I’ve actually designed systems using RFID, so I have a fair amount of experience with them.
In the old days, RFID tags were simply RF diodes tuned to specific frequencies. You “programmed” the tag by cutting out diodes of different frequencies to make a bit pattern that corresponded to the number of the tag. The bigger the number you need, the more RF diodes you need. I’m not aware of anyone still using this old technology.
Modern tags tend to have a semiconductor chip in them. This is not a general purpose processor of any sort. These are dedicated microchips that basically provide the functionality of the chip and nothing else. All they basically do is wait for a coded signal to come in, and if they receive a valid signal, they send a coded data stream back out. Basically, all you get is a number.
To oversimplify it a lot, it works kinda like this:
Tag reader sends out a number: 12457132
Tag accepts this number, and responds with its own: 847385628
And that’s it.
The numbers are actually longer than that, and the security algorithm is a little more complicated than that (actually sometimes it’s a lot more complicated than that), but that’s the basic gist of it.
The only real programming you can do to it is to encode the number that you want onto the tag, and with some of them you can’t even do that.
Also, the RF interface on the tag is very specific. A phone doesn’t have the right kind of interface to talk to it.
There are two basic types of tags, beam powered and battery powered. Most are beam powered, which means that the tag uses the incoming radio waves to charge up a capacitor. Once the capacitor is charged, the silicon chip switches on and the tag does its thing. The battery powered ones don’t need to charge anything up, and because they have a battery, they can transmit a much stronger signal. Beam powered tags have to be very close (a few inches at most) to the reader to work. Battery powered tags can be mounted on the sides of rail cars, shipping containers, trucks, etc. and can be read from 10 to 20 feet away. Cell phone protocols not only don’t match up in any way, they don’t even follow the same type of algorithm. So they don’t even work anywhere near close to the way that the tags work.
I’ve also dealt with classified materials and classified and secured computer systems (I work in industrial control these days, and having a virus take control of a system that is controlling the production of something like phosgene gas would be a very bad thing). Secured systems have what they call an “air gap”. There is no physical connection between that system and the outside world. There is no way to transfer anything to that system from a phone, card reader, or anything else. However, the big security problem for these systems is flash drives. Someone needs to transfer a file from somewhere else (like a patch received from the control systems manufacturer) so they need some way to transfer the file over from their unsecured e-mail system to the secured system. So they reach in their pocket, pull out their handy-dandy flash drive that they also used at home, and they transfer a nice bit of malware from their home system to the secured system. Then they call up the folks who make the control system (my company) and ask why their control system is suddenly a bit sluggish, and we discover that whatever malware they accidentally installed is flooding their network with traffic as it looks for other computers to infect. True story. Fortunately, they were a company producing fairly benign materials. I won’t say what product they make, but they weren’t one of our customers that processes nuclear bomb materials or expensive pharmaceuticals or chemicals that end in -ene (why is it that everything that ends in -ene tends to be really, really bad?).