how effective are RFID wallets?

I use one of these aluma wallets mainly to keep my credit cards from bending and splitting as they do in leather wallets.
I was wondering just how effective it is at blocking the scanners. Does anyone have any test results I could look at?

I would add a question.

Can anyone get details from my cards by scanning from a distance?

I have one and I also would like to know if it really works or is just scare/woo/marketing.

I bought it because it was the form I wanted and wasn’t any more expensive than a “plain” wallet.

Truly, the Day of the RFIDs has arrived. In an era where consumer financial data may as well be publicly posted, worries about someone scanning your butt are almost… well, I was about to say “touching” but that would be inappropriate, right?

I’ve wondered this lately, too. I recently got a NEXUS card, and it comes in a special sleeve that is supposed to render it unreadable.

I investigated my RFID driver license - all it contains is a number. I guess if someone scanned it they would have to hack the state database to get my name and address (already in the phone book) and my DL number (which is on every check I cash).

Not worried. I tossed the foil envelope they gave me at the DOL.

If the CC companies were worried about someone remotely scanning the card while it’s in your wallet, they would have given you specific storage instructions.

That’s the point, are credit cards being remotely scanned, or is this an urban myth, and do the Aluma wallets block the scan?

I think that remote scanning is more myth than reality. Since banks typically eat most of the money lost to credit card scams, ISTM they would be quite cautious with new tech. Also, I have read that a scanner will be confused by signals from two cards, so as they become popular - they may end up protecting each other.

I worry more ably the minimum wage wait staff that takes my card out of my sight…

If it is indeed made out of aluminum, then the RFID blocking is extremely good. The title says “alumina” but the description says “aluminum”. Alumina is aluminum ore. Not all that great for structural purposes, but probably dense enough to stop moderate radio waves. That might just be a typo or something.

The concern, given the weirdness of the description, is that it might not actually be made out of metal, but a plastic or some such with a metallic-looking finish. Depending on the nature of the finish, there might be a small to excellent amount of radio wave blocking.

As to the reality of remotely scanning/cracking RFID and other embedded chips, there are bascially three levels of concern.

  1. Just reading the RFID data, possibly still encrypted.
  2. Reading and decrypting the data.
  3. Modifying the data. Let’s call this a rare enough possibility and drop it.

Reading the RFID data is easy enough to do from some distance. I’ve seen stories on Slashdot where people claim distances as much as 30 feet.

Note, that with unencrypted data, this might be a concern. E.g., our library has RFID tags in their books. Someone could scan the info about what books you checked out of the library as you walk across a parking lot. This might be an issue for certain people in certain situations.

Even if the data is encrypted, the tag is unique and someone could track you or ID the type of RFID tag it is. E.g., stores could monitor your movement around the store, noting the places you stopped for a while and matching that with you when you check out. Lot’s of good data about you can be obtained that way (and later sold or stolen).

US passports now contain chips which can be easily spotted with the right gear. So wandering thru a crowd in Rome and there might be someone who can spot you as a US tourist. They don’t even need to break (which is doable) the encryption to just do only this.

Encryption is a crap shoot. A lot of it is poorly done. The encryption for passes on the Atlanta MARTA transit system has been cracked and people are selling “unlimited” transit passes. Lots of stories like that.

AFAIK, the encryption of chip credit cards has been cracked only with very specialized equipment in a lab. But that is “outside” the system. A modified legitimate card scanner can be used to scan a card from a passerby and ring up a bogus charge. The tech for this is on the same level as the ATM skimmers.

This is an American thing - right?

I don’t believe that any of the half-dozen cards in my pocket, or my passport or driving licence has one.

Some banks are now issuing contactless cards, which I assume are RFID. They have very limited credit and are intended for minor purchases. I prefer cash.

This is surprising. Pin-and-chip credit and debit cards are now the norm in Europe as well as several other countries. The US is odd for having magnetic stripe cards still widely used.

Note that just because you don’t know that a chip is on one of your cards doesn’t mean it isn’t there. RFID tags could be anywhere. There have been plans to put RFID tags in consumer goods such as tennis shoes for inventory tracking and loss prevention. (Not just on the box, but inside the actual item.)

Don’t assume you aren’t tagged. Don’t assume that someone isn’t tracking you. Don’t assume that the tracking data will be secure.

Some banks are moving into contactless payment but so far it is entirely voluntary for the user. My bank does not yet have them, and I have no need for it in any case.

New UK passports do have them.

My previous work, which is about as serious as it gets about security and has strong expertise in the subject, issues RFID protectors for badges.

:confused: This was precisely my point: you may regard the bank’s indifference to the issue as strong evidence that it’s not a serious threat.

I find this logic quite shaky. Corporations have done many things that turned out to be stupid because they didn’t think it through. The assumption that scanning RFID data is not a threat could well be blown sky-high because some Russian or Korean mob figures out a way to do it cheaply and efficiently.

That said, the evaluation of the threat is probably reasonable. Yes, some people will end up losing some critical information to a scan of their RFID credit cards, ID, etc. The real threat with things like RFID is not in theft of the data, which is already stolen by the bucketload elsewhere. (We had two cards compromised by the breach; one was only discovered because it was used for a fraudulent StubHub purchase.)

But as I understood it, the European-standard chip-and PIN cards are NOT the sort of “contactless” RF system some US firms are trying out, where just having it in the general vicinity of the terminal suffices – they still require contact with the reader device. Verification, please, Euro-dopers or Dopers from the industry?

I think US-side banks have experimented with chipped credit cards for a while. Wasn’t there one - maybe an Amex variant? - that had the chip visible in a transparent section of the card?

I don’t know how many chip readers were ever put into service (vs regular mag-stripe readers). But I’m pretty sure the number of both cards and readers here is non-zero.

Oh, sure, I have right here in the lockbox a Chase card with the little )))) glyph indicating it has a RF chip. But it is not the “Smartchip” that’s used for chip-and-PIN or chip-and-signature European-standard cards; it seems to be intended for some sort of “touch and pay” or “wave and pay” functionality similar to a London Subway Oyster or a DC Metro SmarTrip card.

For some reason someone has concluded that what we really want in America is to just hurry up in “yeah, whatever” mode waving our card at the POS terminal to not spend 10 seconds more at the checkout entering our PIN.

That’s what I mean - I thought someone issued a “smart chip” card here in fairly recent years.

Ka-ching! Have a cigar.

It’s not what *we *want. It’s what retailers want. We are in the final process of evolution to the “instant purchase” model, removing even that last small barrier to buying crap.

Purchasing convenience isn’t and never has been for the benefit of the consumer.