Does your credit card need a tinfoil hat to keep it safe on the train?

Do you travel on the London Underground? The Boston Subway? The Paris Metro? Oxford buses? The San Francisco BART? Sydney Trains? Tokyo’s Yurikamome Line?

Perhaps you’re crushed up against other passengers right now on your morning commute as you read this very article on your mobile phone?

Perhaps you’re waiting for a flight, after rushing through a crowded airport to get to your departure gate in time?

If so, I bet you’ve worried that having a wireless debit card could lead to you being digitally pickpocketed.

Or that having an RFID-enabled passport could lead to your passport details being sniffed out while your documents are safely stashed in your backpack or bumbag.

I tried various freely-available Play Store apps on an Android phone, and I could reliably retrieve the following data from a passport and a debit card, all done wirelessly via NFC:

  • Debit Card: Long card number, Expiry date.
  • Passport: Surname, Given name, Nationality, Gender, Date of birth, Picture, Passport number, Date of expiry.

Be careful if you try this at home. Even if a Play Store app is open source, reviewing the source code to make certain that it doesn’t save or send out your data inapproriately – whether by accident or design – is not easy. I used a test phone that I kept offline while reading the data; I wiped the phone afterwards; and I used expired passports and cards (with the owners’ permision, of course).

Being in the IT security industry, I find I naturally gravitate towards assuming the worst – even if some people call me paranoid or a fan of tinfoil hats.

So, when I got drawn into a recent pub conversation about the necessity of RFID signal-jammers for your wallet – tinfoil hats for your credit cards, in other words – my interest was aroused.

Initially, I scoffed at the idea, having seen a friend try to use an RFID blocking wallet on a wireless building pass, and fail.

But hearing this punter in the local pub insisting that that RFID blocking wallets were not just a good idea but a necessity, I decided to investigate further. Being a stubborn individual with a determination to prove my pub acquaintance wrong, my mission was clear…  

…I set about buying various RFID blockers – three different sorts – and started to test.

Technology 1: RFID blocking credit card case (brand: Kinzd)

Technology 2: RFID/NFC blocking card (brand: Attenuo)

Technology 3: RFID blocking sleeve (brand: Tenn Well)

The first two of these products are the size of a payment card – only the last one came in a passport-sized sleeve as well – but you’ll be glad to know that the data on your passport isn’t easy to read without you realising it.

Passports use RFID Basic Access Control (BAC) protection to protect passport data. This protection is weaker than using a password (as you do to to log into your laptop or mobile phone, for example), but means that you can’t read digital data from the passport’s chip without first having some data specific to the document.

Only if you provide passport number, expiry date and date of birth up front can you negotiate a BAC session, which then encrypts data travelling between reader and passport.

Loosely speaking, this means that anyone who wants to read the chip on your passport needs to open it at the picture page first, so they can’t just wander through the airport reading off passports that are inside bags, wallets, suitcases and so on.

This protection works because you don’t need to produce your passport very often, and when you do, it’s usually so that an official can scrutinise it physically and digitally at the same time.

Debit and credit cards with contactless payment chips don’t need any sort of authenticated setup before agreeing to pass across information.

The Tube test

How bad could this be?

On a crowded Tube (London Undergound) train, could a malicious individual gather your credit card details through your trousers and wallet whilst holding their phone nearby? 

My tests say, “Yes.”

An NFC-enabled mobile phone can accurately scan and record the long card number and expiry date of a debit card that’s stashed in your pocket.

You have to get the phone really close up – but how often do you bump into or brush up against your fellow travellers on busy trains and buses?

So how does this test fare when using the three RFID blocking technologies listed above? 

The good news is that in my (admittedly unscientific) experiments, all three blockers prevented my mobile phone from reading the cards, no matter how close I got, and no matter how creepily inappropriately my antics would have been if I were trying to read data from strangers’ pockets on public transport.

Even when I rubbed the card and the phone right up against each other, I couldn’t read anything off the card.

The technicalities

So why is it that my friend’s building pass wasn’t shielded by his RFID blocking wallet? 

RFID, short for Radio Frequency Identification, works at a range of different radio frequencies: low, at around 125kHz; high, at 13.56MHz; and ultra-high, at around 900MHz.

NFC, short for Near-field Communication, is a subset of RFID intended for close-up use, and NFC chips use the high-frequency band at 13.56MHz.

RFID readers emit just enough electromagentic energy to induce enough current in the antenna of an RFID or NFC tag (your passport or credit card, for instance) so that the chip can power up, perform calculations and send data.

The antenna thus serves as a medium not only only for transmitting data, but also for transferring power – Nikolai Tesla style.

Many RFID door locks are low-frequency systems running at a higher power, so they’re harder to block with lightweight blocking devices: the low frequency means a longer radio wavelength, which generally means better penetration.

So communication blockers aimed at credit cards and passwords won’t always work to shield building passes, door locks and other low-frequency RFID kit.

What to look for

In case you’re wondering if you do indeed have an RFID enabled passport, check for this symbol. If it’s on your passport then your passport is chip-equipped:

On an NFC-enabled pament card card, you’ll see this symbol:

What to do?

As far as I can tell, rogue NFC transactions initiated by strangers on the train are very rare, so the risk can be considered minuscule – but such attacks are nevertheless technically possible, as a quick test with a mobile phone should convince you.

To my pleasant surprise, all the shielding devices I tried – as well as the homemade approach of using tinfoil, by the way! – seemed to work, at least in my basic, unscientific tests.

However, proving a positive – “can my phone read my credit card through my jeans pocket?” – is easy; proving a negative – “will this RFID wallet always shield my credit card” – is much harder.

So, by all means use an RFID wallet shield – I do, so that guy in the pub won in the end – but don’t stop checking your statements for rogue transactions.

After all, RFID isn’t the only way for your account to get hacked…