1984

An RFID chip does not transmit the account number. It is pretty much sending back a reflection of a radio signal that is sent out by the readers. These only work within a few inches of the chip. If your card is just sitting in your wallet, it's not transmitting anything. It is, AFAIK, also encrypted, so some random person can't just make a random RFID reader that will be of much use.

I think the link needs fixing

@bonzombiekitty: Sadly, you are incredibly wrong, BonZombieKitty. I have read accounts of people building RFID readers that worked across several meters of distance... and the encryption probably isn't worth much. Stealing credit card information is big business in the underworld - so big that it is worth the time and money of crime syndicates to hire or coerce people into cracking encryptions and coming up with methods to procure more card numbers.

There have been numerous demonstrations of how insecure RFID is, yet the financial instituions are just blindly in love with the commercials where people are practically sprinting through stores, swiping cards on the go as they take their loot home.

Or keep it in a Faraday-cage wallet.

RFID can work at a distance of several feet -- it's how I get past our traffic gates and in our machine room -- I just need to drive walk within a couple of feet of the sensor by the gate/door and the card in my wallet unlocks the door.

ah good now. Can't you make your own rfid reader dishes in the same way that people get their wireless to work over miles and miles to steal credit card numbers from tj maxx?

I believe it is the power of the reader is what determines the range of the card, not the chip itself. So if someone wants to play collect the encrypted data, they could do it from a fair distance. Why do we keep having to make payment easier anyway? Cash, it's slow and secure (providing no one robs you.)

I can't honestly say I'm overly concerned about the RFID chip in my credit card. I'm not liable for any fraudulent charges, and they can't really use my credit card number for identity theft anyways. Now the RFID chip inside my passport that'll hopefully come soon... that I'm concerned about. I plan on keeping it in aluminum foil.

did some googling of my "citi-dividend platinum select" card & found out that mine is not chipped, BUT the one they tried to upgrade (force upon) me with (before I called to specifically opt out of) DOES have a chip. Think it was called the "city dividend world mastercard". I hate the whole rfid idea. I think new passports have them as well. Read something about banging the chip with a hammer will destroy it when it comes to the passport chips (I still have my old non-chipped passport)

It really has nothing to do with making payments "easier". They'll eventually turn this into Minority Report-esque targeted advertising. They'll have sensors which will recognize your account via RFID and will tailor advertising to your specifically. Tailored ads will allow the company using the RFID chip to charge advertisers more.

@omerhi: You're right. I worked for a company that was planning to do exactly that. It was really scary, and I was happy to get out of there.

I wrote a blog post about how to get rid of the chip in your passport (smash it with a hammer) and all the commentors apparently thought I was a gun-totin', anti-government freak, rather than someone who was simply concerned about her personal security.

[www.nytimes.com]

It's possible to lift information off an RFID chip

I just realized that I use a gun in my little icon thingie there. I don't actually have a gun. :)

Thanks for the info on this! I'll be de-BORGifying my credit card tonight. It will keep me from having to pull my transit card (also RFID) out of my wallet to get into the subway station.

RE: the passports. I got a new one in March and no RFID, though I got it through a consulate (which is REALLY quick by the way, took 1 week with no expiditing) so that might change things.

@AnnieGetYourFun: It bugs the crap out of me when people seem to think that anything the government does in the interests of "national security" should just be accepted and if you don't accept it, you're some kind of wild-eyed crazy anti-government psycho. I prefer not to avoid anything to be known about me that I don't have to. And I certainly won't allow advertisers to misuse (hell, even *use*) information about me.

I'm paranoid enough that I have to submit a thumb print when I take the LSAT in September.

wow. I went to Jack in the Box and I thought I was buying a spicy crispy chicken sandwich...

when in reality I was selling my soul to the New World Order.

    My card's not RFID, although Chase is rolling out Visa's in New York and Philly, evidently. Do not want. Getting your card number stolen is a hassle, even if you don't have to pay for the fraudulent charges.

    We've used RFID ID badges at work for several years, for various door scanners. Any pressure near the chip will break it, unfortunately. I do have a physical master key, because RFID locks don't open when the power goes out.

I got my new passport in April, and it has a chip.

