Because I’m a computer security guy, I have friends who like to show off their new RFID-blocking wallets and purses. "Look what I got for Christmas!" they say. My lack of response should be telling, but they don’t seem to pick up on it.
They've seen the TV ads about malicious hackers who can “stand on any street corner” and wirelessly steal their credit card and other identity information. I've seen similar demonstrations at Black Hat and other computer security conferences for nearly a decade now. They never fail to wow the audience.
An entire, multi-billion-dollar RFID-blocking industry has emerged. You can get RFID blocking for almost any object you own. Some of my friends have so much faith in RFID-blocking products that they buy expensive, customized purses and wallets. These are the same people who drive extra miles to save a few cents on gas.
It goes to show that humans don’t evaluate risk very well.
The RFID fallacy
RFID technologies have been around for a long time, and they're now included in more and more items. Yes, your RFID products can possibly be read from a distance. Yes, a hacker might be able to read your credit card information remotely as you pass by. But before you buy an RFID-blocking product, ask yourself if you're worrying about the right things.
First and foremost, does your credit card actually have an RFID transmitter? The vast majority does not. Have you ever been told you can hold up your credit card to a wireless payment terminal, and without inserting your card, pay for something? For most of my friends, and the world in general, the answer is no.
Most RFID-enabled credit cards are heavily marketed as capable of being used wirelessly. They have names that imply wireless payment: PayPass, Blink, PayWave, Express Pay, and so on. Usually they bear a little RFID/contactless payment logo.
Hint: The new little golden metallic square on your new credit card does not indicate RFID. Also, many new contactless payment cards will have chip-and-PIN protection -- or will use the chip to securely protect even RFID communications.
If you look at the number of credit cards with RFID, you can’t even represent it statistically. It’s not 0 percent, but it’s so far below 1 percent that it might as well be 0 percent. Part of the problem is that every major credit card vendor came out with its own version, so vendors and merchants had to physically support the same standards. Most people don’t want to have to figure out which vendors support which wireless cards and go get that specific card type.
On top of that, most of the world is going to wireless payments using your mobile device. Apple Pay had more users and adopters in its first day in the market than all active users of RFID credit card products combined. Apple Pay works with every credit card you have, as long as your vendor supports Apple Pay. Did I mention that Apple Pay is far more secure in almost every way?
RFID cards are coming with chip-and-PIN protections, and the lessons learned from Apple Pay (and other mobile phone wireless payment solutions) are migrating to credit cards. The days when a bad guy can sit on a corner and sniff your credit card information out of thin air are numbered.
Entertainment for the paranoid
But did that bad guy ever sit on the corner in the first place? Sure, I’ve seen the demos, but I’ve yet to hear of one criminal who was caught using an RFID sniffer or who admitted to stealing credit card info wirelessly. We know about all sorts of cyber crime. Why not the theft of RFID credit card information if the risk is so high?
Here's why: It would be a lousy use of a criminal mastermind’s time. Today’s smart criminals break into websites and steal hundreds of thousands to tens of millions of credit cards at a time. Why would a criminal go to the effort and expense of stealing credit card info one card at a time when you can steal a million in one shot?
If a criminal wants a credit card or even your specific credit card, he or she can buy it for a few bucks from several places on the Internet. In fact, it's significantly cheaper than buying all the necessary RFID attack equipment and sitting in a public square (which is likely to have one or more security cameras trained on it these days).
Still worried? If you actually have an RFID-enabled credit card, it turns out aluminum foil does the same job, if not better, than an expensive RFID-blocking sleeve. I know I’m going to get email from RFID-blocking vendors saying their products protect better than aluminum foil. No doubt that's true in some cases.
But if you're worried about that, you should also be wrapping your car keys in aluminum foil. Now we're in the paranoid zone. I’ve heard from readers who have -- I’m not making this up -- removed every electronic product in their house due to hacking fears. They’ve sold their new cars with embedded computers and gone back to older models without any. I can’t tell if I’m dealing with regular paranoid people or true paranoid schizophrenics.
If you have a credit card, there’s a huge risk it will be hacked, but not by a guy sitting on a corner sniffing for your card as you walk by. The former is a fact of life. In the latter case, you might have a better chance of winning the lottery.