Back in January, I wrote one of my most popular posts ever: “Why you don’t need an RFID-blocking wallet.” As the title suggests, I argued that it’s a waste of money to buy a wallet with special shielding to protect your chipped credit card from RFID scanners wielded by street criminals seeking to snatch your credit card number.
Since then, in true internet tradition, I’ve been called an idiot by dozens of people and received emails from RFID vendors saying I’m a disgrace—the latter begging me to tell people they also need a Faraday bag for their cellphones. (Tip: If you don’t want anyone tracking you via GPS, turn off your cellphone’s GPS feature.) I’ve also been emailed by people who are 100 percent sure, without any real evidence, that they were the victims of RFID-scanning criminals.
Part of the confusion stems from the fact that many, if not most, people now have chip-and-pin cards—you can see the shiny chip right on the card, which you stick into a card reader (instead of sliding the card through). People assume chip-and-pin cards are vulnerable to scanning, but they’re not: the chip is only read through physical contact with the reader. RFID cards are contactless—and very likely you don’t have one.
Every story about the risks of RFID scanners features a white hat hacker showing it can be done, but not a shred of evidence has emerged that bad guys are sitting on popular corners wirelessly stealing credit card numbers.
I still haven’t heard of a single case of real-life RFID scanning criminality. Even the wallet vendors’ websites have no verifiable links or testimonies from actual victims. To be honest, at this point, I’m surprised an RFID-protection vendor hasn’t paid a criminal to get caught, so they could point to a real-life story.
Plenty of “believers” have told me it’s obvious why the real RFID scanning criminals haven’t been caught yet—it’s a wireless crime. In their world, it’s impossible to catch wireless criminals. Never mind that we’ve been successfully tracking criminals wirelessly and prosecuting them for decades. If there were a huge contingent of RFID criminals, we would eventually catch some, and it would be such big news that it would spread like wildfire across the internet.
If someone stole a credit card number using an RFID scanner, created a counterfeit card, and got busted, as part of the plea agreement the accused would reveal exactly how the crime had been committed. This plea would have details about the scanner, the victims, and how much money had been stolen. That’s how our justice system works. Where are those stories?
Even the popular debunking website Snopes.com has commented on RFID crime, giving it a “Mixture” truth rating. Why “Mixture”? Because it can’t find any real evidence RFID theft is occurring, although it debunks at least one news source that claimed to show a real RFID criminal.
Make no mistake—criminals who want to make money know about this supposedly easy crime. Hacker researchers have been writing about the risks since RFID-enabled items first came out. Here’s an article from industry luminary Bruce Schneier from 2006.
Not cost-efficient
Given all this, you might be surprised to learn I think that RFID-scanning criminals do exist. There are nearly 100 videos on the internet from all over the world showing good guy hackers demonstrating how it can be done. It’s a potential risk. But because the real-life occurrence is so rare, it’s a small risk.
Why? Because it’s not cost-efficient. Real-life criminals steal credit card numbers all the time, but they don’t sit on corners for hours hoping to catch a few dozen card numbers. They steal hundreds of thousands of cards and resell them for cheap to anyone who wants to buy them. In 10 minutes, any criminal with enough smarts to even know what RFID scanning is can spend $100 to buy 1,000 credit card numbers off the internet from any number of illegal dealers, with far less risk of being captured on a security camera.
Focus on real threats
I have no problem with someone buying an RFID-protecting wallet or a Faraday bag for a cellphone or car keys. We all make our own risk and buying decisions on a daily basis. I’m just saying that for most people it doesn’t make much sense.
We’re each hit by a myriad of risks every day. In the computer world alone, we get introduced to somewhere around 13 to 16 new individual security vulnerabilities every day, year after year. They never stop coming.
A prudent person looks at the various risks, weighs the likelihood and potential damage of each of them against the other, and picks those to spend time and money on.
I use the example of people who visit me in Key Largo: Almost all of my visitors worry about potential shark attacks when we go snorkeling and diving. Some are so terrified they won’t get in the water. I tell them there has never been a documented, unprovoked shark attack in the history of Key Largo (at least since the 1800s, if not earlier). The risk of shark attacks worldwide is something like one in 1 million (70 to 100 deaths among hundreds of millions of potential encounters). But the odds that those same people might be killed by driving their car to my house are about 1 in 12,300. As humans, we are terrible at ranking risks, even when told the true odds.
Where I was wrong
I have one update to the original post: I said most of the credit cards in the world don’t have RFID in them. That’s still true. But in some countries, like Canada and Poland, RFID-enabled credit cards are the norm. Even in those countries, I can’t find reports of real RFID-scanning criminals.
Of course, cases of RFID-scanning criminals caught by police may simply have not made it to the web yet—but you’d think that the dozens of vendors selling RFID-protecting wallets and purses would be linking to those stories like crazy. Guess what? They haven’t.
Still, if I haven’t convinced you, go ahead and buy that RFID-protecting wallet. It’s your money and your risk decision. Me, I’ll wait until I hear that RFID crime is on the rise—or better yet, until I have an RFID-enabled credit card. Friends who have shown me their RFID wallets did so because their new credit cards came with a chip, which they assumed was RFID in nature. It wasn’t. They were carrying the regular, nonwireless, chip-and-pin cards.