RFID sleeves

I think the universal opinion is: "This is a really good way to make money scaring people by solving nonexistent problems."

https://en.m.wikipedia.org/wiki/Wireless_identity_theft

For a dollar on eBay, I can buy ten RFID sleeves for my passport and credit cards. At the very least, they give me a sense of security and keeps them from getting dirty.

We signed up for Global Entry and our card came with one. It is a little different (thicker than the ones I have for credit cards. So, I guess Customs think they are needed.

https://travel.state.gov/content/passports/en/passports/FAQs.html#ePassport

FAQ: Will someone be able to read or access the information on the chip without my knowledge (also known as skimming or eavesdropping)?
State Dept Answer:

We have taken a number of steps prevent criminals from “skimming” data
from the chip, “eavesdropping” on communications between the chip and
reader, “tracking” passport holders, and “cloning” the passport chip.

Skimming is the act of obtaining data from an unknowing end user who
is not willingly submitting the information at that time.
Eavesdropping is the interception of information as it moves
electronically between the chip and the chip reader.

“Skimming.” We use an embedded metallic element in our passports. One
of the simplest measures for preventing unauthorized reading of
e-passports is to add RF blocking material to the cover of an
e-passport. A passport has to be physically opened before it can be
read. It is a simple and effective method for reducing the opportunity
for unauthorized reading of the passport.

“Skimming and Eavesdropping.” We have adopted Basic Access Control
(BAC) to minimize the risk of “skimming” and “eavesdropping.” A chip
that is protected by the BAC mechanism denies access to its contents
unless the inspection system can prove that it is authorized to access
the chip. “Tracking.” The chip in the e-passport uses a randomized
Unique Identifier (UID) to reduce the risk of the document bearer
being tracked.

“Cloning.” Cloning involves removing an e-passport’s chip and
replacing it with the chip from another passport. The simplest way to
counter this threat is to make sure that the chip data matches the
information on the e-passports data-page.

I think it's a waste, but that's just my opinion. None of my credit or debit cards have RFID anyway.

It's neat to know that a passport can't be scanned unless they open the book.

My BC enhanced driver's licence was also issued with an RFID protective sleeve. When I drive through the CAN-US border, the card can be read from about 10 feet away. If it is in the sleeve, the card cannot be read.

A friend in Maine told us her cards got read somewhere while she was on holiday - I really can't rem where she was - if it was in Europe or elsewhere...and did the cards really get read from afar or did someone do the old fake swipe thing (my brain is not working this morning and I can't rem what that is called...skimming?). I don't think she would make something like that up - she seems honest enough :)

I fall on the side of not really that worried about it. That being said, last time we bought something at our local luggage store, they were offering the RFID sleeves 4 for $1.50 or $2. I would have passed but hubby was doing the buying and he bought them - not something we'd use everyday, but maybe - just for peace of mind - we will use them next time we travel. He never would have paid more than that for them (because they would push them every time we went and used to want $5+ for them) but for $2, he figured...why not.

The sleeves we got only fit our credit cards. I'm just curious what kind of info people could steal that would be useful from a passport - I always hear stolen passports aren't that useful (as opposed to cc's) but I'm not clear on what would be stored on a passport with RFID...anyone know?

Important thing to remember: a chip card is not necessarily an RFID card!

The RFID sleeves only help prevent theft of the info (if they do at all) if your card has RFID capabilities. That means the one you wave in front of the terminal and the terminal picks up the info. Think Apple Pay from the iPhone - that works by RFID. A chip card you have to insert into the reader is not RFID and that covers most of the cards issued in the US.

So if you do have an RFID card and it makes you feel better to have the sleeve, go for it as long as you are not paying too much for the sleeve.

If you want to be worried about your passport and card data being read, you can add your phone to the list if it has Bluetooth capabilities.

Bluesnarfing
http://www.wisegeek.com/what-is-bluesnarfing.htm

Bluesnarfing is a hacking attack that uses a Bluetooth® connection to
access a mobile device. It is a much more serious attack than
bluejacking, which is more of a practical joke that does not alter any
data. Bluesnarfing allows the hacker to take complete control of the
device and access many of the functions and all of the data in the
device. The hacker is able to make calls and texts, listen to
conversations and remove all information without the phone’s owner
being alerted.

Mark is correct that only the RFID enabled cards can be read at a distance. You can tell if your card if RFID enabled if there is the small WiFi symbol on the card. Those cards are appropriate to put in a sleeve. Yes, they really can be read a few feet away. The bank I work for tested the technology but hasn't gone there yet.

Mark is correct that only the RFID enabled cards can be read at a distance.

