How To Hack A RFID Credit Card For $8

Today’s episode of BoingBoingTV demonstrates how an $8 credit card reader bought off eBay can be used to read your credit card numbers while they’re still inside your wallet.

Nice.

Also demonstrated: A stainless steel wallet that blocks the reader. We know someone who keeps his credit cards in an Altoids tin. He now seems like a genius.

Comments

  1. lessersiren says:

    I’ve read that even a tinfoil wrapper for your credit cards is sufficient to block RFID readers.

  2. Walrii says:

    It’s not so much a “How To” as it is a “It’s Possible” spliced in between some Verizon commercials. :(

  3. Beerad says:

    Fortunately, I tend to notice people rubbing electronics against my ass. Guess I’m just hypersensitive that way.

  4. Amelie says:

    I don’t know why they didn’t address the non-RFID cards, because I assume they are a safe alternative – or the ones you’ve disabled yourself.

  5. Scalvo2 says:

    How could I boost the signal of this reader?

  6. It’s good to see Andy Dick got a job, but he doesn’t seem as zany as he used to.

  7. sharki3232 says:

    How do you know if your card has an RFID chip? Will it be visible on the surface?

  8. consumersaur says:

    Tinfoil wallet for the tinfoil hat crowd! Think of the marketing possibilities!

  9. sp00nix says:

    I thought of this years ago, and it’s now being addressed?

  10. less_is_best says:

    RFID is for your protection. I understand that. You’re either with RFID, or you’re against RFID. (Insert gratuitous applause from the sheeple here).

  11. Binaryslyder says:

    This is very serious and very scary. The fact that he was able to buy a reader off eBay and convert it is a massive security flaw. Like he said, all it would take would be a bigger antenna and he could scan your card without moving.

    Imagine walking by someone in a park or at a store and having them scan your card. Very scary stuff.

    So let’s talk prevention and deterrents people.

  12. arch05 says:

    @sp00nix: You’re a fucking genius.

  13. smirky says:

    If only they would imbed an RFID chip in Wal Mart receipts then we could all shop together. Imagine the harmony.

  14. jmsbmck says:

    Even more interesting? These are the same chips in the new US passports. If you’re a terrorist, I would imagine it would be pretty easy to scan a crowd for an American passport and then take action based on that knowledge… Scary.

  15. sharki3232 says:

    @Binaryslyder: Stainless steel wallets are out, they’re $80!

  16. Beerad says:

    @Binaryslyder: RFID chips have been out for a while. Have you ever heard a story of CC information being stolen like you suggest? I guess we’ll just be on the lookout for shady people pointing large antennas at people’s butts in public.

  17. MercuryPDX says:

    @consumersaur: You read my mind. I must now go and apply another layer because thoughts are leaking through!!!

  18. ClayS says:

    Wasn’t there a recommendation recently to smash the chip within the card with a hammer?

  19. Amelie says:

    @jmsbmck: Actually it was interesting news about four years ago. The security of passports with RFID chips has been discussed at length. Thank goodness I got mine renewed right before the change.
    [www.schneier.com]

  20. I’ll just tuck mine inside the tinfoil hat I wear anyways, problem solved. [It's kinda scary to think we need those for our CC's IRL.]

  21. weakdome says:

    Stainless steel wallets are apparently overpriced… reviews all seem to indicate they are “thin and delicate like silk” and fall apart within 3-8 months of normal wallet use.

  22. MercuryPDX says:

    @ClayS: Yes. WAY safer than using the microwave.

  23. PatrickIs2Smart says:

    @Scalvo2: I carry a car battery around with mine. That seems to do the trick.

  24. LostDog says:

    Whoa… Someone must be scanning my wallet.

    Yesterday I got my new Wamu issued Mastercard Debit card in the mail. The first thing I noticed was the Paypass (or whatever they call it) propaganda in the envelope and the nifty wireless signal logo in the upper corner.

    I was none too happy to see this (my expired one didn’t have it) and I quickly hopped on teh intertubes to see the potential of this being exploited.

    Damn you Consumerist! Stop pointing your card scanning device at my house!

  25. graffiksguru says:

    They sell sleeves for cards and passports, no need for stainless steel wallets
    [www.smartcardfocus.com]

  26. ZPM says:

    The covers of the new passports are metallic so they can’t be read unless opened.

    And if it’s the same technology, why didn’t they use the reader to see what they could get off a passport? It’s because the passport has more security and can’t be read unless the MRZ on the book is scanned first.

  27. overbysara says:

    [www.wired.com]

    how to disable rfid chips

  28. azntg says:

    @sharki3232: That’s a good question.

