These days, RFID chips are present in all sorts of items: credit cards, library books, grocery goods, security tags, implanted pet details, implanted medical records, passports, and more. While this can be very convenient, a hacker can learn a lot about you from your RFID tags.
Here’s the basics of how RFID can be hacked and how to stay safe.
What Is RFID?
RFID stands for Radio Frequency Identification and it’s used for short-distance communication of information. It does not require line of sight to work, meaning that the RFID chip and the reader merely need to be within range of each other to communicate.
There are a few main types of RFID chip:
- “Passive Tags” require a radio signal to emit from the receiver to read the tag. This also means they operate on a small distance and can’t transmit a lot of data. Examples of these can be found in credit cards and door passes.
- “Active Tags” have on-board batteries and can therefore actively transmit their data over a larger distance. Also, they can transmit a larger amount of data than passive tags. Examples of active tags include toll passes mounted in cars.
RFID frequencies vary according to the device and country, but usually operate in this range:
- Low Frequency RFID is <135 KHz
- High Frequency RFID is 13.56 MHz
- Ultra High Frequency (UFH) RFID is 868-870 MHz or 902-928 MHz
- Super High Frequency (SHF) RFID is 2.400-2.483 GHz
How Easy Is It to Scan RFID Chips?
RFID hackers have demonstrated how easy it is to get hold of information within RFID chips. As some chips are rewritable, hackers can even delete or replace RFID information with their own data.
It’s not too tricky for a hacker build his or her own RFID scanner if they wanted to. It’s easy to purchase the parts for the scanner, and once built, someone can scan RFID tags and get information out of them. This creates some concern if the convenience of RFID is worth this risk.
The Number One Public Concern: Credit Card Scanning
One of the biggest public fears surrounding RFID hacking is with credit and debit cards. While your RFID card is safe in your wallet, a hacker scans the card in your pocket without you knowing. The attacker can then siphon money or steal information without you knowing about it.
This attack sounds pretty scary, and a whole market for RFID-blocking wallets has sprung up to give people peace of mind. These wallets block the radio waves that RFID uses and prevents someone from stealing your details.
But here’s the interesting part of RFID-based card attacks. While there is undeniable proof that it can happen, it hasn’t actually happened; at least, not out in the wild. The Independent reports on how hackers stole £1.18 million ($2.2 million) through contactless attacks in 10 months back in 2018. While this is a shocking number, the article contains this snippet:
“Contactless fraud is low with robust security features in place in every card,” [a UK Finance spokesperson] added. “No contactless fraud has been recorded on cards still in the possession of the original owner.”
In short, the only scams happened when the victim lost their card in some way; not while it was still in their pocket. This means the panic surrounding RFID card scanning is bigger than the attacks themselves. Still, if the very idea of this attack being possible is enough to make you shiver, an RFID wallet can help.
How to Prevent RFID Hacking
So, if you do want to stay on the safe side, how do you block RFID signals? In general, metal and water are the best ways to block radio signals to and from your RFID chip. Once you block this signal, the RFID tag is unreadable.
Equip Your Wallet and Pockets to Stop RFID Signals
A budget-friendly way to block RFID signals is to use aluminum foil. You can use a wad of foil, or combine it with cardboard to create a home-made blocker for your wallet. However, aluminum foil doesn’t block all of the signal, and can wear out over time. As such, it’s definitely not an ideal solution.
It should also be mentioned that many sellers of RFID protection are basically just selling foil sleeves. Be wary of these as they won’t protect you fully.
In some countries, governments have begun to give accreditation to RFID protection that complies with certain standards. Be on the lookout for this accreditation when you purchase RFID protective wallets, passport pouches, and sleeves.
The most effective RFID-blocking sleeves, pouches, and wallets on the market are those that use a Faraday Cage within a leather exterior. Faraday cages in paper sleeves are also very effective but will be less durable. Search for protection that contains the words “Electromagnetically Opaque” and you should be on the right track.
However, it’s important to remember that an RFID wallet does not make your card impervious to scams. You can still lose the card if you’re careless, and an ATM skimmer will still steal your data. In short, continue practicing good credit card security measures even if you have an RFID-blocking wallet.
Double-Check Your RFID Security
You can also ensure your security plan does not rely on RFID only. For instance, contact your credit card issuer and see if they will disable RFID-only purchases on your card. Then if someone were to clone the RFID tag in your card you would still be safe from theft. Another example would be to not rely on RFID door passes for your office and to ensure there is another robust security system in place.
If you are paranoid about your RFID presence, you could make your own RFID reader and regularly check your household to see what is readable and check how well your RFID protection is working. For the extremely paranoid, you could do periodic sweeps to see if anything has changed.
Staying Safe From Invisible Attacks
As hackers have demonstrated, RFID is not impervious from attacks. There are cheap ways to build a scanner, at which point they can scan tags for sensitive information. While the panic around this form of attack may outshadow the actual chance that you’ll encounter it, it’s still worth knowing how to defend yourself in case of future developments.
Now that your RFID is secure, why not learn how Bluetooth can be a security risk?