@AnnieGetYourFun: so you're the one that wrote the infamous "how to illegally manipulate a precious piece of government property". lemme just check your IP...annnnnnd...the black vans are on their way!

@formergr: Has it had a ride in your microwave oven yet?

In 2004 aliens abducted me for 24 hours and when I was 'returned' I had a chip in my brain. Can I use this same system to drill a hole in my head and deactivate the chip?

@ElPresidente408: i would've gotten away with it too, if it wasn't for those meddling kids!

my favorite part of that article:

"This is an interesting technical exercise," said Brian Triplett, senior vice president for emerging-product development for Visa, "but as a real threat to a consumer - that threat really doesn't exist."

As the I found out the hard way courtesy of BOA, fraudelent charges on your card can be a real pain to dismiss. As for reading RFIDs, my local tollway can do it from 20 feet in the air at 80mph!

The distance that RFID works depends on both the reader AND card. Yes, the reader supplies the power, but the antenna configuration on the card is also a factor.

For most of America, I don't see RFID credit cards as being a major problem, but for those who live in cities, where everyone is in close proximity to each other (like walking on the streets of NYC), I'd be worried. Granted, someone could conceivably hide a reader inside the checkout line of a 7-11 or pharmacy (both have merchandise in front of the counter, at waist-height), which could skim the numbers.

Overall, RFID = bad idea as implemented. Now, if they wanted to do an RFID + Mag Stripe deal where the RFID chip and mag stripe were both needed to process the transaction, then you might have some security. Much more difficult to fake an RFID than mag-stripe. Of course, mag-stripe credit card + pin would provide a huge security improvement over what currently exists (nothing).

Best way to fix these in credit cards or passports is the same: Percussive Maintenance.

See Gizmodo deom December of last year:
[gizmodo.com]

Sure - it'll illegal to do this to a passport (doubtful the same is true for a credit card), but sometimes to just can't help 'accidental' damage.

I seem to remember reading somewhere though how it is a crime to tamper with the RFID chips.

If you want to block the RFID just use a blocking wallet such as [www.RFIDBlockr.com] It creates a faraday cage just like your tin foil hat!

Scary stuff. One distinction people should be making is that between passive and active RFID. AFAIK my FasTrak unit uses active (the chip has a power source to boost range by quite a bit) and can be read going 85mph at a fair vertical height. I have a special lined bag that I keep it in when not using the tollroads. :) "Normal" RFID (passive) range is purely based on the reader, as others have said. The reader is actually a transmitter and a receiver, "bouncing" a signal off of the chip. Security is virtually nonexistent on these, and any Joe could read information stored on the chips.

According to the DHS's own study on RFID, the technology was deemed unsuitable for secure transmissions. As far as I'm concerned, that gives me the legal right to tamper with them as much as I want.

The powers that be know the American people well, make them afraid (as in Identity Theft) and they will accept anything!

I had an experience with this a few months ago. I emailed Chase about the Freedom card and getting a non-RFID version. Ends up they do offer that. It's another card, but the same account type. They had no problem doing it. Just mailed me a replacement which I activated. No big deal. I wrote it up on my blog for anyone who wants more detail.

I was really surprised they didn't hassle me. It's not like I had a long history with them. I had the card for a day or two.

I want to work for the government, and I find these things quite scary. I'm glad that my passport is good through 2015, though--hopefully, by then, laws requiring the chips will either be repealed or laws about disabling them will be. Either way. Idealistic, I realize, but isn't that the requirement for someone wanting to work for the government: utter idealism or a desire to control the masses via thoughtwaves?

@Her Grace: i too thought karl rove resigned, but now i realize that texas is just a better geopolitical location to harness sheeple brainwaves.

@bonzombiekitty: Higher power RFID readers can read stuff from 100 feet away, possibly more. Stores use those for identifying trucks with shipments to tell what merchandise is onboard.

I don't know- I find myself in favor of RFID for payments, but only in the Japanese style. RFID in your frequent flier card so that it functions as your boarding pass (JAL and ANA does this), an RFID-based prepaid cash card to use at various shops (they call it Edy), and RFID in subway/bus passes (but America already does that).

