Friday, November 21, 2008

Improvised RFID Blocking Wallets: Preventing PayPass Skimming

Many credit card users do not realize that they have PayPass-enabled RFID credit cards in addition to the new RFID-enabled US passports. These RFID-enabled devices are easily read at distances compatible with casual contact in a crowded environment such as a subway or an airport, and various data can be gathered from them (US passports require key data to decrypt the data stream). More and more people carry fob-based RFID PayPass tokens or have PayPass cards, making the wireless exposure of their card data far more likely.

How can we combat this? The good news is that commercial RFID-blocking wallets are available, and various people have created their own versions, such as the duct tape and tin foil wallet. The resourceful traveler can easily replicate their functionality on an ad-hoc basis too. We have tested with a number of common objects, such as the cookie bag and tinfoil above, which worked quite nicely for our 13.56 MHz test tags.

As you would expect, common food packaging is an improvised RFID-blocking material that is very easy to obtain. We have not tested 125 kHz tags, so your mileage may vary if you are attempting to block RFID tags using that frequency.

Our testing was conducted using a commercially available Omnikey Cardman 5321, a USB-connected RFID reader, and Adam Laurie's RFIDIOt package. Longer ranges are possible using custom antennas and readers, with some testing on these passive tags being done at up to 30 feet by NIST - a result that worries the ACLU.

Check your wallet - you may have a PayPass-enabled card without realizing that you do. To check, simply check the back of your wallet for the PayPass logo. In addition, many cards have a chip logo on the front, making them easily identifiable.
