Is NFC/RFID Skimming a Real Threat... Yet?
This post was originally published on 11 SEP 2020; it has been updated to include more relevant and current information.
As NFC and RFID technology grows more popular in smartphones as a method for delivering "wallet" payments, and as more credit cards use RFID technology, security issues arise.
How secure are they? Can't they be skimmed? What's the likelihood of someone stealing my info?
These might all be questions that are running through your head.
The quick version of the good news is that your average person doesn't have to worry about NFC/RFID skimming - and we'll do our best to put any of your worries at ease in this post.
What is NFC?
In order to understand NFC (and also RFID) skimming, you'll need to understand what NFC and RFID actually are.
NFC stands for Near Field Communication. It is a subset of RFID, which is Radio Frequency IDentification. NFC is not considered Bluetooth.
NFC allows short-range communication between compatible devices.
It's a feature that's most commonly found on smartphones and tablets, versus laptops and desktops. Additionally, NFC is typically associated with Android phones versus iPhones, but just about all iPhones have NFC capability.
NFC functions on its own standard. NFC-enabled devices are typically separated into two groups: passive and active.
Active NFC devices can both send and receive data. Active devices require their own power source. A good example of an active device is the iPhone 11.
Passive devices can only send data, but they don't require their own power source. Some IDs use the NFC standard to communicate with NFC readers. Other examples of passive devices can include billboards and signs.
How does NFC work?
NFC sends information by radio waves. In most cases, this is accomplished by using the Radio Frequency Identification (RFID) standard.
A big key to understanding how NFC works is first understanding the basics of how RFID, the parent technology if you will, works.
How RFID works
RFID's most basic function is to allow devices to communicate via radio waves. RFID also allows the unique identification of items via these radio waves.
At minimum, an RFID system is made up of a reader, a tag, and an antenna where:
- Tags hold the data.
- Readers "read" and decode the data held by tags.
- Antennas transmit the data between readers and tags.
RFID can also be separated into passive and active.
Passive RFID systems use tags that function without a dedicated internal power source. The tags are actually powered by the energy transmitted directly from an RFID reader. You'll typically see passive RFID tags used for the likes of access control, such as using a key fob to gain entry to a restricted access building; or for logistics/supply chain management, which sometimes employs smart labels.
Active RFID systems use tags that operate off some sort of battery power. Generally, these battery-powered tags continuously broadcast a signal (when powered on) regardless of the presence of an RFID reader. Active RFID tags also have a longer read range than passive tags. This continuous and independent broadcasting makes active RFID tags and systems highly useful for real-time tracking.
Additionally, RFID technology can be separated into differing frequencies, such as low frequency and high frequency.
The basic idea with the low and high frequency differential is that lower frequencies transmit data at a slower speed than higher frequencies.
Back to NFC: The NFC standard allows communication between devices to happen in three different ways: peer-to-peer, read/write, and emulation.
Peer-to-peer communication is what sets NFC apart from RFID the most. It's also the type most commonly found in smartphones and tablets.
Read/write is where information is only sent one-way.
Emulation is where a device can function the same as a physical card. A good example would be an Android phone using Android Pay at a store checkout or an iPhone using Apple Pay at a store checkout.
What is NFC/RFID skimming?
Finally, with the basics down, we can get into NFC/RFID skimming.
And it's surprisingly simple, at least in theory.
NFC/RFID skimming is where hackers/skimmers/bad guys intercept the radio wave communication between devices or simply read the radio waves that an NFC- or RFID-enabled device puts out. Without getting into overly technical details - that's pretty much the gist of it.
In most cases, the bad guy's reader reads the data put out from your device or debit/credit card. They can then capture this information and use it for their own benefit.
For example, let's say you had an RFID-enabled credit card and were in line to purchase goods from your favorite merchant. When you get closer to the cash register to make your purchase, you may pull out your form of payment - your RFID-enabled credit card - when you're next in line.
Now, let's say, the person behind you gets oddly closer to you with a strange device in their hand. Depending on both your personal settings and your card provider settings, you may have alerts for when card purchases are made. For simplicity's sake let's say you do have card purchase alerts enabled.
So when the odd person behind you gets closer to you with their strange device, let's say you get an alert that your card was just used to make a $200 purchase.
Well, in this case, you've just been skimmed.
How do the bad guys skim a card or a phone?
Typically, nefarious actors buy devices that enable them to steal the code produced from your debit/credit card or your smartphone that enables payment.
Is NFC/RFID skimming a threat?
It certainly is. Is it a threat you're likely to face? Realistically, given the "average" threat model, probably not.
As RFID technology becomes increasingly popular -- especially in the United States -- NFC/RFID skimming does pose a potential threat, but for the overwhelming majority of people it is NOT a viable one.