    In the case of credit cards, there is usually a proprietary logo marked on the card itself. The Mastercard Paypass logo, a picture of waves emanating from a triangle, Chase’s “blink” logo, etc. are some examples. For some American Express cards, you can see the chip outright (and the Expresspay logo at the back of the card).

    Also, an alternate way to check for RFID chip is to lift the card up to a bright light source. Usually, most RFID tagged cards will have a small square “bump” on the surface of the card. It’s hard to feel the “bump”, so you have to look for it with your own eyes.

  29. ViperBorg says:

    *sigh* Great, now we’re one step away from scanning my car key and stealing my car. (RFID Key on my Nissan, I like it never to leave my pocket, but it looks like I’m going to have to get a car with a traditional key.)

  30. ivealwaysgotmail10 says:

    [www.amazon.com]

    Here’s an RFID blocking wallet that looks a little less like a tin foil hat, Faraday Material inside instead of aluminum. Blocks all communication! I have one!

    Not that I would have a hard time noticing that guy wiping invisible crumbs off everyone’s ass

  31. LostDog says:

    I’m curious… Has anyone who “accidentally” smashed their passport with a hammer gone through customs? Any issues with the RFID being disabled?

    • TheRedDuke says:

      @LostDog: I nuked my passport. Hammer wasn’t working. 2 seconds will do you if you want to take the risk of burning the whole thing up. (I renewed my passport right before the change-over, but instantly lost it. Obviously, that’s a worse threat to my info being stolen than any chip . . .)
      I have been to Mexico and France with it no prob. It looks scorched, though, if you open it to the back cover! Suppose I’ll just say I left it on the radiator if ever asked.

  32. crabbyman6 says:

    @LostDog: From what I read when I got my new RFID enabled passport, the RFID chip is for convenience, it’s not a necessity. They even mention in the documentation that if it’s broken it’s not a big deal. You can just flash your passport like the good ol’ days, the RFID is there so you can just quick scan it at a reader or so you can have your SSN stolen by some dude with a card reader and a booster.

  33. mike says:

    @Binaryslyder: There are silver-lined wallets that are out there. It’s not solid metal. The silver is actually embedded in the fabric.

    I still don’t think this is a big deal. I’m more worried about the people in TGIFriday’s writing my card number.

  34. katylostherart says:

    so don’t put the tinfoil on your head, put it in your underpants.

  35. ViperBorg says:

    @katylostherart: Mind the sharp edges!

  36. katylostherart says:

    @ViperBorg: ok well just outside the underpants then.

  37. racerchk says:

    can’t you just poke the rfid with a pin to damage/disable it?

  38. forgottenpassword says:

    and this is why I REFUSE to have rfids in anything I own [not including the ones that are already manufactured & hidden in certain products (like shoes)].

    YUP!…RFIDs in passports is a GREAT idea! /sarcasm

    …. now where did I put that hammer?……

  39. dorkins says:

    @katylostherart: next to the tinfoil-wrapped cucumber?

  40. appsbyaaron says:

    @ Beerad (3rd post)….

    This is just the beginning. They’ll strip out the reader and jam it all into an old cell phone case and just collect the data onto a 64 gig sd chip. Then while you’re in line at the theater for opening day of Saw XVI the ticket taker will be scanning everyone who walks through the line so he can get a bigger bonus that year.

    Or what about major sporting events where there are masses of people? Or 3 hour lines at Six Flags? Or a black van driving around your neighborhood? Shoot. I just found out that my house is in Google Maps’ Street View. That guy could have been reading every RFID card in my house while he drove by.

  41. Hawk07 says:

    Didn’t the X-Files address the government putting in that thin film strip that says the value of the bill as a way of tracking how much money people have on them at any given time?

  42. hhole says:

    Since so many are chatting up the stainless steel cases, I’ve had one for several years that I bought from Kyle Designs. It was about $30. I had a choice between a cheap Asian case or a German made case and went with the more expensive option.

    Checked to see if it blocked my RFID CC and it worked just dandy. Also blocks my apartment entry and work entry cards as well.

    Stainless steel rocks!

  43. lanshark says:

    Paypass security is good enough for me.. a counter stored on the RFID chip must match one stored on the Paypass network. Both are protected by decent hash-based security. So, if you have never used your credit card for RFID payments, there is a chance someone out there is using it to fill their car with Tim Hortons coffee or drink gasoline on your tab.

    In which case, you might want to drill a 0.5 cm hole through the upper left corner of your card (about 2 cm down, and 1 cm to the left)

  44. el_smurfo says:

    find an old cigarette case at a thrift store and use it as a wallet.

  45. @ivealwaysgotmail10: What is “Faraday Metal”? According to the review, it is aluminum inside. A Faraday cage is traditionally made out of a mesh type material. So do they use a brass or copper mesh?

