RFID blockers have very limited use

I keep seeing these “RFID blockers”.

Anti RFID skimm device

RFID blockers improve your security only a bit, as contactless skimming is a high-risk/low-reward attack for the attacker. The reading distance of contactless credit cards and electronic IDs is max ±25cm (about ±10 inches) in lab conditions with 500+ Watt amplifiers (this is the kind of power that causes sparks to fly!).
If you can reliably get the reading distance up to half that in real-world situations, you can make a lot of money selling your skills in the reader market.

For this attack to work, someone needs to be basically rubbing up to you to talk to your card.
In the case of electronic IDs (eIDs) like passports, driver’s licenses and ID cards that follow international ICAO norms (i.e. any European one; American ones only since a few years ago), that still doesn’t get the attacker anything: talking to the chip requires some information from the front side of the card, namely the 3-4 lines of computer-readable text at the bottom of your passport. (In case you want to know, this is called the Machine Readable Zone (MRZ).)
Basically: you need to optically read the eID before you can electronically read it, i.e. you are already handing it over to them (ID checks at airports, rentals, hotels).

In the case of contactless credit cards, the story is a bit more complex, as it depends on what your issuing bank has configured the card for (they have a dozen or so parameters they can choose).
In general, transactions up to $25-ish, to an overall total of $150-ish, don’t require a PIN (for the tap-and-go payment of coffees).
As the electronic transactions with these credit cards are one-time and only-with-that-shop, a pair of attackers would need to pull off the following to pay with your card, in what I call a “contactless extension cord” attack, which is often called “virtual pickpocketing”:

  1. Attacker A dry-humps you to get his card reader within those ±5 inches of your card, and
  2. Attacker B, at that exact same time, is physically at a shop with a card emulator, about to pay up to the limit that we are talking about (i.e. max 5x$25-ish product).

This exposes both Attacker A and B to being physically caught, for $25-150 of stuff that still needs to be fenced at a much lower return value.
There are lower-risk and higher-reward kinds of attacks you can do as a criminal :-).

That said, if you want protection, consider adding a layer of aluminum foil to your existing wallet (this reduces the read distance to 1-2 inches), or combine it with the practicality of a compact wallet like Secrid.

With kind regards,
Wouter

Sinterklaas is the only real one!

Let it be known that I am of the firm opinion that the only real celebration of the mind expanding properties of psychedelic mushrooms saint that rewards the good and punishes the bad is the Dutch Sinterklaas, not this imposter Santa Claus.

As one of my math professors convincingly argued in a time I was still quite impressionable:

  1. 17+ million clear-headed Dutchies cannot be wrong. All those cola-advertising-indoctrinated ones can.
  2. Sinterklaas is on December 5th, Santa Claus is December 25th. Clearly the first is the first.
  3. If that is not convincing, Sinterklaas existed before the American culture that promotes Santa Claus existed. Again, the first is clearly the first, is clearly the correct one.
  4. The elder Sinterklaas spends his off-time in a warm climate (Spain). The elder Santa Claus goes and hides on the North Pole ice cap. If you could fly anywhere anytime at several times faster than the speed of sound (to deliver all the packages), without breaking the sound barrier, and you were an older gentleman, where would you go?

QED

Categories: Fun