How far a distance?

http://www.identityguard.com/identity-theft-resources/credit-fraud-and-credit-monitoring/are-these-new-rfid-credit-cards-safe/

A great many retail establishments in Europe, especially restaurants,
no longer swipe credit cards. Rather they read the chip in the card at
table side using a device held one to four inches from the card, and
essentially the card never leaves the diner's hands. You can even just
hold your wallet up to the scanner. Reports are, in some
establishments, no RFID card - you had better be prepared to pay cash.
Remember we said the card is read by a scanner held one to four inches
from the chip. That would mean a bad guy would have to get his scanner
within four inches of your card. Some argue this would be possible by
a scammer bumping into you in a crowd and running a wand over where
your wallet is - pocket or purse. The current generation of RFID cards
represents not only an ease of use for both the merchant and the card
holder, but also an advance in protective technology. Most RFID card
now being issued encrypts the cardholder’s information. So even if the
card is read by a remote scanner, to even access personal information,
the scammer must also be able to break the card issuer’s encryption
code. Moreover, RFID cards also create a new authentication code for
each transaction. Unlike a magnetic stripe card a thief can use over
and over until the card is shut down, with a single authentication
code it is pretty much a one and done situation for the scammer.

MrsEB

It really is easy. As I drive through the border, I stop at the sign that says to display my RFID enhanced driver's licence to the scanner which is about 10 feet away. If the sacnner reads my card, the big red LED display turns from 0 to 1. If I leave my licence in the protective sleeve, the scanner cannot read it and stays 0 no matter how long i stay there or wave my licence in front of the scanner. The scanner can only read the card when i pull it out of the sleeve.

I have also tested the protective sleeve with my building security elevator card. Without the sleeve, the scanner will read the card at about a foot away. With the sleeve on, i have to actually rub the card against the scanner and linger to make it work. The sleeves are obviously not foolproof, but do provide a significant measure of barrier protection.

We have tap credit card scanners up here in Canada. If I remember next time, i will try to test tap with the sleeve on my credit card to see if the sleeve prevents it from being read and will report back.

If i read the articles correctly, RFID theft is low mostly because there are currently still so many easier and more profitable ways to steal information on a large scale. Thieves are still making lots of money easily scanning and cloning magnetic strip cards which are still so popular in the US. Thieves will always take the path of least resistance. But as more and more cards are changed over to RFID, organized thieves will come up with ingenious ways to bypass the newer technologies to steal your info. How secure will payment by NFC be in the future? Or Apple Pay?

I really have no idea what information is on my various RFID (driver's licence, credit cards, passport etc) which is actually kind of scary, or how much harm can be caused if the information is copied or stolen. I do believe that thieves are smart enough to come up with ways to steal this information eventually if it is worth their while. If i can take take a few easy steps to prevent this from happening, then why not?

I did find putting each card in a sleeve to be cumbersome to use and bulky in my wallet. So instead, I just inserted two protective sleeve in both sides of my wallet and put my cards in the normal slots. When the wallet is closed, the sleeves form a protective sandwich with all my cars in between. No need to spend big dollars on a special wallet or purse. The sleeves are really cheap on ebay. If you want an even cheaper home remedy, use Reynolds wrap (aluminum foil).

I wish we had them.

Most all chain stores and a lot of vending machines in the Northeast of the US, accept RFID credit/debit cards. I use them on a daily basis.

I have never bought sleeves for my credit cards. I laminated foil pieces and put them in my wallet. I have one in front and one in back so my cards are protected on both sides. I made the pieces the size of an American dollar bill and they fit just fine in my wallet.

From the same article Edgar linked to:

"Much of the studies cited as showing the danger of RFID cards are several years old and were based on what can be characterized as first generation cards. Today's cards are much more sophisticated than those issued three and four years ago."

And this article is also almost 3 years old. They seem to have confused and commingled the details of CHIP cards and RFID cards as well. As stated previously, those are two different things and while they can both be present in the same card it is not a given. I have never seen the wave as primary option for credit cards in European restaurants. They almost always do bring a reader to the table, but it is one where you have to dip the chip and enter a PIN.

And yes, if you have two or more RFID cards in your wallet, the reader will not get a clear read of any one resulting in useless info to the scammer or a merchant you are trying to pay. You have to remove the card you want to use and wave it or tap it on the terminal. And if you carry multiple RFID items in your wallet (or even just one), there are wallets available that have embedded wire mesh within the fabric or leather that makes the cards unreadable while in the wallet for maximum security. Theses wallets also set off the metal detectors at airports. :-)

So that is what set off the metal detector! And I thought it was the coins...

