How do I test RFID blocking devices?

#1

rfrazier

Hi all,

I haven't been here for a while so I don't know what you have been discussing recently. Maybe I can catch up. My time to be on here comes and goes. But, I'm hoping you can help me with a dilemma.

A couple of years ago, my bank sent me a replacement debit card with the little wavy symbol which indicates RFID capability. Technically, it's NFC and it uses magnetics rather than RF. Regardless, it's what allows you to just wave your card near a reader and buy things. Also regardless, it's dangerous, and it allows people to steal your credit card number just by getting near you. How likely that is is up for debate. But, the fact that it's possible is not up for debate. It's a proven fact. I will cite a number of relevant YouTube videos below.

I didn't want that feature, and I didn't ask for it. I talked to the bank and they basically said tough cookies, go pound dirt. I set the card aside and I never take it out of the house. My other main card still worked so I forgot about it. Recently, my wife got a replacement card and it had the same symbol. I talked to the bank again and got the same response. For what it's worth, Delta Credit Union told me they make their own cards and that they can make them without this feature. So, I may take my business to them.

In the meantime, I'm looking at RFID blocking devices. There are thousands out there. I think I may have found a couple of reputable products. But, I need a way to test whatever I buy to see if it works. I want to be able to buy a card reader on the open market legally and, if possible, scan my credit cards for testing purposes. I need something that attaches to a Windows 7 PC via USB and appropriate software. The product needs to be reputable and not dark web stuff that's dangerous. I do not wish to have to get a merchant account. I then wish to put the credit card into the RFID blocker and see if it can still be read. I'm OK using a simulated credit card as long as it's reliable. I'm also OK if my real credit card numbers are not read or are encrypted. But, I need to know if a hacker COULD read my card while it's in or next to the supposed RFID blocker. I really don't wish to use Android as neither my phone nor my tablet has NFC. I'd also rather not go down the Arduino or Raspberry Pi road.

Here are a bunch of YouTube videos I found and a couple of products on Amazon that appear to be legit.

Let me know what you think about how I can be sure that my RFID blocker really works. All help is appreciated. See links below.

Sincerely,

Ron

-------------------


How to remove RFID chip in Credit or Debit card quick and easily.
https://www.youtube.com/watch?v=m6TLF0kp5Ik

DEFCON 20: NFC Hacking: The Easy Way
https://www.youtube.com/watch?v=7ElZBI9PufY

RFID Credit Card Chip Extracated For Your Viewing Pleasure
https://www.youtube.com/watch?v=kI-RAMBPz6w

'Crowdhacking' Steals Credit Cards Feet Away
https://www.youtube.com/watch?v=jtXaXkIL83I

EEVblog #889 - Credit Card RFID/NFC Theft Protection Tested
https://www.youtube.com/watch?v=kp63MZ6RudE

Identity Stronghold - RFID Blocking Sleeves

TICONN RFID Blocking Cards - 4 Pack


#2

rfrazier

PS:


Ron


#3

Mervyn Haynes

In the meantime, I'm looking at RFID blocking devices.
People have the same-ish problem with keyless entry on cars. I purchased a "wallet" for the car key fob, and can say that was 100% effective. Although that was easier to test than your problem.


#4

AlanD

Probably the easiest way to test it is to find a friendly retailer who has a card reader and will let you try it. Alternatively, are there any unmanned outlets with card readers, e.g. car parks, where you could take your card with the blocker fitted and see if it works?


#5

Tazz

I'd try at a self-service gas pump.

Side note: At Petro-Canada gas pumps if I use Apple Pay (connected to a VISA card) the pump starts to freak out. Non responsive and flickering lights around the display. It takes a minute or so for the pump to restart itself, or the worker inside does it.


#6

SeanBZA

I did a simple thing, and cut 2 1mm thick copper sheets, that are on each side of the cards. They should do a decent job of screening the RFID antenna by absorbing almost all the transmitted energy from the reader, and doing a similar attenuation of the returned data as well. Tried a few times to tap and pay without taking the card out, and there was never a successful transaction till I took the card out. Cheap, and for me free, as the copper sheet was used sheeting from an old transformer that had a guard band around it, and more effective than just using a steel plate or a mesh.


#7

rfrazier

Hi all,

Y'all rock. It's cool getting replies overnight in the EDT time zone. I'll probably go with a commercial blocker once I find a suitable one for simplicity. The issue is verifying that it works.

We all know that many in the financial industry lie about security. So, asking the bank's website or employee what's up probably won't get good results. I read that credit card fraud is a $ 28 billion industry, so they obviously don't have a lid on things. I've had to replace several debit cards due to fraud although it wasn't related to RFID.

I am worried about 3 things. Here's my understanding thus far.

1) Fraudulent RFID transactions. They say this is hard to do and you need a merchant account to do it, and you can be traced, etc. I did see some info that leads me to believe it's possible. There may be nonces, crypto, and various things to make this harder. There may be spending limits, or limits on the number of transactions. But, if someone steals $ 20 from my account, that costs me far more time and hassle than the $ 20 is worth.

2) Card cloning. As I understand it, you can read the credit card number and expiration date through RFID and maybe address. They call it "public information". WHAT !?!?!? I've never made that information public in my life. I give it to specific people in specific instances for specific reasons. Sure, it can and does get out in the wild, but that's not the same as everybody that comes within 2 ft of me being able to see it. I don't wear the card around my neck so everyone can see the number. In one of the videos I saw, a white hat hacker RFID skimmed someone's card (with permission), cloned it to another card, and made a transaction. A week later they got a sweater in the mail that they had ordered with the stolen number. The new card may have been working with the mag stripe, not RFID, but it worked. Also, I routinely go to gas pumps, put in the card, say it's a credit card, and say NO when it wants my pin. This always makes me laugh and cringe. Sometimes it asks for my zip code and sometimes it just works. Don't like security? Just say NO.

3) Card information theft. Related to # 2. They can just steal your credit card number and sell it on the black market.

4) Tracking me everywhere I go. I don't want every store wirelessly reading the unique serial number in my pocket and knowing where I go.

@Steve @Leo I love the podcast and the info you share, BUT I am continually annoyed at your blase attitude toward privacy. Do I want people tracking my movements? Hell no. Tracking my location? Hell no. 20 apps on my phone tracking me? Hell no. Amazon Sidewalk? Hell no. My car calling the mother ship all the time? Hell no. People reading my credit card numbers? Hell no. People scanning my license plate? Hell no. All these things are just bad ideas. End of rant and thanks for all the other info you share.

So, the problem with using an active credit card terminal to determine if a blocker product works is that you have to initiate a transaction. And, once you "wave" the card, the transaction completes. I hate this. I want to dip the card and be forced to enter a pin. But, if I'm testing an RFID blocker, and the blocker fails, then the transaction goes through. I can only eat so many bags of potato chips or candy.

I was hoping to find a Windows based card reader that I could use to test each RFID blocker device. I saw such a thing in one video but he didn't say how he was doing it. It's true that I only need one that works, but I may buy other things from time to time. And, it's a fascinating thing to experiment with.

More later.

Ron


#8

JimWilliamson

Do I want people tracking my movements? Hell no. Tracking my location? Hell no. 20 apps on my phone tracking me? Hell no. Amazon Sidewalk? Hell no. My car calling the mother ship all the time? Hell no. People reading my credit card numbers? Hell no. People scanning my license plate? Hell no.
Agree with you, though I was anticipating an additional item - facial recognition. Do I want private companies or public entities photoing me and looking me up in a facial recognition database? Hell no. (says Jim).


#9

rfrazier

Hi all,

I spent the whole day going down an RFID hacking rabbit hole. I don't have a lot of time right now for a bunch of commentary. But, I wanted to share a whole bunch of resources I've found because, well, this stuff is really cool.

For my own purposes, I've decided that I want some RFID protection for my debit cards, that I want to test it later to determine if it works, and that I'd like to do some RFID experimenting. Here are the resources I've found today. Enjoy.

Please only use this information for White Hat hacking or personal experiments.

Ron

--------------------

I have the following on order:

D-Logic µFR Nano NFC Credit Card (Visa, MasterCard.) Reader

RFID Toys: Cool Projects for Home, Office and Entertainment (ExtremeTech) 1st Edition

I may also order the Proxmark3, which seems to be the king of the hill in RFID hacking.

It also appears to be very hard to use.

These people also promote and sell RFID implants, which fall into my hell no category.




The T5577 chip is awesome! (dangerousthings)

RFID Diagnostic Card

Here's a bunch more YouTube Videos

Credit card cloning is too easy!

Testing The RFID Sleeves For Credit Cards Using A Raspberry Pi 4 And RFID Reader

MagSpoof - magnetic stripe spoofer / credit card magstripe emulator

Cloning and Emulating RFID cards with Proxmark3

Hacking your money: Cloning credit cards, stealing bitcoin and spoofing Verified by Visa
https://www.youtube.com/watch?v=zgbGuZCm2ag

Hacking High Security Cards ?? Proxmark 3 RDV2 - RFID - PROX
https://www.youtube.com/watch?v=9Px3IG9y5Zg

Hackers Are Breaking Contactless Payment Limits On Visa Cards | Forbes
https://www.youtube.com/watch?v=Xu_R4G1qDEk

How to bypass many Mifare classic based door access systems
https://www.youtube.com/watch?v=OXfUTRRl-Y8

Phantom Keys - Cloning RFID easy access to buildings
https://www.youtube.com/watch?v=CKmHb4OxE6E

[12] Cloning Credentials with the Proxmark3
https://www.youtube.com/watch?v=vfRC-ijIg6s

Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523
https://www.youtube.com/watch?v=k8rNQ3mBZQ4

Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524
https://www.youtube.com/watch?v=UAVYZvd0ACQ

Real-time RFID Cloning in the Field


#10

PHolder

I'm late to this topic, so just some random observations. First, the distances involved here are very small. Even if someone uses a high power transmitter targeted at the card, the card itself just doesn't have the means to respond back beyond a short distance. Since the card has to collect energy from an incoming signal to work, any Faraday cage type device that blocks signals should work fine. I have and use one of these wallets, and quite like it: https://secrid.com/en-us/wallets/ Different banking systems in different countries work differently, of course, but here in Canada the transactions are also limited in value (maximum is around $200Cdn here) and after too much spending, they will require the PIN. It's not perfect, but it should be enough to prevent someone going crazy. My bank offers the option to not authorize wireless transactions, so it's obviously possible. Is it possible to ask your bank to set a lower wireless transaction limit (maybe even as low as $0) for your cards?


#11

rfrazier

Hi All. I wanted to give an update here. As mentioned previously, I ordered some protective devices and a card reader from Amazon. Regardless of reviews on Amazon, I wanted to actually TEST the protective devices. Rather than standing around gas pumps looking suspicious, I ordered the card reader. I got the following from Amazon.

D-Logic µFR Nano NFC Credit Card (Visa, MasterCard.) Reader 13,56 MHz RFID + Free Software SDK and 5 Cards/key fobs - $ 69.99




Identity Stronghold - RFID Blocking Sleeves, Set of 20 (16 Credit Card Sleeves + 4 Passport Sleeves) - Passport and Credit Card Protector Sleeves - Anti RFID Identity Theft Protection - $ 9.99



TICONN RFID Blocking Cards - 4 Pack, Premium Contactless NFC Debit Credit Card Passport Protector Blocker Set for Men & Women, Smart Slim Design Perfectly fits in Wallet/Purse (4) - $ 9.99


The first item is the card reader. This device is not really for consumers and is intended for hobbyists and developers. So, I had to delve into their SDK a bit to get some software working. They specifically say that attempting credit card fraud with the product will void the warranty. But, I found a Fast Card Reader Lazarus / Free Pascal app that I was able to do some testing with.

I plugged the device into the USB port and let Windows add the drivers. A LED light on the device starts flashing slowly. I was unable to update the firmware, but it worked as is. When you bring an RFID / NFC card near the device, the LED starts flashing rapidly. I started the Fast Card Reader app and clicked "Open Reader". It found the reader without a problem.

I brought one of the provided sample RFID cards near the reader and clicked "Card Info" in the app. It printed some header information including a 4 byte ID code. I clicked "Read Card" and it produced 1 KB of gibberish. That particular card hasn't been programmed. Then, I brought one of my debit cards near the reader. I clicked "Card Info" and, again, I was able to get some header information including a 4 byte ID code. Interestingly, that seems to change each time it's read. I clicked "Read Card" and it just said wrong card type. However, I'm pretty sure a hacker with the right other program could read the credit card number based on research. I don't know what else they can get. They call it "Public Information". Maybe the expiration date and the name as well. I've NEVER considered that "Public Information". I am also pretty sure from research that a hacker with special gear could probably read a card from at least a meter away. Some of the videos I linked to above are spooky.

But, the point is that the reader was successfully talking to the debit card and reading the header.

The 2nd product I bought is credit card / debit card / RFID card / passport protection sleeves. I put the debit card in one of the sleeves and brought it near the reader. The LED did NOT flash rapidly. That's a good sign. I clicked "Card Info". The app said NO CARD. I tried this a number of times. I was never able to get any info from the card with the card in the sleeve. So, while I may do further testing, I believe that these particular protection sleeves DO work.

The 3rd product I bought is an RFID protection CARD. It's not a sleeve. It's a jammer. The theory is that the card reader's NFC field activates the jammer and that the cards you're trying to protect can't talk to the reader. I put the jammer next to my debit card and brought the pair next to the reader. The LED did NOT flash rapidly. That's a good sign. I clicked "Card Info". The app said NO CARD. I tried this a number of times with the jammer card at various distances from the debit card. It's supposed to work up to 1" away. I was never able to get any info from the debit card with the jammer card next to it. So, while I may do further testing, I believe that these particular jammer cards DO work.

I've placed a jammer card in my wallet. I haven't yet decided whether I'll use a sleeve in addition to the jammer card. My wife is using a sleeve. These have a foil lining inside. Note that if they get excessively crinkled or creased, they should be replaced.

It's possible that some restaurants, etc. may be tapping the debit cards wirelessly rather than dipping them (using the chip). It's just my preference, but I'd rather they didn't do that. So, as @PHolder suggests, I may be able to get my bank to disallow wireless transactions. I've been playing phone tag with someone at corporate headquarters but so far no luck.

Hope this info is helpful.

May your bits be stable and your interfaces be fast. :cool: Ron
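
One way to score the bench test described in post #11, as an added example that is not part of the original post or the D-Logic SDK: it requires the bare card to read reliably before a "NO CARD" result counts, flags any single read through a blocker, and classifies the ID that the poster saw changing between reads. The trial log format, condition names, function names and sample values are all constructed for illustration.

```python
"""Score RFID-blocker bench trials: bare-card control vs. shielded reads."""
from collections import defaultdict

# Constructed sample log, not real card data. Each entry is
# (condition, ID hex shown by the reader's "Card Info", or None for "NO CARD").
# "sleeve_a" and "sleeve_b" are hypothetical products.
SAMPLE_TRIALS = (
    [("bare", u) for u in ("08A1B2C3", "0819F04D", "087C22E1", "08D3005A", "0844AB90")]
    + [("sleeve_a", None)] * 10
    + [("sleeve_b", None), ("sleeve_b", "0851C7E2"), ("sleeve_b", None), ("sleeve_b", None)]
)


def uid_behaviour(uids):
    """Classify the IDs seen across repeated reads of one card."""
    distinct = {u.upper() for u in uids}
    if not distinct:
        return "no reads"
    # ISO/IEC 14443-3: a 4-byte UID starting with 0x08 is a random ID that the
    # card generates dynamically, so it is not a stable tracking handle.
    if all(len(u) == 8 and u.startswith("08") for u in distinct):
        return "random"
    if len(distinct) == 1:
        return "static"  # same ID on every read: a stable identifier
    return "changing"


def zero_hit_upper_bound(attempts, confidence=0.95):
    """Largest per-attempt read probability still consistent with 0 reads."""
    return 1.0 - (1.0 - confidence) ** (1.0 / attempts)


def score(trials, control="bare"):
    """Return a per-condition report; shielded results only count if the
    unshielded control read on every attempt in the same session."""
    by_condition = defaultdict(list)
    for condition, uid in trials:
        by_condition[condition].append(uid)

    control_reads = by_condition.get(control, [])
    control_ok = bool(control_reads) and all(control_reads)

    report = {}
    for condition, reads in by_condition.items():
        hits = [u for u in reads if u]
        entry = {"attempts": len(reads), "reads": len(hits), "uid": uid_behaviour(hits)}
        if condition == control:
            entry["verdict"] = "control ok" if control_ok else "control unreliable"
        elif not control_ok:
            entry["verdict"] = "inconclusive"  # reader or placement problem
        elif hits:
            entry["verdict"] = "leaks"  # one read is enough to fail a blocker
        else:
            entry["verdict"] = "blocked"
            entry["max_read_rate"] = round(zero_hit_upper_bound(len(reads)), 3)
        report[condition] = entry
    return report


if __name__ == "__main__":
    for condition, entry in score(SAMPLE_TRIALS).items():
        print(condition, entry)
```

Ten clean attempts still leave a 95% upper bound of roughly 26% on the per-attempt read rate, so more repetitions at varied positions and orientations tighten the result.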


#12

Tazz

Ridge Wallet - https://ridgewallet.ca/

When you started this thread I couldn't remember the name. A few of the YouTubers that I watch have them as sponsors now and then.
Seems legit.


#13

Ralph

I bought and have been using a Ridge wallet. I haven't actually tested it yet, but if I remember I will give it a test at work. What I did try a while back is a Faraday cage pouch called 'Black Hole'. It has what appears to be a fine silver mesh on the inside for the actual shielding. I did run some tests on the pouch using a cell phone. It appeared to block incoming phone calls, but when a text message was sent to the shielded phone after an unusually long delay the message was received. I was driving during the tests, so I assume along the way I got close enough to a cell tower for some signal to leak in. I believe RFID scanners use far less power, and since the card gets its power from 'outside' the pouch should shield cards- but I haven't checked that.

While the cell phone tests using the pouch (bought on Amazon) did not completely block cell signals it would probably block RFID type cards, although this pouch is too large for carrying your credit cards around for daily use. When I first bought the Ridge wallet I wasn't sure about the elastic that keeps the two plates together to hold the cards in place, but so far it has held up quite well. Working from home I haven't had many chances to test the Ridge with the security cards at work, but I suspect it will work well. There are two side plates made of aluminum (if I am not mistaken), and I opted for the titanium finish which puts a second metal plate screwed into the aluminum plates.

Has anyone tried making a card shield by making a pouch out of heavy aluminum foil, or better yet copper or silver foil?


#14

PHolder

Has anyone tried making a card shield by making a pouch out of heavy aluminum foil
My RFID enabled drivers license with "passport feature" came from the government in an aluminized envelope sized to just fit the DL. (It still fits in a wallet mostly like it wasn't in an envelope.) Unfortunately the government changed and the new government decided not enough people were using these "passport in a car" features, so when I renew my license I won't have the option to stick with one I can use in a car at the border.

In any case, I presume the government must have tested prior to deciding to provide them, but I have not. They're similar to these ones (I can't find them available on the Amazon US site but Amazon Canada lists them for a reasonable price https://www.amazon.ca/BQLZR-Credit-Blocking-WaterProof-Protector/dp/B00RMCHPZC/ )


#15



tits_are_a_type_of_bird

If the NFC/RFID chip is a separate chip from the real (EMV) chip, a drill bit would put all concerns to rest..

Edit:
What's inside a credit card - Hacker's ramblings (hqcodeshop.fi)

Maybe not a drill, but a scissor and cut off a corner of the card...


#16

Intuit

I thought the foil had to be grounded for it to really work and was skeptical when the local news said to simply wrap them in foil. The tin foil hats actually do work. Wrapped in foil, the car wouldn't unlock when walking up to it and pressing a button had no impact. I ordered faraday pouches to replace the foil.
People were using remote relay attacks to engage in acts of petty-theft.


#17

danlock

I thought the foil had to be grounded for it to really work and was skeptical when the local news said to simply wrap them in foil. The tin foil hats actually do work. Wrapped in foil, the car wouldn't unlock when walking up to it and pressing a button had no impact. I ordered faraday pouches to replace the foil.
Nifty. ...but for the "hats" were you using Tin foil (element Sn, atomic number 50 / atomic mass 118.71u / Empirical atomic radius 145pm / density 7.287g per cubic cm / melts at 231.93 °C.) or Aluminium foil (element Al, atomic number 13 / atomic mass 26.981538u / Empirical atomic radius 125pm / density 2.70 g per cubic cm / melts at 660.323 °C.)?

...and did the Faraday Bags work?


#18

squirrel

RFID cards use a coil of wire sandwiched inside the plastic. The chip uses this coil to power it. For those never wanting to use the card as handsfree payment method all you have to do is to drill a few holes along the length of the card. Just one break in the wire and job done. To test your efforts, first buy something really cheap and pay using handsfree. Go home, drill away, then try to pay hands free once again. If the payment doesn’t go through job done.

My main concern is the magnetic strip which allows the card to be skimmed. An unscrupulous waiter, or hotelier, can take your card, skim it in a second and hand it back. So I take my trusty angle grinder and grind off the magnetic strip. Removing this strip stops the card from being used in ATMs, the machine spits it out immediately- horrifying that it doesn’t use the chip, even though the data is unencrypted. This feature of no magnetic strip I think is a very good thing indeed.

I got an RFID door lock which I use as a night latch. My commercially made anti RFID bum bag does prevent my card from working and it also stops my credit cards from working in shops, so that gives me confidence in stopping people from skimming my cards in my wallet.

But my place of work has RFID door locks. These professional door locks use a different frequency and I found that my bum bag didn’t stop the door card from working. So I made my own screens. By experiment I found that 5 layers of aluminium cooking foil, superglue between each layer, sandwiched between that sticky heat melt plastic covering that all offices have works a treat against the professional door locks. You need to make two of these foil shields and put your cards in between them both. Also you need to make the foil half an inch wider than the credit cards all round, so you need a larger than the average sized wallet to put these larger shields and your stack of cards into it.


#19

Intuit

@danlock - hehe, I did forget to put "aluminum" in front of foil... and capitalize the first letter of the "Faraday" proper noun. Yes the pouch works quite well with the car remote.

A really fun site for comparing elements BTW...

EDIT:
Went offsite for Critical Temp...
(-453℉)
(8720 - 15,380℉)

...I think I see why they didn't graph that. 😉


#20

Intuit

IIRC my payment card is a couple of years old and doesn't have RFID. It does have a chip along with the strip. Many payment machines try to force the use of the chip and require two or three failures before reverting back to swipe. After my wallet got damp riding the motorcycle, I spent the next week having to periodically scrape off the (lightly oxidized) contacts using a key before it would read. Was about to request a new card until the rejects suddenly quit occurring.


#21

danlock

@danlock - hehe, I did forget to put "aluminum" in front of foil... and capitalize the first letter of the "Faraday" proper noun. Yes the pouch works quite well with the car remote.

A really fun site for comparing elements BTW...

EDIT:
Went offsite for Critical Temp...
(-453℉)
(8720 - 15,380℉)

...I think I see why they didn't graph that. 😉
Yeah. I know I'm continuing this OT discussion of metals, but I neglected to include that Aluminum is the most common metal in the earth's crust (uh... what about silicon? It must be because Al occurs in so many different molecules, though it was once obtained via electrolysis of cryolite (Potassium Aluminum Sulfate), a method which isn't as cost-effective as some others these days, and Sn is usually (?) found in cassiterite (Tin dioxide).




My most-recent card has chip, swipe, and near-field methods present, and it's a few years old. There are too many places where the swipe is required because either 1. the "dip" (stick it in the bottom front, wait, remove when told) method is not working or 2. I'm using a gift card which has only magnetic strip or manual entry of digits. I guess that "new" card also can be used by manually entering the digits, giving it four methods of operation.


#22

SeanBZA

The only places by me that still use magstripe are the post office, and toll roads. For toll roads though I will rather pay by cash, as the chances of the card being cloned there are way too high, and this fraud is common. Post office because they still use XP, and the POS system is stuck being unable to handle NFC or chip, despite the terminals often being newer types that will support this, but the back end only is looking for magstripe data.

Aluminium as a shield is good, though you really need more than 1mm of thickness, to get the attenuation down enough that the card cannot harvest enough power to operate, and also attenuate the return signal to the reader. I just used some copper plate that was 1mm thick, on both sides of the card carry spot, to provide a shield, and so far just tapping the cards in the wallet on the reader has proved useless, as it has never read or even detected a card being present. Just cut the copper sheet to the same dimensions as a card, and used them in place of the top and bottom card.

As to manual card number entry, that likely only is used for on phone ordering, where you speak the card number to the store, who enter it, along with the CVV, as a card not present transaction, though that is becoming very rare due to all the on line order apps now having the card number stored in them, and doing a direct debit off your account, so the store does not get the number, only a confirmed paid order with the order and delivery address, and the driver will collect it in x minutes.


#23

CredulousDane

As I read along this thread I started wondering if my wallet was with RFID protection so began searching for answers.

Here in Denmark we have a credit card sized travel card to use in public transportation and I've often wondered WHY it won't work when putting my wallet up to the check-in/out devices.

So this is why - the wallet has RFID protection.

You could - if you have other cards with RFID - test those instead of flashing your credit cards.

As for finding out at home I don't really have any suggestions other than maybe borrowing an Android device from a friend, I mean, many people have saved their 'older' phones (which probably aren't old - just not the newest one) - and it's rare that a mobile phone is used until it doesn't work at all anymore ;)