Skip to main content

RFID-blocking products are practically worthless. Here’s why

We’ve all heard of RFID skimming right? It’s where criminals with RFID readers sneak up behind us and scan the credit card or passport in our pocket or bag to steal information they can use for fraudulent transactions or identity theft.

The threat of RFID skimming has given rise to an enormous industry of RFID-blocking products. It’s a standard feature in smart wallets, and you can even buy shirts and jeans with RFID blocking pockets built in. The question is: Are they worth buying?

Recommended Videos

“No, they’re a waste of money,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Digital Trends. “You shouldn’t spend one cent. There has still to this day not been a report of a single real-world crime that an RFID blocking product would have stopped.”

Well, that puts it bluntly. But why is the RFID-blocking industry still booming? First, let’s understand how it all works.

How does RFID skimming work?

RFID or radio frequency identification is a form of wireless communication. RFID chips are sometimes used in passports, credit cards, and transport passes to allow fast scanning and contactless payments. These chips emit radio signals that anyone with a reader can potentially try to intercept.

Image used with permission by copyright holder

In theory, criminals can buy readers for less than $100 and then sneak up behind people and scan their pockets or bags to try and steal information. The supposed threat: the information they skim can then be used to steal the victim’s identity or push through fraudulent transactions using their details. But there’s a problem with this supposition.

“The information that’s actually stored and transmitted on the card is not enough to complete a transaction anymore,” Grimes said. “That changed many years ago.”

“The information stored and transmitted on the card is not enough to complete a transaction anymore.”

Nowadays, a credit card transmits a one-time transaction code that’s encrypted. It doesn’t give your name or billing address, and crucially it doesn’t include the three-digit code on the back of your card that’s needed for online transactions. The information that can be skimmed is simply not enough to enable the thief to commit another crime.

As for passports, the information that’s transmitted cannot be read without the key. Everything is encrypted and can be read only by authorized and authenticated readers. You also have to open the passport to the photo page to scan the chip, and most modern passports (issued after 2007) already have covers that block RFID signals.

A victimless crime

The purveyors of RFID-blocking products are exploiting an understandable fear people have of this kind of wireless crime. But there’s no evidence the RFID skimming they guard against is actually happening.

We contacted Action Fraud in the U.K. to ask about reported incidents of RFID skimming and they put us in touch with UK Finance. The organization confirmed that there have never been any verified reports of fraudsters taking money from someone’s contactless card just by bumping into them in the street or on public transport. It also revealed that no verified incidents of contactless fraud have ever been recorded on cards still in the possession of the original owner in the U.K.

What’s more, even if this kind of crime did occur, you’re guaranteed protection.

“Customers are fully protected against any losses and will never be left out of pocket in the unlikely event they are the victim of this type of fraud, unlike if they lose cash,” a U.K. Finance spokesperson told Digital Trends.

The situation is much the same in the U.S., according to the Identity Theft Resource Center.

NERO

Roger Grimes has been trying to track down a verifiable crime of this sort for years now. In addition to his work with KnowBe4, which offers security awareness training, he’s also a long-time columnist on computer security. Before that he served for more than 11 years as a principal security architect at Microsoft. He has written multiple articles, and given many talks and interviews on the topic of RFID-blocking products.

“To be honest I’m surprised the makers of these things haven’t paid a real-world criminal to commit a crime just to shut me up,” he said, chuckling.

Manufacturers of RFID-blocking products usually explain how RFID skimming works. Sometimes they refer to demonstrations by security experts at conferences showing that it is possible, or they quote statistics that refer to different kinds of credit card crime.

“It’s pretty much a scam,” Grimes said. “There has never been a single reported RFID crime that would have been blocked by one of these products, but even if there were 10 reported crimes, is that something that should generate a multi-million-dollar industry?”

Real crimes related to contactless cards

There is some crime related to RFID or NFC (near field communication) on credit cards and smartphones, but it’s relatively minor. It also typically occurs in situations where you use your contactless card, so blocking products would not be effective.

For example, there may be rare occasions where merchants overcharge, or a fake frontage has been fitted to a Point-of-Sale terminal or cash machine. But these kinds of incidents are quickly exposed, and customers are always reimbursed. They’re also situations where you remove your card from your wallet or pocket, so RFID blocking can’t help anyway.

You should be more concerned about other, verifiable crime that’s actually happening

According to U.K. Finance, fraud on contactless cards and devices remains low with 19.5 million British pounds of losses during 2018, compared to spending of 69 billion British pounds over the same period. Fraud using the contactless technology on payment cards and devices represented just 2.9 percent of overall card fraud losses.

