's FIPS-201 Evaluation Program. The US government requires that when new ID cards are issued, they must be delivered with an approved shielding sleeve or holder.

There are contradicting opinions as to whether aluminum can prevent reading of RFID chips. Some people claim that aluminum shielding, essentially creating a Faraday cage, does work. Others claim that simply wrapping an RFID card in aluminum foil only makes transmission more difficult and is not completely effective at preventing it.

Shielding effectiveness depends on the frequency being used. High frequency HighFID tags (13.56 MHz—smart cards and access badges) are sensitive to shielding and are difficult to read when within a few centimeters of a metal surface.

Sorry for the length, see the Wikipedia link for more details.
According to Visa/MC, the RFID cards are less vulnerable to fraud. I doubt they would go to a less secure system.

It's my understanding that these types of cards generate a new CVV for every transaction. If someone manages to swipe your card a CVV will be generated. If they now try and use that information the CVV that was obtained wouldn't be valid.

Even if they weren't using that technology, most of the theft comes from magnetic strip scanners. Those seem pretty easy for criminals to get a hold of and simply insert at a gas station pump, for example. That's unbelievably common.

I do question the efficacy of the RFID sleeves. At least the thin wallet size one. Though I suppose it might mean the criminal needs to get that much closer before their reader works.
 
Spdmn256

Junior Audioholic
You should always be on the lookout for skimmers attached to ATMs, gas station pumps etc. If something looks like it shouldn’t be there you can definitely give it a little wiggle and see if it comes loose. If it’s really supposed to be a part of the machine it won’t come off easily.
 
Swerd

Audioholic Warlord
most of the theft comes from magnetic strip scanners
Thanks for the explanation about the CVV code. I have heard that before, but it makes more sense in the context of unauthorized scanning.

That warning about magnetic strip scanners probably was true in the past, but technology marches onward. Since I first posted this thread, Google's adaptive advertising has started showing me ads for personal long-range RFID scanners. Just the thing for tech savvy thieves, only $2,000.
 
Hobbit

Senior Audioholic
Thanks for the explanation about the CVV code. I have heard that before, but it makes more sense in the context of unauthorized scanning.

That warning about magnetic strip scanners probably was true in the past, but technology marches onward. Since I first posted this thread, Google's adaptive advertising has started showing me ads for personal long-range RFID scanners. Just the thing for tech savvy thieves, only $2,000.
I meant skimmers... lol! Yeah, it's scary what the internet knows about me and my habits. The other day my friend was talking about Vuarnet sunglasses. Next thing I know that's what I'm seeing ads for. I swear my phone is listening....
 
ryanosaur

Audioholic Overlord
I meant skimmers... lol! Yeah, it's scary what the internet knows about me and my habits. The other day my friend was talking about Vuarnet sunglasses. Next thing I know that's what I'm seeing ads for. I swear my phone is listening....
o_O
:eek:
;)
Google news feed has Audioholics articles popping up in the "For You" section.
 
Verdinut

Audioholic Spartan
o_O
:eek:
;)
Google news feed has Audioholics articles popping up in the "For You" section.
That's why surfing on the web in private mode is of utmost importance, as well as using an ad blocker. The "AdBlocker", which is free software, is very useful. I use it and I don't give a damn if the website asks me to disable it, I normally don't. Don't forget that some ads contain phishing programs and even some other malware.
 
Swerd

Audioholic Warlord
That's why surfing on the web in private mode is of utmost importance, as well as using an ad blocker. The "AdBlocker", which is free software, is very useful. I use it and I don't give a damn if the website asks me to disable it, I normally don't. Don't forget that some ads contain phishing programs and even some other malware.
That's good advice, but it takes all the fun out of seeing how long it takes for adaptive ads to appear.

OK, LET'S TALK ABOUT TOILETS. It's now 11 pm EST 1 January 2019. How long till we see ads appear for porcelain facilities?
 
sholling

Audioholic Ninja
I’ve seen wallets that are designed specifically to block the rfid signal from being read by “a bad actor.” But let’s understand what that might entail: a person following close enough that they can use a scanner to read your information. So, a busy airport or such, a very dedicated person, and maybe they get lucky? Not suggesting there isn’t a risk, but if you are concerned in the slightest, shop Amazon for rfid secure wallets. ;)
I've carried a Big Skinny Hipster style RFID blocking wallet for years.

https://www.bigskinny.net/rfid-blocking-hipster.html

OP,

I rarely use credit or debit cards in-store anymore. There are way too many card skimmers and clerks with hand skimmers out there. Plus all of the hacked point of sale machines and cases of hacked servers with saved card numbers for me to trust them. I prefer phone based payment systems such as Samsung Pay or Android Pay.

From Samsung:

Is it secure?
Samsung Pay does not store the account or credit card numbers of cards on the device, instead using tokenization for transactions. Each time a purchase is made, the Samsung Pay handset sends two pieces of data to the payment terminal. The first is a 16-digit token that represents the credit or debit card number, while the second piece is a one-time code or cryptogram generated by the phone's encryption key.
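
An added example, not part of sholling's post or of Samsung's documentation: a simplified Python model of the token plus one-time cryptogram described above. It also illustrates the challenge-response and rolling-code ideas in the Wikipedia excerpt and the per-transaction code mentioned earlier in the thread. The class names, key handling and message layout are assumptions for illustration, not EMV or Samsung Pay's actual format.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, counter: int, challenge: bytes, amount_cents: int) -> bytes:
    """MAC binding one transaction to the counter, the terminal's challenge and the amount."""
    msg = counter.to_bytes(4, "big") + challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]  # truncated tag (constructed choice)


class Card:
    """Hypothetical card or phone: holds a token, a secret key and a transaction counter."""

    def __init__(self, token: str, key: bytes):
        self.token = token
        self._key = key
        self._counter = 0

    def pay(self, challenge: bytes, amount_cents: int) -> dict:
        self._counter += 1  # rolling element: a counter value is never reused
        return {
            "token": self.token,
            "counter": self._counter,
            "amount": amount_cents,
            "mac": cryptogram(self._key, self._counter, challenge, amount_cents),
        }


class Issuer:
    """Hypothetical issuer: maps tokens to keys and remembers the highest counter seen."""

    def __init__(self):
        self._accounts = {}  # token -> [key, last_counter]

    def enroll(self, token: str) -> Card:
        key = secrets.token_bytes(32)
        self._accounts[token] = [key, 0]
        return Card(token, key)

    def authorize(self, msg: dict, terminal_challenge: bytes) -> str:
        account = self._accounts.get(msg["token"])
        if account is None:
            return "declined: unknown token"
        key, last_counter = account
        # Recompute with the challenge this terminal issued, not one the sender claims.
        expected = cryptogram(key, msg["counter"], terminal_challenge, msg["amount"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= last_counter:
            return "declined: counter replayed"
        account[1] = msg["counter"]
        return "approved"


def demo() -> list:
    issuer = Issuer()
    card = issuer.enroll("9999000011112222")   # constructed 16-digit token, not a card number
    c1 = secrets.token_bytes(16)               # terminal's fresh challenge
    recorded = card.pay(c1, 1999)              # the message an eavesdropper could capture
    results = [issuer.authorize(recorded, c1)]               # genuine purchase
    results.append(issuer.authorize(recorded, c1))           # same message sent again
    c2 = secrets.token_bytes(16)
    results.append(issuer.authorize(recorded, c2))           # recording replayed at another terminal
    altered = dict(recorded, amount=999999)
    results.append(issuer.authorize(altered, c1))            # amount changed in transit
    results.append(issuer.authorize(card.pay(c2, 500), c2))  # next genuine purchase
    return results
```

Only the first and last calls in `demo()` are approved: a captured message fails either the counter check or the MAC check, which is why a skimmed one-time code is of little use on its own.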
 
Verdinut

Audioholic Spartan
I've carried a Big Skinny Hipster style RFID blocking wallet for years.

https://www.bigskinny.net/rfid-blocking-hipster.html

OP,

I rarely use credit or debit cards in-store anymore. There are way too many card skimmers and clerks with hand skimmers out there. Plus all of the hacked point of sale machines and cases of hacked servers with saved card numbers for me to trust them. I prefer phone based payment systems such as Samsung Pay or Android Pay.

From Samsung:

Is it secure?
Samsung Pay does not store the account or credit card numbers of cards on the device, instead using tokenization for transactions. Each time a purchase is made, the Samsung Pay handset sends two pieces of data to the payment terminal. The first is a 16-digit token that represents the credit or debit card number, while the second piece is a one-time code or cryptogram generated by the phone's encryption key.
The RFID Blocking Wallet is an interesting product, but couldn't someone use an aluminum sheet in his wallet at a cheaper cost?
 
ryanosaur

Audioholic Overlord
Like the lady showing up at our local city council meetings with a foil wrapped bicycle helmet complaining about the PGE smart meters? :p
 
sholling

Audioholic Ninja
The RFID Blocking Wallet is an interesting product, but couldn't someone use an aluminum sheet in his wallet at a cheaper cost?
Or you can use mylar or mylar lined RFID pouches. I like the thinness of Big Skinny Hipster wallets and don't want to stuff anything extra inside.
 
Swerd

Audioholic Warlord
It's now 2023, longer than 4 years since I started this thread. Here's a follow up on this subject:

I eventually did go to the UK in the fall of 2019, several months before the pandemic broke out. For the trip, I bought a RFID shielded leather wallet, about $20. It was large enough to hold my passport, up to 7 credit cards (I carried 2 credit card & driver's license), plus cash. It apparently did its job, and I had no problems with passport or credit cards.

That wallet was too large to carry in my back pocket, as I usually do. Instead, I wore cargo pants, and actually used a cargo pocket for that wallet. That turned out to be useful on an airplane or driving a car. At the Tower of London, a British Army sergeant, in full Beef Eater Yeoman Warder's uniform, gave us tourists a talk about the Tower's history, and a brief warning about pick-pocket security. He saw me, wearing cargo pants, and called me up to join him as he demonstrated why pick-pockets prefer men who carry their wallets in their back pocket. His talk was full of mild insults & jokes, and as much as he tried, he couldn't aim one of those barbs at me. He was surprised to find that I actually carried my wallet in a cargo pocket, and commented how he liked them as their 2 buttons were much slower to open than the usual zipper or velcro closures. I asked him if he thought the purse he had as part of his uniform was as useful as cargo pants. He had a quick answer for that too – it allowed him to carry all his makeup kit more comfortably than under his hat.

While in the UK, I saw that nearly everyone used their phones instead of a credit card to pay for most everything. Stores & shops did have credit card readers, but rarely used them. I had thought to get International phone service for that month, but I hadn't set up my phone to pay for things. I did inform my credit card companies of my travel plans, and had no problem using my credit cards.
 
highfigh

Seriously, I have no life.
No idea about security, but I would expect the battery to fail at just the wrong time and sooner than expected. Sounds like gratuitous complexity to me and to be condemned on that count alone.
What battery? This is RFID- the keypad/reader is called the interrogator and the chip is the responder, with a small antenna for receiving the signal and making it more sensitive. The reader sends out a weak RF signal and the chip reacts to it, allowing the reader to receive the data. It's encrypted, so it's secure unless a device is in place at close distance, for snooping.

The good thing about this is that nobody can watch over the cardholder's shoulder to see the pin that would have been entered.
 
highfigh

Seriously, I have no life.
It's now 2023, longer than 4 years since I started this thread. Here's a follow up on this subject:

I eventually did go to the UK in the fall of 2019, several months before the pandemic broke out. For the trip, I bought a RFID shielded leather wallet, about $20. It was large enough to hold my passport, up to 7 credit cards (I carried 2 credit card & driver's license), plus cash. It apparently did its job, and I had no problems with passport or credit cards.

That wallet was too large to carry in my back pocket, as I usually do. Instead, I wore cargo pants, and actually used a cargo pocket for that wallet. That turned out to be useful on an airplane or driving a car. At the Tower of London, a British Army sergeant, in full Beef Eater Yeoman Warder's uniform, gave us tourists a talk about the Tower's history, and a brief warning about pick-pocket security. He saw me, wearing cargo pants, and called me up to join him as he demonstrated why pick-pockets prefer men who carry their wallets in their back pocket. His talk was full of mild insults & jokes, and as much as he tried, he couldn't aim one of those barbs at me. He was surprised to find that I actually carried my wallet in a cargo pocket, and commented how he liked them as their 2 buttons were much slower to open than the usual zipper or velcro closures. I asked him if he thought the purse he had as part of his uniform was as useful as cargo pants. He had a quick answer for that too – it allowed him to carry all his makeup kit more comfortably than under his hat.

While in the UK, I saw that nearly everyone used their phones instead of a credit card to pay for most everything. Stores & shops did have credit card readers, but rarely used them. I had thought to get International phone service for that month, but I hadn't set up my phone to pay for things. I did inform my credit card companies of my travel plans, and had no problem using my credit cards.
A friend was walking along a street where we have a lot of bars and restaurants. As a group passed, one of them said "Nice purse" and after a few seconds, he yelled back "It's a man bag!".
 
mtrycrafts

Seriously, I have no life.
What battery? This is RFID- the keypad/reader is called the interrogator and the chip is the responder, with a small antenna for receiving the signal and making it more sensitive. The reader sends out a weak RF signal and the chip reacts to it, allowing the reader to receive the data. It's encrypted, so it's secure unless a device is in place at close distance, for snooping.

The good thing about this is that nobody can watch over the cardholder's shoulder to see the pin that would have been entered.
And it seems to be very fast, faster than the push in chip only.
 