If organized crime came up with an ingenious way to scan and decrypt your personal info from the latest RFID cards, do you think they would publish an up-to-date peer reviewed article to let everybody know how they pull it off?

MrsEB, I went to pick up pizza tonight and tried to tap my credit card while it was still in the sleeve. Cashier was just as curious as me. The credit card could not be read until i took it out of the sleeve.

(Just thought of this, i should try tapping the card through leather or cloth next time).

PS. I just checked eBay. You can buy ten RFID credit card sleeves for a dollar.

"....(Just thought of this, i should try tapping the card through leather or cloth next time)....."

For me that is the convenience of having an RFID card. I never need to take it out of the wallet. Just smack wallet against the reader and I'm on my way. Having a sleeve defeats the whole purpose of the chip. In the unlikely event that some bad guy somehow hacks the card, that's the banks problem not mine.

Sorry to keep posting on this. However, when i see a potential problem which can be solved by a solution that costs a dime, i cant help myself.

If the RFID card can be read without taking it out of your wallet or pocket, you see convenience, I see vulnerability. You get bumped or jostled in a crowd. You check your jacket or hip pocket and feel that your wallet is still there and move on. Meanwhile, your card could be scanned during that bump.

You can say so what, the best they can do is a one time transaction because of the some special transaction encryption. But even with skimming and cloning of old tech magnetic strip cards, the thieves often only got one or two transactions before the compromised card got shut down. That is why they usually use it on a big item. For example, go to Bestbuy and purchase a big screen tv for $2000. This is not Leonard Di Caprio living with a false identity for six months in Catch Me If You Can. It is a big volume crime. Copy lots of cards from lots of different people, make a big purchase which can be resold for cash and discard the cards.

Finally what is the big deal, the bank or credit card company pays for it. Wrong, banks make huge profits off of consumers. We all end up paying for it through transaction fees and higher interest.

I have had a magnetic credit card skimmed and cloned in the past. Fortunately, the bank reversed the charge against me and i did not personally lose. Still, I was pretty pissed off. If i can do any thing to prevent some gang, terrorist, gypsy or punk suburban kid with too much time on his hands from profiting, i'll do it.

Finally what is the big deal, the bank or credit card company pays for
it. Wrong, banks make huge profits off of consumers. We all end up
paying for it through transaction fees and higher interest.

The losses are literally spread out over hundreds of millions of other consumers. The impact to me via higher fees is undetectable. The banks and CC companies designed the cards, the chips, the encryption, and the hardware used to read them. They knew what the risks were long before they were made available to the public. Boohoo for the banks.

And we have identified the problem.

The RFID does not actually transmit a long way. SO the real time it's a risk is... when you are using it. And it will be out of it's safe container. LOL! These things protect you when you are at the lowest risk of compromise.

Yes, RFID works through leather wallets. I use my CTA card all the time by just slapping the wallet near the reader.

If people want to buy sleeves for their cards and passports, let them. If it makes people feel better or more secure, then fine. But the question was whether they are necessary. The overwhelming evidence is that the risk of your RFID enabled credit card (if you even have one) or passport being scanned and copied for fraudulent use is incredibly low.

MrsEB
i was able to tap and pay at Costco today, while my RFID credit card was still in my (fake?) leather wallet without the RFID protective sleeve.

I used to get into my office by waving my leather purse (ID card in a wallet inside) near the ID reader at the door. That's what RFID is meant to do. That, and keep you from walking out with products you haven't bought.

You do realise, eh, that there is a difference between RFID and NFC? NFC is the one on your card (or not) RFID is the one in the store?

Different kettle of fish.

You do realise, eh, that there is a difference between RFID and NFC?
NFC is the one on your card (or not) RFID is the one in the store?

The underling technology is the same. Radio waves from a transmitter read information from a chip which performs an action: opening a door, authorizing payment, lifting a toll barrier, or setting off an alarm at the entrance/exit of a store.

From How Things Work:

"RFID tags contain an antenna and a memory chip that stores data. ...

The tags are embedded into retail products to help stores keep tabs on inventory. ... But these tags can do much more. They're stuck under your dog's skin so that the dog catcher can identify Fido if he gets lost. The RFID highway toll tag in your car automatically identifies you to the toll reader, even at top speed, which bills you later. ... And RFID appears in so-called smart passports and credit cards, as well as identification badges that let employees access secure areas.

RFID often works well at distances of many feet; ... And RFID is a one-way communication system, in which data flows from tags to the reading equipment.

NFC technology is a newer, more finely honed version of RFID. It operates at a maximum range of about 4 inches (10 centimeters) and can be set up for one- or two-way communications."

I don't really believe in it, but when my credit union sent me a new card, with a chip, they sent it in an RFID sleeve.