How do I test RFID blocking devices?

  • SpinRite v6.1 Release #3
    Guest:
    The 3rd release of SpinRite v6.1 is published and may be obtained by all SpinRite v6.0 owners at the SpinRite v6.1 Pre-Release page. (SpinRite will shortly be officially updated to v6.1 so this page will be renamed.) The primary new feature, and the reason for this release, was the discovery of memory problems in some systems that were affecting SpinRite's operation. So SpinRite now incorporates a built-in test of the system's memory. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

rfrazier

Well-known member
Sep 30, 2020
549
187
Hi all,

I haven't been here for a while so I don't know what you have been discussing recently. Maybe I can catch up. My time to be on here comes and goes. But, I'm hoping you can help me with a dilemma.

A couple of years ago, my bank sent me a replacement debit card with the little wavy symbol which indicates RFID capability. Technically, it's NFC and it uses magnetics rather than RF. Regardless, it's what allows you to just wave your card near a reader and buy things. Also regardless, it's dangerous, and it allows people to steal your credit card number just by getting near you. How likely that is is up for debate. But, the fact that it's possible is not up for debate. It's a proven fact. I will cite a number of relevant YouTube videos below.

I didn't want that feature, and I didn't ask for it. I talked to the bank and they basically said tough cookies, go pound dirt. I set the card aside and I never take it out of the house. My other main card still worked so I forgot about it. Recently, my wife got a replacement card and it had the same symbol. I talked to the bank again and got the same response. For what it's worth, Delta Credit Union told me they make their own cards and that they can make them without this feature. So, I may take my business to them.

In the meantime, I'm looking at RFID blocking devices. There are thousands out there. I think I may have found a couple of reputable products. But, I need a way to test whatever I buy to see if it works. I want to be able to buy a card reader on the open market legally and, if possible, scan my credit cards for testing purposes. I need something that attaches to a Windows 7 PC via USB and appropriate software. The product needs to be reputable and not dark web stuff that's dangerous. I do not wish to have to get a merchant account. I then wish to put the credit card into the RFID blocker and see if it can still be read. I'm OK using a simulated credit card as long as it's reliable. I'm also OK if my real credit card numbers are not read or are encrypted. But, I need to know if a hacker COULD read my card while it's in or next to the supposed RFID blocker. I really don't wish to use Android as neither my phone nor my tablet has NFC. I'd also rather not go down the Arduino or Raspberry Pi road.

Here are a bunch of YouTube videos I found and a couple of products on Amazon that appear to be legit.

Let me know what you think about how I can be sure that my RFID blocker really works. All help is appreciated. See links below.

Sincerely,

Ron

-------------------


How to remove RFID chip in Credit or Debit card quick and easily.
https://www.youtube.com/watch?v=m6TLF0kp5Ik

DEFCON 20: NFC Hacking: The Easy Way
https://www.youtube.com/watch?v=7ElZBI9PufY

RFID Credit Card Chip Extracated For Your Viewing Pleasure
https://www.youtube.com/watch?v=kI-RAMBPz6w

'Crowdhacking' Steals Credit Cards Feet Away
https://www.youtube.com/watch?v=jtXaXkIL83I

EEVblog #889 - Credit Card RFID/NFC Theft Protection Tested
https://www.youtube.com/watch?v=kp63MZ6RudE

Identity Stronghold - RFID Blocking Sleeves

TICONN RFID Blocking Cards - 4 Pack
 
Last edited:
Probably the easiest way to test it is to find a friendly retailer who has a card reader and will let you try it. Alternatively, are there any unmanned outlets with card readers, e.g. car parks, where you could take your card with the blocker fitted and see if it works?
 
I'd try at a self-service gas pump.

Side note: At Petro-Canada gas pumps if I use Apple Pay (connected to a VISA card) the pump starts to freak out. Non responsive and flickering lights around the display. It takes a minute or so for the pump to restart itself, or the worker inside does it.
 
