
RFID skimming is a method to unlawfully obtain someone's payment card information using an RFID reading device.


How RFID skimming is performed

Modern payment cards have a built-in chip that transmits the card's information wirelessly. This is necessary to enable contactless payments, which have become increasingly popular in recent years. Criminals can take advantage of this new technology by using a scanner that wirelessly scans the victim's payment card in the same way that a cash register scans it when making a contactless payment. These scanners are legal and can be bought in regular electronics stores. Most modern mobile phones running Android OS have a built-in NFC reader that can be used to unlawfully scan contactless payment cards. A criminal can hide the scanner, e.g. inside a glove or a bag, and then place it close to the victim and wirelessly steal the victim's payment card information. The criminal can then use the wirelessly obtained payment card information to make fraudulent purchases online. This is called card-not-present fraud. Methods similar to RFID payment card skimming may also be used for copying other RFID-based proximity cards, such as those used for keycard locks. 125 kHz RFID and other systems relying on a unique identifier number (UID) are vulnerable to this.
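Why a UID-only system can be copied, as an added example that is not part of the original article: a reader that checks only a static UID accepts any copy of that number, while a reader that issues a fresh challenge rejects a previously captured answer. The challenge-response design, the class names, the sample UID and the use of HMAC-SHA256 are assumptions made for illustration and do not describe any particular card product.

```python
import hashlib
import hmac
import secrets


class UidOnlyReader:
    """Lock controller that trusts whatever UID a tag transmits."""
    def __init__(self, enrolled_uids):
        self.enrolled = set(enrolled_uids)

    def admit(self, presented_uid: bytes) -> bool:
        # A static UID is the whole credential: any copy of it is accepted.
        return presented_uid in self.enrolled


class KeyedCard:
    """Hypothetical card whose secret key never leaves the chip."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeResponseReader:
    """Reader that sends a fresh random challenge for every attempt."""
    def __init__(self, keys_by_uid):
        self.keys = dict(keys_by_uid)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def admit(self, uid: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def compare_designs():
    uid, key = bytes.fromhex("04a1b2c3"), secrets.token_bytes(16)  # constructed
    card = KeyedCard(uid, key)
    copied_uid_ok = UidOnlyReader([uid]).admit(bytes(uid))  # a copy of the UID
    reader = ChallengeResponseReader({uid: key})
    c1 = reader.new_challenge()
    r1 = card.respond(c1)
    genuine_ok = reader.admit(uid, c1, r1)
    replay_ok = reader.admit(uid, reader.new_challenge(), r1)  # stale answer
    return copied_uid_ok, genuine_ok, replay_ok
```

`compare_designs()` returns whether the copied UID, the genuine card and a replayed response were each admitted.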


Incidence

Card-not-present fraud increased rapidly between 2012 and 2016. In the United Kingdom, card-not-present fraud rose from 750,200 reported cases in 2012 to 1,437,832 reported cases in 2016. However, there are no statistics available regarding RFID skimming, as it is difficult to determine the method of card fraud.


RFID skimming compared to other types of skimming

In contrast to other types of skimming such as ATM skimming or hacking an online merchant's web page, RFID skimming requires little or no technical expertise. In order to execute ATM skimming, the criminal needs to custom build a device, then place that device inside an ATM and later pick up the device after the victims have used it. Hacking online merchants' web pages requires substantial computer knowledge.


Myths

A common myth that is often mentioned by card issuers is that a criminal can only steal the maximum amount that is allowed for contactless purchases. This sum is usually between US$30–50 and is different for each country. This has been proven wrong in a test by British consumer magazine Which?. In the test they successfully used wirelessly obtained payment card information to make an online purchase of over .


Methods for preventing RFID skimming


Metal foil

Shielding is possible by wrapping the payment card in aluminium foil. However, aluminium foil tends to wear out quickly. Informal tests found that the shielding was not 100% effective, though it did greatly reduce the maximum range for reading, from about to .


Permanent disabling of RFID functionality

RFID functionality can be disabled permanently by cutting internal wires; the use of a microwave oven has also been reported successful, according to informal reports. Cutting requires locating the internal wires, followed by cutting, drilling, or heating. Methods that visibly damage the card may lead to it being rejected as a payment method when presented to a retailer in the normal way.


RFID Blocking materials

There are RFID-blocking wallets, purses, sleeves, and cards. Wallets, purses, and sleeves work by acting as a Faraday cage, which creates a screen around contactless cards and stops electromagnetic fields from interacting with the cards.


RFID Blocking/Scrambling Cards

An RFID blocking card is an RFID-blocking device that operates without a battery: it receives the RFID signal from a card reader/skimmer and scrambles it, making it unreadable by any device. Whereas most RFID wallets try to stop the electromagnetic fields from interacting with RFID cards, RFID blocking cards use 'Active Jamming Technology' to interrupt the communication.