I say this because for most criminals/hackers/whatever-you-want-to-call-them, the risk versus reward is not the best. On the skimmer's end, there's a lot of effort to be put in... and the payoff really isn't there for them.
Generally, the bad guy(s) can get a bigger/better return-on-investment by trying to steal your credit card information via phishing or by hacking/cracking databases with already present security issues.
You know, like the big fat data breaches. Most nefarious actors looking to steal information - especially financial information - will target companies as they tend to store vast amounts of information about their customers. The threat actors generally find that their time/money is way better spent targeting companies and other organizations because the potential payoff is huge!
But you should be aware that the threat is always there, as with everything we do. Thankfully, it's pretty easy to protect yourself, whether this form of information stealing is on your radar (read: threat model) or not.
How can I protect myself from RFID skimming?
The obvious answer is to be aware of your surroundings.
Generally, this means when using your NFC-enabled smartphone, make sure no weird stranger with an even weirder device in his or her hand is standing too close to you; the same goes for when you use your RFID-enabled debit or credit card.
Remember that the threat of NFC (or RFID, generally) skimming is primarily a physical one; it's unbelievably hard (read: damn near impossible) to skim an NFC device or an RFID-enabled card solely over the internet. It's just not feasible - so again, the threat remains more of a physical one.
Buy RFID-blocking technology
We don't necessarily believe you should go out and buy anti-RFID skimming pants or anything, but a simple wallet or sleeve that offers some protection is better than none and could prove worth it if this type of attack fits your threat model.
Opting for an RFID-blocking wallet or sleeve is also pretty set-it-and-forget-it. With one of these, you would just slide the cards at risk of being skimmed into the wallet or sleeve and it should take care of the rest.
Please be aware that most people (read: you) most likely will not need dedicated NFC/RFID blocking technology. If it happens to come with the new wallet you've purchased, then that's cool. Odds are you're not going to need a heavy-duty upsell into a full-blown NFC/RFID skimming kit.
Turn off NFC
For your NFC-enabled smartphone, turning off NFC is an option. This can generally be accomplished from within the system settings on your phone.
Be aware that some phones, such as iPhones (and some models of Androids), cannot outright disable NFC.
For smartphones that enable control of the NFC status, remember to turn it off when you're not using or planning to use it. You'll also want to keep in mind that you'll need to re-enable NFC to use NFC-based apps whenever you're ready to do so.
In addition to buying RFID-blocking technology, you can take my earlier advice of being aware of your surroundings when using your NFC-enabled phone or RFID-enabled card and pair it with (1) putting the NFC/RFID device in your front pocket and/or (2) putting RFID cards together.
Putting the NFC/RFID device/card in your front pocket allows you to easily maintain watch over it with less effort. Overall, it's harder to secure anything in your back pocket than in your front pocket.
That's pretty much why pickpockets of both the digital and physical variety go for the back pocket.
Look at it like this: it's a lot easier to run a skimmer by your back pocket without you noticing versus running it close to the front pocket.
By putting the devices or cards in your front pocket, you're taking away a low-hanging fruit opportunity with minimal effort on your end.
Also, putting the RFID cards together (if you have multiple) scrambles the signals, making things harder to skim.
There's also a 3rd option: (3) wrapping everything in aluminum foil.
This measure is drastic and can be pretty unsightly, but it is an option for those that are truly worried about their payment cards and/or smartphones being skimmed.
Aluminum foil has been shown to decrease the range where the bad guys can successfully skim your device or card, making their job of capturing your payment details even harder.
If you opt for this, you should keep in mind that the effectiveness of aluminum foil degrades quickly; you might run through aluminum foil quicker than you did before. For some, this may not be cost-efficient and you run the risk of dealing with increased urges for creating a tinfoil hat...
If NFC/RFID skimming is something you're worried about or the possibility of being skimmed fits into your personal threat model, then I recommend you use a combination of the above ways to protect yourself.
The easiest way to mitigate the risks of NFC or RFID skimming happening to you is to simply be aware of your surroundings. As stated earlier, you'll want to be aware of people standing too close to you - even if you're not necessarily worried about NFC/RFID skimming. Secondly, you'll also want to be aware of any weird or standout devices that people in your vicinity could be carrying.
Additional mitigation efforts include putting your RFID/NFC devices together and buying a simple RFID-blocking wallet or sleeve to house everything that can be potentially skimmed.
As mentioned before, this method is almost set-it-and-forget-it, which makes sense because, as I have mentioned before, there are likely other more real threats you should pay more attention to!
With that said, the real risks of NFC/RFID skimming are fairly low for most people out there. Therefore, in most cases it's probably not something you have to truly worry about when using this technology.
As always, stay safe out there!