I did a simple thing, and cut 2 1mm thick copper sheets, that are on each side of the cards. They should do a decent job of screening the RFID antenna by absorbing almost all the transmitted energy from the reader, and doing a similar attenuation of the returned data as well. Tried a few tims to tap and pay without taking the card out, and there was never a successful transaction till I took the card out. Cheap, and for me free, as the copper sheet was used sheeting from an old transformer that had a guard band around it, and more effective than just using a steel plate or a mesh.
 
Hi all,

Y'all rock. It's cool getting replies overnight in the EDT time zone. I'll probably go with a commercial blocker once I find a suitable one for simplicity. The issue is verifying that it works.

We all know that many in the financial industry lie about security. So, asking the bank's website or employee what's up probably won't get good results. I read that credit card fraud is a $ 28 billion industry, so they obviously don't have a lid on things. I've had to replace several debit cards due to fraud although it wasn't related to RFID.

I am worried about 3 things. Here's my understanding thus far.

1) Fraudulent RFID transactions. They say this is hard to do and you need a merchant account to do it, and you can be traced, etc. I did see some info that leads me to believe it's possible. There may be nonces, crypto, and various things to make this harder. There may be spending limits, or limits on the number of transactions. But, if someone steals $ 20 from my account, that costs me far more time and hassle than the $ 20 is worth.

2) Card cloning. As I understand it, you can read the credit card number and expiration date through RFID and maybe address. They call it "public information". WHAT !?!?!? I've never made that information public in my life. I give it to specific people in specific instances for specific reasons. Sure, it can and does get out in the wild, but that's not the same as everybody that comes within 2 ft of me being able to see it. I don't wear the card around my neck so everyone can see the number. In one of the videos I saw, a white hat hacker RFID skimmed someone's card (with permission), cloned it to another card, and made a transaction. A week later they got a sweater in the mail that they had ordered with the stolen number. The new card may have been working with the mag stripe, not RFID, but it worked. Also, I routinely go to gas pumps, put in the card, say it's a credit card, and say NO when it wants my pin. This always makes me laugh and cringe. Sometimes it asks for my zip code and sometimes it just works. Don't like security? Just say NO.

3) Card information theft. Related to # 2. They can just steal your credit card number and sell it on the black market.

4) Tracking me everywhere I go. I don't want every store wirelessly reading the unique serial number in my pocket and knowing where I go.

@Steve @Leo I love the podcast and the info you share, BUT I am continually annoyed at your blase attitude toward privacy. Do I want people tracking my movements? Hell no. Tracking my location? Hell no. 20 apps on my phone tracking me? Hell no. Amazon Sidewalk? Hell no. My car calling the mother ship all the time? Hell no. People reading my credit card numbers? Hell no. People scanning my license plate? Hell no. All these things are just bad ideas. End of rant and thanks for all the other info you share.

So, the problem with using an active credit card terminal to determine if a blocker product works is that you have to initiate a transaction. And, once you "wave" the card, the transaction completes. I hate this. I want to dip the card and be forced to enter a pin. But, if I'm testing an RFID blocker, and the blocker fails, then the transaction goes through. I can only eat so many bags of potato chips or candy.

I was hoping to find a Windows based card reader that I could use to test each RFID blocker device. I saw such a thing in one video but he didn't say how he was doing it. It's true that I only need one that works, but I may buy other things from time to time. And, it's a fascinating thing to experiment with.

More later.

Ron
 
Last edited:
Do I want people tracking my movements? Hell no. Tracking my location? Hell no. 20 apps on my phone tracking me? Hell no. Amazon Sidewalk? Hell no. My car calling the mother ship all the time? Hell no. People reading my credit card numbers? Hell no. People scanning my license plate? Hell no.
`agree with you though I was anticipating an additional item - facial recognition. Do I want private companies or public entities photoing me and looking me up in a facial recognition database? Hell no. (says Jim).
 
  • Like
Reactions: rfrazier
Hi all,

I spent the whole day going down an RFID hacking rabbit hole. I don't have a lot of time right now for a bunch of commentary. But, I wanted to share a whole bunch of resources I've found because, well, this stuff is really cool.