Criminals are all about the low-hanging fruit. When they can go online to the dark web and buy credit card details, including the three-digit code, for $3 to $5 apiece why would they go to the hassle of RFID skimming?

“It’s an incredible risk for very little pay off,” Grimes said. “Using the dark web, they don’t need to worry about being close to a person or getting caught on camera.”

If you’re worried about identity theft or credit card fraud, you should be more concerned about other, verifiable crime that’s actually happening, like phishing scams. While there’s no harm in using an RFID-blocking product, it’s unlikely to help, and there’s no real need to spend money on them.

“Tin foil works just as well if not better than all of these-RFID blocking products,” Grimes said.

Simon Hill
Former Digital Trends Contributor
Simon Hill is an experienced technology journalist and editor who loves all things tech. He is currently the Associate Mobile…
Range Rover’s first electric SUV has 48,000 pre-orders
Land Rover Range Rover Velar SVAutobiography Dynamic Edition

Range Rover, the brand made famous for its British-styled, luxury, all-terrain SUVs, is keen to show it means business about going electric.

And, according to the most recent investor presentation by parent company JLR, that’s all because Range Rover fans are showing the way. Not only was demand for Range Rover’s hybrid vehicles up 29% in the last six months, but customers are buying hybrids “as a stepping stone towards battery electric vehicles,” the company says.

Read more
BYD’s cheap EVs might remain out of Canada too
BYD Han

With Chinese-made electric vehicles facing stiff tariffs in both Europe and America, a stirring question for EV drivers has started to arise: Can the race to make EVs more affordable continue if the world leader is kept out of the race?

China’s BYD, recognized as a global leader in terms of affordability, had to backtrack on plans to reach the U.S. market after the Biden administration in May imposed 100% tariffs on EVs made in China.

Read more
Tesla posts exaggerate self-driving capacity, safety regulators say
Beta of Tesla's FSD in a car.

The National Highway Traffic Safety Administration (NHTSA) is concerned that Tesla’s use of social media and its website makes false promises about the automaker’s full-self driving (FSD) software.
The warning dates back from May, but was made public in an email to Tesla released on November 8.
The NHTSA opened an investigation in October into 2.4 million Tesla vehicles equipped with the FSD software, following three reported collisions and a fatal crash. The investigation centers on FSD’s ability to perform in “relatively common” reduced visibility conditions, such as sun glare, fog, and airborne dust.
In these instances, it appears that “the driver may not be aware that he or she is responsible” to make appropriate operational selections, or “fully understand” the nuances of the system, NHTSA said.
Meanwhile, “Tesla’s X (Twitter) account has reposted or endorsed postings that exhibit disengaged driver behavior,” Gregory Magno, the NHTSA’s vehicle defects chief investigator, wrote to Tesla in an email.
The postings, which included reposted YouTube videos, may encourage viewers to see FSD-supervised as a “Robotaxi” instead of a partially automated, driver-assist system that requires “persistent attention and intermittent intervention by the driver,” Magno said.
In one of a number of Tesla posts on X, the social media platform owned by Tesla CEO Elon Musk, a driver was seen using FSD to reach a hospital while undergoing a heart attack. In another post, a driver said he had used FSD for a 50-minute ride home. Meanwhile, third-party comments on the posts promoted the advantages of using FSD while under the influence of alcohol or when tired, NHTSA said.
Tesla’s official website also promotes conflicting messaging on the capabilities of the FSD software, the regulator said.
NHTSA has requested that Tesla revisit its communications to ensure its messaging remains consistent with FSD’s approved instructions, namely that the software provides only a driver assist/support system requiring drivers to remain vigilant and maintain constant readiness to intervene in driving.
Tesla last month unveiled the Cybercab, an autonomous-driving EV with no steering wheel or pedals. The vehicle has been promoted as a robotaxi, a self-driving vehicle operated as part of a ride-paying service, such as the one already offered by Alphabet-owned Waymo.
But Tesla’s self-driving technology has remained under the scrutiny of regulators. FSD relies on multiple onboard cameras to feed machine-learning models that, in turn, help the car make decisions based on what it sees.
Meanwhile, Waymo’s technology relies on premapped roads, sensors, cameras, radar, and lidar (a laser-light radar), which might be very costly, but has met the approval of safety regulators.

Read more