
How RFID Can Be Hacked and What You Can Do to Stay Safe

Simon Batt Updated 09-06-2020

These days, RFID chips are present in all sorts of items: credit cards, library books, grocery goods, security tags, implanted pet details, implanted medical records, passports, and more. While this can be very convenient, a hacker can learn a lot about you from your RFID tags.


Here are the basics of how RFID can be hacked and how to stay safe.

What Is RFID?

RFID stands for Radio Frequency Identification and it’s used for short-distance communication of information. It does not require line of sight to work, meaning that the RFID chip and the reader merely need to be within range of each other to communicate.

There are a few main types of RFID chip:

  • “Passive Tags” require the reader to emit a radio signal before the tag can be read. This also means they operate over a short distance and can’t transmit a lot of data. Examples of these can be found in credit cards and door passes.
  • “Active Tags” have on-board batteries and can therefore actively transmit their data over a larger distance. Also, they can transmit a larger amount of data than passive tags. Examples of active tags include toll passes mounted in cars.

RFID frequencies vary according to the device and country, but usually operate in this range:

  • Low Frequency RFID is <135 kHz
  • High Frequency RFID is 13.56 MHz
  • Ultra High Frequency (UHF) RFID is 868-870 MHz or 902-928 MHz
  • Super High Frequency (SHF) RFID is 2.400-2.483 GHz

How Easy Is It to Scan RFID Chips?

RFID hackers have demonstrated how easy it is to get hold of information within RFID chips. As some chips are rewritable, hackers can even delete or replace RFID information with their own data.


It’s not too tricky for a hacker to build their own RFID scanner if they want to. It’s easy to purchase the parts for the scanner, and once built, someone can scan RFID tags and get information out of them. This raises the question of whether the convenience of RFID is worth the risk.

The Number One Public Concern: Credit Card Scanning

One of the biggest public fears surrounding RFID hacking is with credit and debit cards. The fear is that while your RFID card sits in your wallet, a hacker scans the card in your pocket without you knowing. The attacker can then siphon money or steal information without you knowing about it.

This attack sounds pretty scary, and a whole market for RFID-blocking wallets has sprung up to give people peace of mind. These wallets block the radio waves that RFID uses and prevent someone from stealing your details.

But here’s the interesting part of RFID-based card attacks. While there is undeniable proof that it can happen, it hasn’t actually happened; at least, not out in the wild. The Independent reports on how hackers stole £1.18 million ($2.2 million) through contactless attacks in 10 months back in 2018. While this is a shocking number, the article contains this snippet:


“Contactless fraud is low with robust security features in place in every card,” [a UK Finance spokesperson] added. “No contactless fraud has been recorded on cards still in the possession of the original owner.”

In short, the only scams happened when the victim lost their card in some way; not while it was still in their pocket. This means the panic surrounding RFID card scanning is bigger than the attacks themselves. Still, if the very idea of this attack being possible is enough to make you shiver, an RFID wallet can help.

How to Prevent RFID Hacking

So, if you do want to stay on the safe side, how do you block RFID signals? In general, metal and water are the best ways to block radio signals to and from your RFID chip. Once you block this signal, the RFID tag is unreadable.

Equip Your Wallet and Pockets to Stop RFID Signals

A budget-friendly way to block RFID signals is to use aluminum foil. You can use a wad of foil, or combine it with cardboard to create a home-made blocker for your wallet. However, aluminum foil doesn’t block all of the signal, and can wear out over time. As such, it’s definitely not an ideal solution.

It should also be mentioned that many sellers of RFID protection are basically just selling foil sleeves. Be wary of these as they won’t protect you fully.


In some countries, governments have begun to give accreditation to RFID protection that complies with certain standards. Be on the lookout for this accreditation when you purchase RFID protective wallets, passport pouches, and sleeves.

The most effective RFID-blocking sleeves, pouches, and wallets on the market are those that use a Faraday Cage within a leather exterior. Faraday cages in paper sleeves are also very effective but will be less durable. Search for protection that contains the words “Electromagnetically Opaque” and you should be on the right track.

However, it’s important to remember that an RFID wallet does not make your card impervious to scams. You can still lose the card if you’re careless, and an ATM skimmer will still steal your data. In short, continue practicing good credit card security measures even if you have an RFID-blocking wallet.

Double-Check Your RFID Security

You can also ensure your security plan does not rely on RFID only. For instance, contact your credit card issuer and see if they will disable RFID-only purchases on your card. Then if someone were to clone the RFID tag in your card you would still be safe from theft. Another example would be to not rely on RFID door passes for your office and to ensure there is another robust security system in place.


If you are paranoid about your RFID presence, you could make your own RFID reader and regularly check your household to see what is readable and check how well your RFID protection is working. For the extremely paranoid, you could do periodic sweeps to see if anything has changed.
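
As an added illustration (not part of the original article), the periodic sweep described above comes down to comparing what a reader saw against an inventory of the tags you own. The log format, UIDs, locations and labels below are constructed for the example; a real reader's output will differ.

```python
import csv
import io

# Constructed sample data: baseline inventory of tags you own.
# "shielded" means the item is stored in an RFID-blocking sleeve or wallet.
BASELINE = {
    "04A1B2C3": {"label": "bank card", "shielded": True},
    "04D4E5F6": {"label": "passport", "shielded": True},
    "1122AABB": {"label": "office door pass", "shielded": False},
    "99887766": {"label": "library book", "shielded": False},
}

# Constructed sweep log: time, location, tag UID as reported by the reader.
SWEEP_LOG = """\
2020-06-09T19:00:02,hallway,1122aabb
2020-06-09T19:00:05,hallway,04A1B2C3
2020-06-09T19:00:05,hallway,04A1B2C3
2020-06-09T19:01:40,study,5566CCDD
"""

def parse_sweep(text):
    """Return {uid: set of locations} for every tag read during the sweep."""
    seen = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        _time, location, uid = (field.strip() for field in row)
        seen.setdefault(uid.upper(), set()).add(location)
    return seen

def compare(baseline, seen):
    """Classify the sweep result against the baseline inventory."""
    findings = {"shield_failed": [], "unknown": [], "not_seen": []}
    for uid in sorted(seen):
        entry = baseline.get(uid)
        if entry is None:
            findings["unknown"].append(uid)        # tag you did not know about
        elif entry["shielded"]:
            findings["shield_failed"].append(uid)  # blocker let the read through
    for uid, entry in sorted(baseline.items()):
        if not entry["shielded"] and uid not in seen:
            findings["not_seen"].append(uid)       # moved, dead, or out of range
    return findings

if __name__ == "__main__":
    for kind, uids in compare(BASELINE, parse_sweep(SWEEP_LOG)).items():
        for uid in uids:
            label = BASELINE.get(uid, {}).get("label", "unrecorded tag")
            print(f"{kind}: {uid} ({label})")
```

A shielded tag that never shows up in a sweep is the expected result, so it is deliberately not reported.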

Staying Safe From Invisible Attacks

As hackers have demonstrated, RFID is not impervious to attack. There are cheap ways to build a scanner, at which point they can scan tags for sensitive information. While the panic around this form of attack may overshadow the actual chance that you’ll encounter it, it’s still worth knowing how to defend yourself in case of future developments.


  1. Lucas DoCarmo
    February 10, 2018 at 2:56 am

    Many people are thinking of implanting these chips into their bodies. How would they defend from hacking in this situation?

    • deko
      November 9, 2018 at 8:35 am

      What is there to hack?
      I have an NFC implant and the distance required to read the chip hasn't been less than 1cm. I've tried with various readers and was never able to read at 1+ cm.

      Also, even if "they" hack my chip, what use could they have? To track me with this tag is a silly thought as well; how would one know it is ME who has the chip, because there are no visual clues on my hand to reveal that I have an implant.

      If people are so scared of surveillance and privacy then they really need to rethink the causes. One's mobiles are constantly being tracked, Visa and MasterCards with NFC contain more damaging data (from a theft POV) and so on.
      Not to mention all the cookies our browsers store and can be tracked down to what we have searched on the web and which sites we have been visiting.

      So honestly, there are more risks in our general everyday behaviours than these implants :)

  2. D. Mc
    April 20, 2016 at 4:37 pm

    I have personally found that a neodymium magnet (found in hard drives) completely disables RFID when physically pressed together.

  3. Mary Blacksheep
    March 16, 2016 at 8:25 pm

    I am a Leather Smith and would like to find the right product that I can incorporate into my wallets to protect people from this sort of theft. If anyone knows anything about using the right material to help protect people from this mess, please send me a reply. Thank you.

    • Jona Marie
      July 30, 2016 at 9:05 pm

      Mary:
      I was looking for a product for my own personal wallets/bags, after researching just what works and doesn't. The article above concurs with what I've found from multiple sources.
      After knowing what to look for, I found this:
      Kryptronic Technologies, Munich, Germany
      Produces a sheet product called CryptAlloy. http://www.cryptalloy.de/en/cryptalloy/
      They seem to answer all questions, and provide a quasi-Faraday cage and electromagnetic reflection/attenuation product. Reading all the pages on the site will give you a great knowledge of the topic.
      The bad news is they show no dealers in the Americas, I wrote, but no response.
      Perhaps someone should ask who can speak German?
      Let me know if you track down any source where we can buy in small supply, please.
      You can write me at KnowHound and the domain is AOL com.

  4. Christopher Webb
    November 29, 2012 at 8:42 pm

    So, what is stopping criminals from using devices similar to skimming on ATMs to steal info?

    • Angela Alcorn
      November 30, 2012 at 3:14 pm

      ATM skimming relies on you actually putting the card into a slot and having the magnetic strip or chip read. But similar devices could easily be built for the RFID chips in credit cards, for sure. That's precisely why you need to protect all your RFID chips.

  5. Priya
    November 2, 2012 at 4:41 am

    Thanks for the informative article.

  6. Douglas Mutay
    October 31, 2012 at 9:57 am

    These pretty cool things are not yet among us in Africa...but they sound awesome!

    • Jona Marie
      July 30, 2016 at 9:07 pm

      Why do they sound "awesome" - the article was a cautionary tale. Are you amongst the nasty buggers in Nigeria always trying to find new ways to rip off the law-abiding world?

      • Douglas Mutay
        July 30, 2016 at 9:18 pm

        I was talking about the RFID protective wallets. Did you read the whole article or were you just going through the comments to find out about the subject?! And for your info I'm not from Nigeria, but stop thinking that low about this country. These "nasty buggers" are everywhere in the world. Thanks.

  7. Joy2b
    October 30, 2012 at 5:49 pm

    Accessory shops sell small metal wallets quite cheaply. The small ones are about the size of a stack of six cards, and could fit in a large wallet. I was surprised when I started getting compliments on mine, as I thought of it as just functional.

    • joy2b
      October 30, 2012 at 6:06 pm

      By the way, think twice before destroying your rfid chips, or preventing them from being used for transactions.
      You may wish to disable your debit card's rfid, but keep a rfid credit card, so you can do small transactions while you travel. In Europe and Japan, you may be assumed to have one of these.

      • Angela Alcorn
        November 3, 2012 at 3:51 pm

        Good point! Thanks for sharing.

  8. Gabriel Barron
    October 27, 2012 at 5:19 pm

    They want to put this into people's arms???

    • zolar1
      November 2, 2012 at 2:22 am

      yes, in your right hand or forehead.

      Those without can't buy or sell anything nor do banking or hold a job.

      As soon as the next global disaster hits, nearly everyone will have to have one for food rationing...

    • Angela Alcorn
      November 9, 2012 at 10:37 am

      I know. Nuts, isn't it?

  9. Tim Brookes
    October 27, 2012 at 1:49 am

    Really interesting article Ange. I find that the best way to block an RFID chip from being read is to store all your RFID cards together. Whenever I try and get on a tram or train by touching my RFID-enabled pre-paid card, at least 50% of the time I will get an error because my bank card is too near it and the signals interfere...

    I'm not sure whether this actually counts as "blocking" or even security but it definitely prevents the card from being read.

    • Angela Alcorn
      November 3, 2012 at 3:53 pm

      It would certainly muddle the signal, but you're not guaranteed safety this way. If you lined your wallet with foil as well, the two things together would be better. Still not 100% though!

    • Eric
      January 19, 2017 at 1:21 pm

      Putting cards together is not protecting you from hackers. Each card can still be read individually. A hacker will choose to read all the information from all the cards. The reason that tram or train devices don't read multiple cards at the same time is a choice they made when they wrote the software on the device. This is so that the tram/train company doesn't have to pick a card to use and then possibly use the 'wrong' card.

    • Eric
      January 19, 2017 at 1:36 pm

      Putting multiple cards together does not do anything to prevent a hacker from reading cards. The hacker can read all the cards individually even when they are together. The reason why the cards don't work on a train/tram validator is because they chose to implement their software that way. The train company wants to be sure they take money from the correct card.

  10. Keith D.
    October 27, 2012 at 1:08 am

    Great article Angela! Very informative yet very troubling. Thank you & thank MakeUseOf.com for publishing you! By the way, I live in Alcorn County, Mississippi. The county in which the city I really live is located, was named to honor the first Republican Gov of the state - his last name was Alcorn! Enough on the history already!

  11. Igor Rizvi?
    October 26, 2012 at 9:04 pm

    Very interesting stuff. Point taken, thanks for sharing this.

  12. Alex Perkins
    October 26, 2012 at 7:25 pm

    A metal credit card holder in a wallet would help.

  13. Efi Dreyshner
    October 26, 2012 at 5:08 pm

    The thinking about hacking RFID is just scary XD

  14. kendall sencherey
    October 26, 2012 at 1:51 pm

    That is good to know, we will keep our eyes open. Thanks a lot.

  15. Kaashif Haja
    October 26, 2012 at 12:11 pm

    Advanced Technology! With its pros and cons.
    Nice Article. Thanks

  16. Vivek Kumar
    October 26, 2012 at 10:11 am

    Very useful info, thanks.

  17. Anonymous
    October 26, 2012 at 9:07 am

    Great and useful, thanks 'MakeUseOf'.

  18. Adrian Rea
    October 26, 2012 at 8:07 am

    A very interesting article, thank you. I am glad that I prefer to use older style authentication methods for my banking now :) but as said above, no system is perfect. Vigilance and awareness of possible risk helps promote safety. Beep! now what rfid set that off?!!

  19. Stephanie w
    October 26, 2012 at 3:07 am

    This is really useful information to have. Would the Sony Smart Tags have rfid chips in them?

    • Angela Alcorn
      November 3, 2012 at 3:54 pm

      I don't know exactly what you mean by Sony Smart Tags, sorry. By the sounds of the name though, it is an RFID tag. Keep it protected!

    • Daniel Mclean
      November 7, 2012 at 1:36 am

      yes they have

  20. Achraf Almouloudi
    October 26, 2012 at 1:04 am

    Getting an Arduino costs more than $65 and it's not that easy to deal with, so probably, not REALLY everyone could be reading your cards.

    • Angela Alcorn
      November 3, 2012 at 3:55 pm

      Not everyone, but certainly plenty of people are capable. :)

    • random
      February 27, 2013 at 9:56 pm

      You can buy the chip for $2, get a programmer for $10, voilà, cheap Arduino.

  21. Ahmed Khalil
    October 26, 2012 at 12:56 am

    There is no system 100% safe; all systems have a weak point, the difference is how to hide it.

  22. Jesse Manalansan
    October 26, 2012 at 12:49 am

    Thanks for sharing this info with us.

  23. RG
    October 25, 2012 at 10:48 pm

    Distance is moot, the fact that it's possible is an issue in itself

  24. Javier Vega
    October 25, 2012 at 10:39 pm

    Wow... so useful nowadays, thanks.