For my own purposes, I've decided that I want some RFID protection for my debit cards, that I want to test it later to determine if it works, and that I'd like to do some RFID experimenting. Here are the resources I've found today. Enjoy.

Please only use this information for White Hat hacking or personal experiments.

Ron

--------------------

I have the following on order:

D-Logic µFR Nano NFC Credit Card (Visa, MasterCard.) Reader

RFID Toys: Cool Projects for Home, Office and Entertainment (ExtremeTech) 1st Edition

I may also order the Proxmark3, which seems to be the king of the hill in RFID hacking.

It also appears to be very hard to use.

These people also promote and sell RFID implants, which fall into my hell no category.




The T5577 chip is awesome! (dangerousthings)

RFID Diagnostic Card

Here's a bunch more YouTube Videos

Credit card cloning is too easy!

Testing The RFID Sleeves For Credit Cards Using A Raspberry Pi 4 And RFID Reader

MagSpoof - magnetic stripe spoofer / credit card magstripe emulator

Cloning and Emulating RFID cards with Proxmark3

Hacking your money: Cloning credit cards, stealing bitcoin and spoofing Verified by Visa
https://www.youtube.com/watch?v=zgbGuZCm2ag

Hacking High Security Cards ?? Proxmark 3 RDV2 - RFID - PROX
https://www.youtube.com/watch?v=9Px3IG9y5Zg

Hackers Are Breaking Contactless Payment Limits On Visa Cards | Forbes
https://www.youtube.com/watch?v=Xu_R4G1qDEk

How to bypass many Mifare classic based door access systems
https://www.youtube.com/watch?v=OXfUTRRl-Y8

Phantom Keys - Cloning RFID easy access to buildings
https://www.youtube.com/watch?v=CKmHb4OxE6E

[12] Cloning Credentials with the Proxmark3
https://www.youtube.com/watch?v=vfRC-ijIg6s

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523
https://www.youtube.com/watch?v=k8rNQ3mBZQ4

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524
https://www.youtube.com/watch?v=UAVYZvd0ACQ

Real-time RFID Cloning in the Field
 
Last edited:
I'm late to this topic, so just some random observations. First, the distances involved here are very small. Even if someone uses a high power transmitter targeted at the card, the card itself just doesn't have the means to respond back beyond a short distance. Since the card has to collect energy from an incoming signal to work, any Faraday cage type device that blocks signals should work fine. I have and use one of these wallets, and quite like it: https://secrid.com/en-us/wallets/ Different banking systems in different countries work differently, of course, but here in Canada the transactions are also limited in value (maximum is around $200Cdn here) and after too much spending, they will require the PIN. It's not perfect, but it should be enough to prevent someone going crazy. My bank offers the option to not authorize wireless transactions, so it's obviously possible. Is it possible to ask your bank to set a lower wireless transaction limit (maybe even as low as $0) for your cards?
 
  • Like
Reactions: rfrazier
Hi All. I wanted to give an update here. As mentioned previously, I ordered some protective devices and a card reader from Amazon. Regardless of reviews on Amazon, I wanted to actually TEST the protective devices. Rather than standing around gas pumps looking suspicious, I ordered the card reader. I got the following from Amazon.

D-Logic µFR Nano NFC Credit Card (Visa, MasterCard.) Reader 13,56 MHz RFID + Free Software SDK and 5 Cards/key fobs - $ 69.99




Identity Stronghold - RFID Blocking Sleeves, Set of 20 (16 Credit Card Sleeves + 4 Passport Sleeves) - Passport and Credit Card Protector Sleeves - Anti RFID Identity Theft Protection - $ 9.99



TICONN RFID Blocking Cards - 4 Pack, Premium Contactless NFC Debit Credit Card Passport Protector Blocker Set for Men & Women, Smart Slim Design Perfectly fits in Wallet/Purse (4) - $ 9.99


The first item is the card reader. This device is not really for consumers and is intended for hobbyists and developers. So, I had to delve into their SDK a bit to get some software working. They specifically say that attempting credit card fraud with the product will void the warranty. But, I found a Fast Card Reader Lazarus / Free Pascal app that I was able to do some testing with.

