To Buy or Not to Buy an RFID Blocking Wallet

By Michael Roedig | Contactless Payment System

RFID Blocker

We live in a wireless world; a constant shower of unseen waves that silently flow around us in every direction we turn.  Produced by Bluetooth devices, WiFi routers, cellular networks and satellite GPS services, they stream the bits and bytes that enormously transform daily routines and benefit every aspect of modern life with an untethered convenience to entertain, inform, and communicate.        

Passive Radio Frequency Identification (RFID) exists in this wireless world and within this technology there is no bigger growth segment than its use in mobile payment transactions.  Contactless bank cards, electronic wallets, automatic toll collection, fare tickets used in public transport, even the wrist bands used by theme parks and cruise lines offer fast and easy methods of purchase and payment.   Each of these methods uses RFID. 

Yet for all the benefits and convenience, the cost for using mobile payment methods should not come with a risk of exposing personal data to nefarious attempts to access your financial information by bad actors surveilling the airwaves.   Enter the RFID blocker.

A blocker is a shield that interferes with the ability of an RFID tag to execute command protocols issued by a reader to transmit its’ data content.  It’s a barrier that inhibits external radio waves from passing through the material.   It is analogous to a Faraday cage that prevents RF emissions from entering or escaping.   In laymen terms it is a condom.  And we all know once removed, so is its’ protection.  

Those that promote the RFID blocker exploit a fear to manipulate the public’s perception into thinking RFID poses a high-risk for identity theft. They suggest account information and personal identity stored in the RFID tag is openly transmitted for any technologically savvy thief to steal.  We all have seen the videos circulating in social media: A guy comes up behind somebody with a reader aimed at their pocket and steals the card’s information from the unsuspecting victim. The threat of RFID scamming has given rise to an enormous industry of RFID blocking products. These blockers are standard feature on smart wallets, and you can even buy clothes with integrated RFID blocking pockets. But how much do we really need these security measures?

Let’s understand the history and today’s facts to dispel the BS.

More than a decade ago an early attempt was made in the U.S. to replace mag-stripe with contactless RFID for payment applications.  Mag-stripe’s failings to adequately secure data were numerous and well known.  Replacing mag stripe with RFID was the correct decision, however for sake of expediency and cost savings a decision was made to simply mirror the data stored in the mag-stripe into an RFID tag. That decision was fatally flawed.  The mag-stripe contained personal information.  This maintained the payment system’s data infrastructure and thus avoided costly, time-consuming software changes that would require the entire payment platform to be reprogrammed, tested and re-certified.  The payment system would accept identically formatted data from an RFID reader in place of data sent by the mag-stripe reader.  Simply plug in an RFID reader and as far as the payment system was concerned nothing changed. Easy-peasy, right?

Although RFID’s security features are far superior to mag-stripe, they were not fully considered in the implementation.   The inherent risk of skimming data from the mag stripe was transferred to the new technology of RFID.   When it was demonstrated that RFID transmissions were vulnerable to a live relay attack, the program was abandoned.  

Unfortunately this early attempt attached an undeserved stigma that RFID is not secure when the real fault lay in the system level implementation and failure to implement data protection methods that were available, but required the undesired change to the payment platform.  

It took years to undo the harm placed on RFID’s reputation.  In addition, other counties that successfully implemented secure chip and contactless payment systems exported the rampant amount of fraud to the United States, the only country in the world that continued with mag-stripe’s inherent risks.  The fact is that RFID offers the most secure form of data transfer when properly implemented.  In reality, RFID and the method of implementation for payment is completely secure.   

Understand there are three commonly used frequencies in RFID: Low Frequency (125kHz-134kHz), High Frequency (13.56Mhz) and Ultra-High Frequency.   Contactless payment and electronic ticketing exclusively use high frequency RFID.  Why?  One important reason is that high frequency is a close-coupled technology, meaning the tag and the readers need to be physically close to one another.  Think of it like a wireless phone charger where the phone must be placed directly on the charging pad to work.  Passive, HF RFID’s power source is provided by inductively coupling with the reader’s antenna.  As such HF RFID has a limited read range.  Consider, a best in class payment reader achieves a detection range of only ten centimeters.    

Range is one method that makes unauthorized access difficult. A person attempting to read your RFID card must get their reader very close to the card.  A second method that makes contactless payment secure is the communication protocol.  The protocol is the format of the messages sent back and forth between the RFID tag and the reader.  It’s a common language that the reader and tag use in an exchange in their dialog.   It defines the data packets for command and control, rules for checking the data integrity and of course the response data.  Hackers attempt to deconstruct and mimic this exchange.  

There are several different RFID protocols; some are secure and protect the data sent across the airwaves.  Other protocols have no security whatsoever.  The non-secure protocols are used for inventory control and asset tracking applications where data secrecy is not an issue.  Proponents of an RFID blocker would have you believe the protocols used in payment are not secure.  That’s simply untrue.  Contactless payment platforms exclusively use the most robust and secure RFID protocols.

A secure protocol differentiates itself from insecure protocols by adding an authentication command.  This is a very important element that sets them apart from insecure protocols. Before exchanging sensitive data, the tag will verify it is sending its data to an authorized reader. This is done through shared keys stored in the tag and the reader. The key is used to encrypt and decrypt the data transmissions and is implemented in public and private key pair.   Depending on which protocol is implemented, the RFID card will respond with an error response or simply remain silent to a reader query without the proper key. So even if a cleaver person were to deconstruct the protocol, they would also need to crack a 128bit AES encryption key.  To give some perspective to that, the most powerful computer in the world in 2017 was the Sunway TaihuLight in China, capable of 93 Petaflops (one thousand million-million 1015 floating-point operations per second). [1] It would take a few quadrillion years to brute force a 128-bit key.

On top of all this, the data exchanged between the card, reader and payment system is defined by EMV® Contactless, a worldwide, interoperable standard for secure payment transactions. The authentication process and data exchange is valid for a solitary payment transaction.  So, even if someone were capable of using the most advanced, quantum computer to crack the key, its’ use on a subsequent transaction is completely worthless.

By the way, it is at the highest level of the payment platform where your personal data is held, not in the RFID card’s memory.   The data stored on the card only has the meaning to point to account information.         

So, if slipping your contactless credit card into a blocker gives you peace of mind, have at it.  But, rest assured that your identify is completely secure regardless if you use a blocker or not.


[1] footnote: https://proprivacy.com/guides/aes-encryption

About the Author

Michael Roedig - Senior Product Line Manager - Payment

  • A really understandable and complete explanation. I also liked the writing style. Congratulations to the author.

  • >