Of course, Japan's version of RFID is much more useful, because cellphones can download a Java program and be able to use the features of a given card. Less load on the wallet because you just carry your cellphone with you and it automatically knows what program is needed for what RFID reader.

RFID is going to be everywhere and transmitting all sorts of person info in a few year's time. Why delay the inevitable and ruin a perfectly good credit card? For example: some country are putting mandatory RFID chips on passports now that will transmit all your personal info. What are you gonna do? Burn your passport?

Can you use magnets to short out an RFID chip? Obviously that wouldn't be so good to use on a credit card, but it might help on the passport without leaving obvious smashy marks. I have a couple of rare-earth magnets that would do the trick.

For those who think RFID can only be read at short distances, whats stopping someone from building a small RFID reader, bumping into your and wirelessly "picking" your RFID enabled cards. A single person can probably grab hundreds of cards a day just walking around a large city.

AVIATIONWIZ
In Reply to wrapping your passport in aluminum foil.

all your doing there is increasing it's range.
What you want to do is wrap it in a Faraday's cage.
[en.wikipedia.org]
A small one will suffice enough to scramble up a simple RF reader and garble any attempts to activate the chip (the chips pull there power from the signal from the reader.)

Here's a wallet all redy for ya :)
[gizmodo.com] Faraday Cage Passport Wallets: Jams RFID-Chipped Travel Docs

the key is the mesh (woven) and copper is the preferred metal all tho a really good one uses gold.

I worked for a processor who encoded credit cards.

Although the RFID will add a layer of security to transactions, this is a cheap solution to a problem that would virtually disappear if they invested in chip cards and readers universally.

The problem? The cost of encoding/embossing (punching out names and numbers) a typical mag stripe card is less than a dollar. For the cheapest chip card (embedded microchip) it was well over $3, with the typical cost over $4. BUT...even if the issuing banks and Visa/MC would bite the bullet, it would require hundreds of millions of dollars (one estimate I read was $2 BILLION) in cost to the merchants. The Point Of Sale terminals cost (three years ago) $200 EACH. A POS is the thing you swipe your card on. For a chip reader, you would insert the card and the chip would be read. It would be impossible for your chip card to be read unless it was inserted into a reader.

Imagine how much Wal*Mart would have to pony up to replace all of their POS terminals! Ain't gonna happen.

So....the powers that be decide to take the cheap route, which involves a level of risk to the customer. If and until fraud constitutes an unacceptable risk to the issuers (banks), we will not see universal chip cards/readers. We will see stopgap measures such as RFID.

I live in the UK. Here is London we have RFID only in our Oyster cards (the card we use to get on the tube and buses). We have a chip/PIN deal on our credit/debit cards. It's a pain in the ass, but it is secure.

@radleyas: Fellow Londoner, wait till Brown pushes through the mandatory ID scheme which takes its cues from US-style RFIDs.

Even just the Oystercard can be used to harvest data about your travel patterns, payment patterns, and even address details if you're dumb enough to register it. My wife and I swap our Oystercards out every couple of months or so.

the timing of this post is fantastic.

I have just received my "PAY PASS" Master Card from my bank (KEY BANK-CLEVELAND)

And while it has this chip in it, it appears the RFID chip appears to very near the "swipe" bar.

::big sad face::

@shoegazer: Yeah I somehow messed up registering my Oyster card and I never bothered to fix it. I felt that if tfl wanted that info so bad they had to send me a letter informing me of my fuck up then I definitely wasn't going to correct my mistake.

@shoegazer - Credit Card companies know where you spend your money anyway & RFID won't make much of a difference in that regard. I got a new UK passport last year and it has an RFID tag in it so you don't need to wait for GB to push it through - I'm sure driving licenses will be next . . . .

RACCETTURA: I wanted to confirm your positive experience with CHASE. The CS rep didn't know what I meant by RFID, but as soon as I asked for a card without BLINK (their branded name for RFID "service"), she immediately confirmed my address and said I'd have a new, non-BLINK card within 3-4 business days.

@radleyas:
Are those pneumatic tubes like we use at the drive up windows at the bank? Sounds fun if it is.

this is really easy to do with a Blue from AmEx card... seeing as the chip is part of the cutesy design