I plugged the device into the USB port and let Windows add the drivers. A LED light on the device starts flashing slowly. I was unable to update the firmware, but it worked as is. When you bring an RFID / NFC card near the device, the LED starts flashing rapidly. I started the Fast Card Reader app and clicked "Open Reader". It found the reader without a problem.

I brought one of the provided sample RFID cards near the reader and clicked "Card Info" in the app. It printed some header information including a 4 byte ID code. I clicked "Read Card" and it produced 1 KB of gibberish. That particular card hasn't been programmed. Then, I brought one of my debit cards near the reader. I clicked "Card Info" and, again, I was able to get some header information including a 4 byte ID code. Interestingly, that seems to change each time it's read. I clicked "Read Card" and it just said wrong card type. However, I'm pretty sure a hacker with the right other program could read the credit card number based on research. I don't know what else they can get. They call it "Public Information". Maybe the expiration date and the name as well. I've NEVER considered that "Public Information". I am also pretty sure from research that a hacker with special gear could probably read a card from at least a meter away. Some of the videos I linked to above are spooky.

But, the point is that the reader was successfully talking to the debit card and reading the header.

The 2nd product I bought is credit card / debit card / RFID card / passport protection sleeves. I put the debit card in one of the sleeves and brought it near the reader. The LED did NOT flash rapidly. That's a good sign. I clicked "Card Info". The app said NO CARD. I tried this a number of times. I was never able to get any info from the card with the card in the sleeve. So, while I may do further testing, I believe that these particular protection sleeves DO work.

The 3rd product I bought is an RFID protection CARD. It's not a sleeve. It's a jammer. The theory is that the card reader's NFC field activates the jammer and that the cards you're trying to protect can't talk to the reader. I put the jammer next to my debit card and brought the pair next to the reader. The LED did NOT flash rapidly. That's a good sign. I clicked "Card Info". The app said NO CARD. I tried this a number of times with the jammer card at various distances from the debit card. It's supposed to work up to 1" away. I was never able to get any info from the debit card with the jammer card next to it. So, while I may do further testing, I believe that these particular jammer cards DO work.

I've placed a jammer card in my wallet. I haven't yet decided whether I'll use a sleeve in addition to the jammer card. My wife is using a sleeve. These have a foil lining inside. Note that if they get excessively crinkled or creased, they should be replaced.

It's possible that some restaurants, etc. may be tapping the debit cards wirelessly rather than dipping them (using the chip). It's just my preference, but I'd rather they didn't do that. So, as @PHolder suggests, I may be able to get my bank to disallow wireless transactions. I've been playing phone tag with someone at corporate headquarters but so far no luck.

Hope this info is helpful.

May your bits be stable and your interfaces be fast. :cool: Ron
 
I bought and have been using a Ridge wallet. I haven't actually tested it yet, but if I remember I will give it a test at work. What I did try a while back is a Faraday cage pouch called 'Black Hole'. It has what appears to be a fine silver mesh on the inside for the actual shielding. I did run some tests on the pouch using a cell phone. It appeared to block incoming phone calls, but when a text message was sent to the shielded phone after an unusually long delay the message was received. I was driving during the tests, so I assume along the way I got close enough to a cell tower for some signal to leak in. I believe RFID scanners use far less power, and since the card gets it's power from 'outside' the pouch should shield cards- but I haven't checked that.

While the cell phone tests using the pouch (bought on Amazon) did not completely block cell signals it would probably block RFID type cards, although this pouch is too large for carrying your credit cards around for daily use. When I first bought the Ridge wallet I wasn't sure about the elastic that keeps the two plates together to hold the cards in place, but so far it has held up quite well. Working from home I haven't had many chances to test the Ridge with the security cards at work, but I suspect it will work well. There are two side plates plates made of aluminum (if I am not mistaken), and I opted for the titanium finish which puts a second metal plate screwed into the aluminum plates.

Has anyone tried making a card shield by making a pouch out of heavy aluminum foil, or better yet copper or silver foil?
 
