RFID-blocking products are practically worthless. Here’s why

We’ve all heard of RFID skimming, right? It’s where criminals with RFID readers sneak up behind us and scan the credit card or passport in our pocket or bag to steal information they can use for fraudulent transactions or identity theft.

The threat of RFID skimming has given rise to an enormous industry of RFID-blocking products. It’s a standard feature in smart wallets, and you can even buy shirts and jeans with RFID-blocking pockets built in. The question is: Are they worth buying?

“No, they’re a waste of money,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Digital Trends. “You shouldn’t spend one cent. There has still to this day not been a report of a single real-world crime that an RFID blocking product would have stopped.”

Well, that puts it bluntly. But why is the RFID-blocking industry still booming? First, let’s understand how it all works.

How does RFID skimming work?

RFID or radio frequency identification is a form of wireless communication. RFID chips are sometimes used in passports, credit cards, and transport passes to allow fast scanning and contactless payments. These chips emit radio signals that anyone with a reader can potentially try to intercept.

In theory, criminals can buy readers for less than $100 and then sneak up behind people and scan their pockets or bags to try and steal information. The supposed threat: the information they skim can then be used to steal the victim’s identity or push through fraudulent transactions using their details. But there’s a problem with this supposition.

“The information that’s actually stored and transmitted on the card is not enough to complete a transaction anymore,” Grimes said. “That changed many years ago.”

Nowadays, a credit card transmits a one-time transaction code that’s encrypted. It doesn’t give your name or billing address, and crucially it doesn’t include the three-digit code on the back of your card that’s needed for online transactions. The information that can be skimmed is simply not enough to enable the thief to commit another crime.

As for passports, the information that’s transmitted cannot be read without the key. Everything is encrypted and can be read only by authorized and authenticated readers. You also have to open the passport to the photo page to scan the chip, and most modern passports (issued after 2007) already have covers that block RFID signals.

A victimless crime

The purveyors of RFID-blocking products are exploiting an understandable fear people have of this kind of wireless crime. But there’s no evidence the RFID skimming they guard against is actually happening.

We contacted Action Fraud in the U.K. to ask about reported incidents of RFID skimming and they put us in touch with UK Finance. The organization confirmed that there have never been any verified reports of fraudsters taking money from someone’s contactless card just by bumping into them in the street or on public transport. It also revealed that no verified incidents of contactless fraud have ever been recorded on cards still in the possession of the original owner in the U.K.

What’s more, even if this kind of crime did occur, you’re guaranteed protection.

“Customers are fully protected against any losses and will never be left out of pocket in the unlikely event they are the victim of this type of fraud, unlike if they lose cash,” a U.K. Finance spokesperson told Digital Trends.

The situation is much the same in the U.S., according to the Identity Theft Resource Center.

Roger Grimes has been trying to track down a verifiable crime of this sort for years now. In addition to his work with KnowBe4, which offers security awareness training, he’s also a long-time columnist on computer security. Before that he served for more than 11 years as a principal security architect at Microsoft. He has written multiple articles, and given many talks and interviews on the topic of RFID-blocking products.

“To be honest I’m surprised the makers of these things haven’t paid a real-world criminal to commit a crime just to shut me up,” he said, chuckling.

Manufacturers of RFID-blocking products usually explain how RFID skimming works. Sometimes they refer to demonstrations by security experts at conferences showing that it is possible, or they quote statistics that refer to different kinds of credit card crime.

“It’s pretty much a scam,” Grimes said. “There has never been a single reported RFID crime that would have been blocked by one of these products, but even if there were 10 reported crimes, is that something that should generate a multi-million-dollar industry?”

Real crimes related to contactless cards

There is some crime related to RFID or NFC (near field communication) on credit cards and smartphones, but it’s relatively minor. It also typically occurs in situations where you use your contactless card, so blocking products would not be effective.

For example, there may be rare occasions where merchants overcharge, or a fake frontage has been fitted to a Point-of-Sale terminal or cash machine. But these kinds of incidents are quickly exposed, and customers are always reimbursed. They’re also situations where you remove your card from your wallet or pocket, so RFID blocking can’t help anyway.

According to U.K. Finance, fraud on contactless cards and devices remains low with 19.5 million British pounds of losses during 2018, compared to spending of 69 billion British pounds over the same period. Fraud using the contactless technology on payment cards and devices represented just 2.9 percent of overall card fraud losses.

Criminals are all about the low-hanging fruit. When they can go online to the dark web and buy credit card details, including the three-digit code, for $3 to $5 apiece, why would they go to the hassle of RFID skimming?

“It’s an incredible risk for very little pay off,” Grimes said. “Using the dark web, they don’t need to worry about being close to a person or getting caught on camera.”

If you’re worried about identity theft or credit card fraud, you should be more concerned about other, verifiable crime that’s actually happening, like phishing scams. While there’s no harm in using an RFID-blocking product, it’s unlikely to help, and there’s no real need to spend money on them.

“Tin foil works just as well if not better than all of these RFID-blocking products,” Grimes said.
