How do I test RFID blocking devices?

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.
  • Larger Font Styles
    Guest:

    Just a quick heads-up that I've implemented larger font variants of our forum's light and dark page styles. You can select the style of your choice by scrolling to the footer of any page here. This might be more comfortable (it is for me) for those with high-resolution displays where the standard fonts, while permitting a lot of text to fit on the screen, might be uncomfortably small.

    (You can permanently dismiss this notification with the “X” at the upper right.)

    /Steve.

rfrazier

Well-known member
Sep 30, 2020
240
78
Hi all,

I haven't been here for a while so I don't know what you have been discussing recently. Maybe I can catch up. My time to be on here comes and goes. But, I'm hoping you can help me with a dilemma.

A couple of years ago, my bank sent me a replacement debit card with the little wavy symbol which indicates RFID capability. Technically, it's NFC and it uses magnetics rather than RF. Regardless, it's what allows you to just wave your card near a reader and buy things. Also regardless, it's dangerous, and it allows people to steal your credit card number just by getting near you. How likely that is is up for debate. But, the fact that it's possible is not up for debate. It's a proven fact. I will cite a number of relevant YouTube videos below.

I didn't want that feature, and I didn't ask for it. I talked to the bank and they basically said tough cookies, go pound dirt. I set the card aside and I never take it out of the house. My other main card still worked so I forgot about it. Recently, my wife got a replacement card and it had the same symbol. I talked to the bank again and got the same response. For what it's worth, Delta Credit Union told me they make their own cards and that they can make them without this feature. So, I may take my business to them.

In the meantime, I'm looking at RFID blocking devices. There are thousands out there. I think I may have found a couple of reputable products. But, I need a way to test whatever I buy to see if it works. I want to be able to buy a card reader on the open market legally and, if possible, scan my credit cards for testing purposes. I need something that attaches to a Windows 7 PC via USB and appropriate software. The product needs to be reputable and not dark web stuff that's dangerous. I do not wish to have to get a merchant account. I then wish to put the credit card into the RFID blocker and see if it can still be read. I'm OK using a simulated credit card as long as it's reliable. I'm also OK if my real credit card numbers are not read or are encrypted. But, I need to know if a hacker COULD read my card while it's in or next to the supposed RFID blocker. I really don't wish to use Android as neither my phone nor my tablet has NFC. I'd also rather not go down the Arduino or Raspberry Pi road.

Here are a bunch of YouTube videos I found and a couple of products on Amazon that appear to be legit.

Let me know what you think about how I can be sure that my RFID blocker really works. All help is appreciated. See links below.

Sincerely,

Ron

-------------------


How to remove RFID chip in Credit or Debit card quick and easily.
https://www.youtube.com/watch?v=m6TLF0kp5Ik

DEFCON 20: NFC Hacking: The Easy Way
https://www.youtube.com/watch?v=7ElZBI9PufY

RFID Credit Card Chip Extracated For Your Viewing Pleasure
https://www.youtube.com/watch?v=kI-RAMBPz6w

'Crowdhacking' Steals Credit Cards Feet Away
https://www.youtube.com/watch?v=jtXaXkIL83I

EEVblog #889 - Credit Card RFID/NFC Theft Protection Tested
https://www.youtube.com/watch?v=kp63MZ6RudE

Identity Stronghold - RFID Blocking Sleeves

TICONN RFID Blocking Cards - 4 Pack
 
Last edited:

AlanD

Well-known member
Sep 18, 2020
218
75
Rutland UK
Probably the easiest way to test it is to find a friendly retailer who has a card reader and will let you try it. Alternatively, are there any unmanned outlets with card readers, e.g. car parks, where you could take your card with the blocker fitted and see if it works?
 

Tazz

Not my real name.
Sep 18, 2020
51
18
Nova Scotia, Canada
I'd try at a self-service gas pump.

Side note: At Petro-Canada gas pumps if I use Apple Pay (connected to a VISA card) the pump starts to freak out. Non responsive and flickering lights around the display. It takes a minute or so for the pump to restart itself, or the worker inside does it.
 

SeanBZA

Member
Oct 1, 2020
18
4
I did a simple thing, and cut 2 1mm thick copper sheets, that are on each side of the cards. They should do a decent job of screening the RFID antenna by absorbing almost all the transmitted energy from the reader, and doing a similar attenuation of the returned data as well. Tried a few tims to tap and pay without taking the card out, and there was never a successful transaction till I took the card out. Cheap, and for me free, as the copper sheet was used sheeting from an old transformer that had a guard band around it, and more effective than just using a steel plate or a mesh.
 

rfrazier

Well-known member
Sep 30, 2020
240
78
Hi all,

Y'all rock. It's cool getting replies overnight in the EDT time zone. I'll probably go with a commercial blocker once I find a suitable one for simplicity. The issue is verifying that it works.

We all know that many in the financial industry lie about security. So, asking the bank's website or employee what's up probably won't get good results. I read that credit card fraud is a $ 28 billion industry, so they obviously don't have a lid on things. I've had to replace several debit cards due to fraud although it wasn't related to RFID.

I am worried about 3 things. Here's my understanding thus far.

1) Fraudulent RFID transactions. They say this is hard to do and you need a merchant account to do it, and you can be traced, etc. I did see some info that leads me to believe it's possible. There may be nonces, crypto, and various things to make this harder. There may be spending limits, or limits on the number of transactions. But, if someone steals $ 20 from my account, that costs me far more time and hassle than the $ 20 is worth.