  46. Beerad says:

    @appsbyaaron: “Then while you’re in line at the theater for opening day of Saw XVI the ticket taker will be scanning everyone who walks through the line so he can get a bigger bonus that year.”

    Oh, you mean just like all the cashiers who get busted every year for adding an extra card reader that logs your CC data when they swipe it for you? You know, like the ATM scam-reader thingys? If you haven’t seen a rash of crime like that, why would this be any different? Seems like a lot harder than lifting everyone’s CC data by handling the card.

  47. bearymore says:

    If you think this is bad, wait until the RFID cellphone is released. According to the LA Times [www.latimes.com], the automatic charge cell phone is coming. The idea is that when you are ready to pay for your stuff at Best Buy, all you have to do is walk by the reader, and your cellphone will contact the bank and pay for you automatically. Of course, as the article points out, anyone within 300 feet will be able to access your data as well as your exact location. Big Brother is with us.

    The good news is that the California legislature just passed a law making it illegal for employers to compel employees to have RFID chips implanted beneath their skin.

    Have we all gone insane??

  48. snowmentality says:

    Hmmm, can you accidentally microwave your CCs and still have them work? I know I, er, might accidentally microwave my new passport. I often microwave my pants with stuff still in the pockets, you know.

  49. theblackdog says:

    Well thanks to the massive numbers of people who were waiting until the last minute to get their passport before a trip, I got a passport that had no RFID chip in it, and now I won’t have to get one for the next 10 years :-D

    However, my workplace is in the process of issuing new IDs with a special RFID in them, and they will include a special holder so that a person can’t just walk up and scan my crotch to get the information.

  50. Grrrrrrr, now with two buns made of bacon. says:

    I didn’t even have an RFID chip in my ATM card, and Hannaford supermarket managed to expose my account information…no high-tech gadgets required! Just as a precaution, though, starting today I’m going to start wrapping my @$$ in tinfoil every morning.

    I think RFID chips have their uses, but not in credit cards or passports. I mean, come on, is it that much work to remove a card from one’s wallet? What’s next…a giant bar-code on everybody’s forehead?

  51. rlee says:

    @graffiksguru: Thanks for the link. They appear to be a UK company, though. The US source for these items appears to be: [www.idstronghold.com]

    And this RFID-blocking card case appears to be available from many vendors: [bags-totes.daytimer.com]

  52. TXchainsaw says:

    those 2 should toooooooodally hook up OKAYYYY!!????

  53. flatlinebb says:

    This video just popped my BoingBoingTV cherry and I have to say that Xeni is hot. I’d get close to her ass anytime – even without an RFID reader.

  54. christoj879 says:

    I’m not seeing this for $8 on eBay, the only place that has these PayPass adapters looks to be a scummy place advertising their merchant account.

  55. jamar0303 says:

    @bearymore: Japan’s had RFID cellphones just fine. The key is security. I have one- it’ll prompt me when something tries to read from it and I have to physically confirm. In fact, it prompts me for my cellphone lock code to allow anything to read from it.

  56. bluewyvern says:

    All I’m thinking is I want that jacket. [/shiny]

  57. malgwyn says:

    Wasn’t this explained years ago by 2600 (The Hacker Quarterly)? “Mythbusters” obviously stole it from 2600, they are a bunch of engineering yobs, not particularly focused on exploits. Xeni Eraserhead and Boing Boing (started as a badly produced ‘zine) were always poseurs on that scene.

  58. deadspork says:

    The credit card company I work for (which shall remain unnamed :) allows you to opt out of the RFID feature, just call and ask for a non-RFID card. I’m sure most will be able to oblige.

  59. redkamel says:

    I can’t wait 30 years until Wired has to have an article about how to disable the chips installed in your head at birth.

  60. ROCKYLIFE says:

    Pointless story.

    Uh, they invented the little 3 digit security code (CCV2) on the BACK of your card YEARS ago. Amazing what a good idea that was, and how good it works. The generation process has never been cracked, and it’s illegal for merchants to store it.

    It doesn’t get transferred over RFID, and isn’t included in the mag stripe information.

    There are very few websites, and certainly no major ones, that don’t REQUIRE the security code, so the other information is useless. So online purchases are out.

    Now try going up to a merchant in person and buying something, without your credit card, AND without the CCV2 code. That’s not going to happen either.

    The ONLY stolen credit card scams that are working at all are those that trick users into entering ALL of that information into a FAKE merchant website, which then has ALL of the pertinent details. Or those thieves that swipe multiple transactions when they HAVE your credit card in hand. Everything else is scaremongering.

    Next story please.