We’ve all heard of RFID skimming right? It’s where criminals with RFID readers sneak up behind us and scan the credit card or passport in our pocket or bag to steal information they can use for fraudulent transactions or identity theft.
The threat of RFID skimming has given rise to an enormous industry of RFID-blocking products. It’s a standard feature in smart wallets, and you can even buy shirts and jeans with RFID blocking pockets built in. The question is: Are they worth buying?
“No, they’re a waste of money,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Digital Trends. “You shouldn’t spend one cent. There has still to this day not been a report of a single real-world crime that an RFID blocking product would have stopped.”
Well, that puts it bluntly. But why is the RFID-blocking industry still booming? First, let’s understand how it all works.
How does RFID skimming work?
RFID or radio frequency identification is a form of wireless communication. RFID chips are sometimes used in passports, credit cards, and transport passes to allow fast scanning and contactless payments. These chips emit radio signals that anyone with a reader can potentially try to intercept.
In theory, criminals can buy readers for less than $100 and then sneak up behind people and scan their pockets or bags to try and steal information. The supposed threat: the information they skim can then be used to steal the victim’s identity or push through fraudulent transactions using their details. But there’s a problem with this supposition.
“The information that’s actually stored and transmitted on the card is not enough to complete a transaction anymore,” Grimes said. “That changed many years ago.”
“The information stored and transmitted on the card is not enough to complete a transaction anymore.”
Nowadays, a credit card transmits a one-time transaction code that’s encrypted. It doesn’t give your name or billing address, and crucially it doesn’t include the three-digit code on the back of your card that’s needed for online transactions. The information that can be skimmed is simply not enough to enable the thief to commit another crime.
As for passports, the information that’s transmitted cannot be read without the key. Everything is encrypted and can be read only by authorized and authenticated readers. You also have to open the passport to the photo page to scan the chip, and most modern passports (issued after 2007) already have covers that block RFID signals.
A victimless crime
The purveyors of RFID-blocking products are exploiting an understandable fear people have of this kind of wireless crime. But there’s no evidence the RFID skimming they guard against is actually happening.
We contacted Action Fraud in the U.K. to ask about reported incidents of RFID skimming and they put us in touch with UK Finance. The organization confirmed that there have never been any verified reports of fraudsters taking money from someone’s contactless card just by bumping into them in the street or on public transport. It also revealed that no verified incidents of contactless fraud have ever been recorded on cards still in the possession of the original owner in the U.K.
What’s more, even if this kind of crime did occur, you’re guaranteed protection.
“Customers are fully protected against any losses and will never be left out of pocket in the unlikely event they are the victim of this type of fraud, unlike if they lose cash,” a U.K. Finance spokesperson told Digital Trends.
The situation is much the same in the U.S., according to the Identity Theft Resource Center.
Roger Grimes has been trying to track down a verifiable crime of this sort for years now. In addition to his work with KnowBe4, which offers security awareness training, he’s also a long-time columnist on computer security. Before that he served for more than 11 years as a principal security architect at Microsoft. He has written multiple articles, and given many talks and interviews on the topic of RFID-blocking products.
“To be honest I’m surprised the makers of these things haven’t paid a real-world criminal to commit a crime just to shut me up,” he said, chuckling.
Manufacturers of RFID-blocking products usually explain how RFID skimming works. Sometimes they refer to demonstrations by security experts at conferences showing that it is possible, or they quote statistics that refer to different kinds of credit card crime.
“It’s pretty much a scam,” Grimes said. “There has never been a single reported RFID crime that would have been blocked by one of these products, but even if there were 10 reported crimes, is that something that should generate a multi-million-dollar industry?”
Real crimes related to contactless cards
There is some crime related to RFID or NFC (near field communication) on credit cards and smartphones, but it’s relatively minor. It also typically occurs in situations where you use your contactless card, so blocking products would not be effective.
For example, there may be rare occasions where merchants overcharge, or a fake frontage has been fitted to a Point-of-Sale terminal or cash machine. But these kinds of incidents are quickly exposed, and customers are always reimbursed. They’re also situations where you remove your card from your wallet or pocket, so RFID blocking can’t help anyway.
You should be more concerned about other, verifiable crime that’s actually happening
According to U.K. Finance, fraud on contactless cards and devices remains low with 19.5 million British pounds of losses during 2018, compared to spending of 69 billion British pounds over the same period. Fraud using the contactless technology on payment cards and devices represented just 2.9 percent of overall card fraud losses.
Criminals are all about the low-hanging fruit. When they can go online to the dark web and buy credit card details, including the three-digit code, for $3 to $5 apiece why would they go to the hassle of RFID skimming?
“It’s an incredible risk for very little pay off,” Grimes said. “Using the dark web, they don’t need to worry about being close to a person or getting caught on camera.”
If you’re worried about identity theft or credit card fraud, you should be more concerned about other, verifiable crime that’s actually happening, like phishing scams. While there’s no harm in using an RFID-blocking product, it’s unlikely to help, and there’s no real need to spend money on them.
“Tin foil works just as well if not better than all of these-RFID blocking products,” Grimes said.