In a cash-free economy, contactless scanning is the key to fast, streamlined transactions. For many, however, the increasing prevalence of non-physical payment methods raises new security concerns. Could criminals use their own card readers to steal your identity and empty your bank account?
Feb 09, 2021 · 4 min read
RFID blocking products promise a solution to these problems, with wallets and passport covers that limit RFID scanning, but it’s worth taking a closer look at how effective the technology really is. What is RFID blocking, and do you need it to stay safe?
RFID stands for ‘radio frequency identification’. Credit cards and passports use RFID technology to allow machines to scan them from a short distance. It's this system that facilitates contactless payment and that some worry could be vulnerable to criminal manipulation.
Some users worry that a bad actor standing nearby could surreptitiously access their card's RFID function. In so-called “skimming” attacks, a thief can theoretically withdraw money from the victim’s account as they walk by in the street or wait in a store line.
Another risk is that of identity theft, a crime that can haunt victims for years after their details are initially stolen. Could a silent attacker scan your passport or credit card for sensitive information and then impersonate you online? Companies selling RFID products claim to have the solution.
RFID blocking materials can effectively prevent the scanning function on a card or passport, and the range of products that boast this feature is steadily growing.
Everything from wallets to waterproof fanny packs now support RFID blocking capabilities. A layer of carbon fibre or aluminium can protect you from contactless attacks, and that’s a key selling point for some items.
You don't have to invest in a designer handbag with integrated aluminium sheeting, of course. Studies suggest that a thick layer of tinfoil from your kitchen will be effective too. But whether you’re buying an RFID blocker or making your own, the question remains: do you actually need it?
You might have seen reports claiming that “contactless crime” can result in huge financial losses, and that's absolutely true. The problem is, the studies used to support these claims don't make a compelling case for RFID blocking specifically.
If a victim loses money in a “contactless-related” event, it's almost always because their card was physically stolen from them. Even if that happens, the damage rarely escalates because purchases made with contactless cards are capped at a relatively low sum.
Data from both Action Fraud and UK Finance suggests that the threat currently posed by skimming attacks is minimal. In a 2018 report, UK Finance found no record of any contactless theft occurring that year while a card was still in the possession of its owner.
The technology and techniques used by criminals are always evolving, but for now there’s little evidence that skimming is an imminent threat.
Anxiety around identity theft is understandable. The idea that an attacker could scan nearby credit cards for sensitive information seems plausible. If your card numbers or passport details get into the wrong hands, it can be impossible to undo the damage.
That's a valid concern, but in most cases it's not one that RFID blocking will help with, at least for the time being. While it’s worth regularly reassessing threat levels, neither your passport nor your credit card are particularly vulnerable to contactless interference.
For card users, there are four key reasons why this kind of attack is unlikely:
It's a similar story for passports. The information available via RFID is completely encrypted; manufacturers know how sensitive it is. In the majority of cases, the data is accessible only to the kind of verified scanners you'll encounter at airports and other official checkpoints.
If you still have any doubts, there's one more thing you should know. Most passports issued in the last decade already contain layers of RFID blocking material. Adding further physical protection won’t do much for security; the real threats are online.
Today's criminals know that if they want to extract money and sensitive data from their victims, they don't need to do it in person. From the social engineering of a phishing email to the insidious probing of an extortion kit, there are plenty of reasons to be concerned.
You need a different kind of protection, one that actually responds to the challenges you face. NordVPN provides powerful encryption, strengthening security and enhancing personal privacy.
Instead of covering your credit card in tinfoil, NordVPN can wrap your browsing activity in layers of secure encryption.