Prevent Electronic Pickpocketing: Security Measures for RFID and NFC Credit Cards
Near-field communication cards (NFC) and radio frequency identification (RFID) tags are now embedded in many of our everyday items, including credit cards, debit cards, driver’s licenses, ID cards, passports, subway fare cards and more. NFC and RFID chips are also used in pharmacies, tracking, shipping and toll gates. NFC and RFID are used for automatic identification and tracking, using wireless radio signals to transfer data.
These technologies allow people to use their cards by scanning them rather than swiping, since RFID and NFC work even without contact. But RFID and NFC have also introduced a whole new set of vulnerabilities, that without proper security measures, make it easier for thieves to steal valuable information. NFC and RFID have had some unexpected security loopholes ever since they were first introduced in the market, so there are a lot of concerns regarding how easy it might be to hack the signals from these cards and use it to steal information as well as to clone cards.
Electronic pickpocketing, or e-pickpocketing, is a new term coined for stealing information from a card without even touching it. Because RFID signals work wirelessly and can be read even when they are out of sight, the information can be lifted by somebody from a few feet away using a portable scanner. Because the information is lifted electronically, cards that have been cloned are seen by the reader as identical. Contactless RFID readers that can pull information from a credit card 1 to 3 inches away can easily be purchased on eBay for around $50 while long range readers can be built for as little as $100. Information retrieved from RFID chips can be used to commit identity theft or to make purchases. They also pose a risk to corporate and military security as well as personal location privacy.
Because of e-pickpocketing, researchers are coming up with new security features to keep RFID cards safer. Let’s look at some of the innovative ways they have come up with.
If you are inclined to do-it-yourself (DIY) solutions, you can use either of the two kinds of materials that can impede radio signals: water and metal. Theoretically, water effectively blocks radio signal, but in reality this is tricky to implement. Metal is so much easier, since something like aluminum foil is readily available and cheap to buy. An aluminum foil at least 27 microns is enough to block RFID and NFC signals. To protect a card from being read, simply wrap the card in aluminum foil. Just take it out of the aluminum foil before using. This method might earn you a few weird looks but it is pretty effective.
RFID Protection Sleeves and Blocking Wallet
For a more stylish option, you can also purchase ready-made protection sleeves and wallets that block RFID signals. Companies such as Identity Stronghold sell various accessories that can protect cards from e-pickpocketing. The US government now requires similar protection sleeves for most of the ID cards used by government employees.
Cryptography can be used to prevent cloning of RFID and NFC tags. A one-time code or a rolling code that changes after each scan can be used to prevent eavesdroppers from recording transactions and replaying them. When the one-time use code is stolen, it cannot be reused.
For more sophisticated devices, challenge-response authentication can also be used in cases where the tag interacts with the reader. In this kind of authentication, the reader gives a challenge to the tag, which answers with a secret encrypted value that can be based on symmetric or public key cryptography. The information is not sent over the insecure communication channel between reader and tag if using this protocol.
Credit Card Switch
In Pittsburgh Swanson School of Engineering, researchers have devised a way to stop RFID snooping by using a credit card switch that turns the card on or off when holding a part of the card while it is read.
Professor Marlin Mickle, Professor of Engineering and executive director of the RFID Center for Excellence in the Swanson School, said the new technology “enables the RFID or NFC credit card to be disabled if left in a pocket or lying on a surface and [makes it] unreadable by thieves using portable scanners.” The card is impossible to read unless someone turns it on.
“Our new design integrates an antenna and other electrical circuitry that can be interrupted by a simple switch, like turning off the lights in the home or office,” said Mickle. “The RFID or NFC credit card is disabled if left in a pocket or lying on a surface and unreadable by thieves using portable scanners. This solution is simple and very inexpensive to integrate into the RFID and NFC credit card manufacturing process. We have filed a patent application and hope to see the technology quickly adopted, once approved.”