Has anyone tried making a card shield by making a pouch out of heavy aluminum foil
My RFID enabled drivers license with "passport feature" came from the government in an aluminized envelope sized to just fit the DL. (It still fits in a wallet mostly like it wasn't in an envelope.) Unfortunately the government changed and the new government decided not enough people were using these "passport in a car" features, so when I renew my license I won't have the option to stick with one I can use in a car at the border.

In any case, I presume the government must have tested prior to deciding to provide them, but I have not. They're similar to these ones (I can't find them available on the Amazon US site but Amazon Canada lists them for a reasonable price https://www.amazon.ca/BQLZR-Credit-Blocking-WaterProof-Protector/dp/B00RMCHPZC/ )
 
I thought the foil had to be grounded for it to really work and was skeptical when the local news said to simply wrap them in foil. The tin foil hats actually do work. Wrapped in foil, the car wouldn't unlock when walking up to it and pressing a button had no impact. I ordered faraday pouches to replace the foil.
People were using remote relay attacks to engage in acts of petty-theft.
 
I thought the foil had to be grounded for it to really work and was skeptical when the local news said to simply wrap them in foil. The tin foil hats actually do work. Wrapped in foil, the car wouldn't unlock when walking up to it and pressing a button had no impact. I ordered faraday pouches to replace the foil.
Nifty. ...but for the "hats" were you using Tin foil (element Sn, atomic number 50 / atomic mass 118.71u / Empirical atomic radius 145pm / density 7.287g per cubic cm / melts at 231.93 °C.) or Aluminium foil (element Al, atomic number 13 / atomic mass 26.981538u / Empirical atomic radius 125pm / density 2.70 g per cubic cm / melts at 660.323 °C.)?

...and did the Faraday Bags work?
 
RFID cards use a coil of wire sandwiched inside the plastic. The chip uses this coil to power it. For those never wanting to use the card as handsfree payment method all you have to do is to drill a few holes along the length of the card. Just one break in the wire and job done. To test your efforts, first buy something really cheap and pay using handsfree. Go home, drill away, then try to pay hands free once again. If the payment doesn’t go through job done.

My main concern is the magnetic strip which allows the card to be skimmed. A an unscrupulous waiter, or hotelier, can take your card skim it a second and hand it back. So I take my trusty angle grinder and grind off the magnetic trip. Removing this strip stops the card from being used in ATMs, the machine spits it out immediately- horrifying that it doesn’t use the chip, even though the data is unencrypted. This feature of no magnetic strip I think is a very good thing indeed.

I got an RFID door lock which I use as a night latch. My commercially made anti RFID bum bag does prevent my card from working and it also stops my credit cards from working in shops, so that’s gives me confidence in stopping people from skimming my cards in my wallet.

But my place of work has RFID door locks. This professional door locks use a different frequency and I found that my bum bag didn’t stop the door card from working. So I made my own screens. By experiment I found that 5 layers of aluminium cooking foil, superglue between each layer, sandwiched between that sticky heat melt plastic covering that all offices have works a treat against the professional door locks. You need to make two of these foil shields and put your cards in between them both. Also you need to make the foil half an inch wider than the credit cards all round, so you need a larger than the average sized wallet to put these larger shields and your stack of cards in to it.
 
@danlock - hehe, I did forget to put "aluminum" in front of foil... and capitalize the first letter of the "Faraday" proper noun. Yes the pouch works quite well with the car remote.

A really fun site for comparing elements BTW...

1625555994950.png

1625556081832.png



EDIT:
Went offsite for Critical Temp...
1625556591142.png

(-453℉)
1625556618962.png

(8720 - 15,380℉)

...I think I see why they didn't graph that. 😉
 
Last edited:
  • Love
Reactions: danlock
IIRC my payment card is a couple of years old and doesn't have RFID. It does have a chip along with the strip. Many payment machines try to force the use of the chip and require two or three failures before reverting back to swipe. After my wallet got damp riding the motorcycle, I spent the next week having to periodically scrape off the (lightly oxidized) contacts using a key before it would read. Was about to request a new card until the rejects suddenly quit occurring.