2) Card cloning. As I understand it, you can read the credit card number and expiration date through RFID and maybe address. They call it "public information". WHAT !?!?!? I've never made that information public in my life. I give it to specific people in specific instances for specific reasons. Sure, it can and does get out in the wild, but that's not the same as everybody that comes within 2 ft of me being able to see it. I don't wear the card around my neck so everyone can see the number. In one of the videos I saw, a white hat hacker RFID skimmed someone's card (with permission), cloned it to another card, and made a transaction. A week later they got a sweater in the mail that they had ordered with the stolen number. The new card may have been working with the mag stripe, not RFID, but it worked. Also, I routinely go to gas pumps, put in the card, say it's a credit card, and say NO when it wants my pin. This always makes me laugh and cringe. Sometimes it asks for my zip code and sometimes it just works. Don't like security? Just say NO.

3) Card information theft. Related to # 2. They can just steal your credit card number and sell it on the black market.

4) Tracking me everywhere I go. I don't want every store wirelessly reading the unique serial number in my pocket and knowing where I go.

@Steve @Leo I love the podcast and the info you share, BUT I am continually annoyed at your blase attitude toward privacy. Do I want people tracking my movements? Hell no. Tracking my location? Hell no. 20 apps on my phone tracking me? Hell no. Amazon Sidewalk? Hell no. My car calling the mother ship all the time? Hell no. People reading my credit card numbers? Hell no. People scanning my license plate? Hell no. All these things are just bad ideas. End of rant and thanks for all the other info you share.

So, the problem with using an active credit card terminal to determine if a blocker product works is that you have to initiate a transaction. And, once you "wave" the card, the transaction completes. I hate this. I want to dip the card and be forced to enter a pin. But, if I'm testing an RFID blocker, and the blocker fails, then the transaction goes through. I can only eat so many bags of potato chips or candy.

I was hoping to find a Windows based card reader that I could use to test each RFID blocker device. I saw such a thing in one video but he didn't say how he was doing it. It's true that I only need one that works, but I may buy other things from time to time. And, it's a fascinating thing to experiment with.

More later.

Ron
 
Last edited:

JimWilliamson

Active member
Nov 15, 2020
26
8
Do I want people tracking my movements? Hell no. Tracking my location? Hell no. 20 apps on my phone tracking me? Hell no. Amazon Sidewalk? Hell no. My car calling the mother ship all the time? Hell no. People reading my credit card numbers? Hell no. People scanning my license plate? Hell no.
`agree with you though I was anticipating an additional item - facial recognition. Do I want private companies or public entities photoing me and looking me up in a facial recognition database? Hell no. (says Jim).
 
  • Like
Reactions: rfrazier

rfrazier

Well-known member
Sep 30, 2020
240
78
Hi all,

I spent the whole day going down an RFID hacking rabbit hole. I don't have a lot of time right now for a bunch of commentary. But, I wanted to share a whole bunch of resources I've found because, well, this stuff is really cool.

For my own purposes, I've decided that I want some RFID protection for my debit cards, that I want to test it later to determine if it works, and that I'd like to do some RFID experimenting. Here are the resources I've found today. Enjoy.

Please only use this information for White Hat hacking or personal experiments.

Ron

--------------------

I have the following on order:

D-Logic µFR Nano NFC Credit Card (Visa, MasterCard.) Reader

RFID Toys: Cool Projects for Home, Office and Entertainment (ExtremeTech) 1st Edition

I may also order the Proxmark3, which seems to be the king of the hill in RFID hacking.

It also appears to be very hard to use.

These people also promote and sell RFID implants, which fall into my hell no category.




The T5577 chip is awesome! (dangerousthings)

RFID Diagnostic Card

Here's a bunch more YouTube Videos

Credit card cloning is too easy!

Testing The RFID Sleeves For Credit Cards Using A Raspberry Pi 4 And RFID Reader

MagSpoof - magnetic stripe spoofer / credit card magstripe emulator

Cloning and Emulating RFID cards with Proxmark3

Hacking your money: Cloning credit cards, stealing bitcoin and spoofing Verified by Visa
https://www.youtube.com/watch?v=zgbGuZCm2ag

Hacking High Security Cards ?? Proxmark 3 RDV2 - RFID - PROX
https://www.youtube.com/watch?v=9Px3IG9y5Zg

Hackers Are Breaking Contactless Payment Limits On Visa Cards | Forbes
https://www.youtube.com/watch?v=Xu_R4G1qDEk

How to bypass many Mifare classic based door access systems
https://www.youtube.com/watch?v=OXfUTRRl-Y8

Phantom Keys - Cloning RFID easy access to buildings
https://www.youtube.com/watch?v=CKmHb4OxE6E

[12] Cloning Credentials with the Proxmark3
https://www.youtube.com/watch?v=vfRC-ijIg6s

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523
https://www.youtube.com/watch?v=k8rNQ3mBZQ4

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524
https://www.youtube.com/watch?v=UAVYZvd0ACQ

Real-time RFID Cloning in the Field
 
Last edited:

PHolder

Well-known member
Sep 16, 2020
668
2
328
Ontario, Canada
I'm late to this topic, so just some random observations. First, the distances involved here are very small. Even if someone uses a high power transmitter targeted at the card, the card itself just doesn't have the means to respond back beyond a short distance. Since the card has to collect energy from an incoming signal to work, any Faraday cage type device that blocks signals should work fine. I have and use one of these wallets, and quite like it: https://secrid.com/en-us/wallets/ Different banking systems in different countries work differently, of course, but here in Canada the transactions are also limited in value (maximum is around $200Cdn here) and after too much spending, they will require the PIN. It's not perfect, but it should be enough to prevent someone going crazy. My bank offers the option to not authorize wireless transactions, so it's obviously possible. Is it possible to ask your bank to set a lower wireless transaction limit (maybe even as low as $0) for your cards?
 
  • Like
Reactions: rfrazier