"Tap Here" on credit machines at McDonalds

I work with security card readers; with more power used, you can extend the range of those to several feet easily. The card readers we use at automated gates will read 3 to 4 feet without any modifications.

Admittedly, I know nothing about these new credit cards and their readers, but it would make me a bit nervous.

  1. As has been mentioned, the system is far from perfect. Errors and deliberate “mods” can make misuse of your card trivial. Note that there are a lot of fake/modded ATMs out there that drain people’s accounts. But that requires you to actually insert your card and punch in your PIN. RFID cards can be “scanned” while still in your pocket. That’s scary.

  2. RFID chips can be easily tracked. Think in terms of 100 feet. Just one RFID tag in your wallet allows a store to track you throughout the store. They know when you enter, when you leave, what aisles you walk down. You buy something with a credit card, they now match up the RFID tag with YOU. Even if you buy a tube of lube later with cash, they’ll know it’s you. Of course, the big money with that data is to sell it. So a big Equifax-like company accumulates a tremendous amount of data on you.

There are so many nightmare scenarios that can arise from this it would be impossible to summarize even a fraction of them.

Take this example: You are checking in at the airport. It turns out that you spent 5 minutes in the Muslim book aisle at a bookstore 5 months ago. You miss your flight because you’re in the “interview” room with TSA hardasses for the next 5 hours.

Note that laws and policies don’t matter. Most of the bad stuff done with information is done by people who are stupid, lazy or immoral.

E.g., your soon-to-be-ex-spouse has a friend who works at the company with all this information. An under-the-table favor is exchanged. His/her lawyer can make you look really bad by selectively culling the data. The ex, of course, is a far worse character but you don’t have the comparable data.

Or, the people in India working for the company decide to make copies of all of it, make CDs and the next thing you know, a lot of your personal info is for sale on the streets of Moscow. (Such CDs for identity theft are already available.) These people don’t think twice about blackmail.

And that’s just “corporations”.

Freelancers can also track people easily. They have even worse ethics (hard to imagine).

DVD encoding has been cracked.
WEP has been cracked.
Bluetooth has big holes.
DES can be cracked with effort.
MD5 is no longer considered secure and is being phased out.

We don’t know what NSA has cracked.


Yes, the ordinary credit card system is hardly secure (and the whole banking system is a joke).

But at least you have to take the card out of your wallet.

You also know when you have one.

Do you know if there is an RFID tag in your new pair of Nikes?

I didn’t even know that the Republic of South Africa had an encryption scheme and why does the Royal and Ancient care about it? Were you sandbagging on your handicap?

Okay … if fraud is so easy and inevitable, why isn’t any of this being considered by manufacturers of chips and readers? Or is it?

Many of the problems we see with the technology are seen as big features by the manufacturers. They WANT everything tracked.

Of course it is also in their interest to play down the possibilities of fraud.

OK, will keeping RFID cards in an Altoids tin keep them from randomly being queried? What will?

Fraud isn’t anticipated and forestalled because people get excited and want to go with the new shiny thing and wishful thinking takes care of any trepidations the reasoning mind might experience.

At DefCon this summer, a modified Yagi amp (one of which, BTW, can be built for pence out of a Pringles can) was used to Bluesnarf a Nokia phone from a range of 1.1 miles away. The entire contents of the phone’s contact list was snagged along with text messages. The same basic setup used with a computer can be used to hijack a Bluetooth phone to make long distance calls.

RFID has similar security issues and the companies who market the devices pooh-pooh the vulnerabilities hoping to cash in quick before it becomes widely known. Even a cursory Google search of “RFID security vulnerability” turns up what is commonly known as a shitload of pertinent hits. It’s not a good idea as it is right now, and I think it’s valid to be wary of unwarranted and unwelcome information gathering and tracking, especially when it’s disguised as something beneficial and we pay for it. Talk about being forced to kiss the whip… :rolleyes:

Think of it in terms of what the system is designed to do. Working as designed: I buy a Big Mac from McDonald’s, and pay for it by passing my credit card close to the restaurant’s reader. The McDonald’s, by virtue of my card passing close to the reader, is able to get a couple of bucks (the price of the Big Mac) out of my account.

Now consider the implications for a thief. My credit card passes close to a thief’s reader (perhaps by walking past him down the street, say). Why can’t the thief do the same thing McDonald’s just did, and transfer the price of a Big Mac out of my account? Or, for that matter, the price of a Buick?

Nuke 'em. One or two seconds in the microwave and the RFID tag is toast. The mag stripe on the back isn’t conductive and won’t be affected. The hologram might spark a little, though.

Awesome!

I’m nuking my credit cards when I get home (if I remember).

Can’t be too careful these days.

Quick: someone start a company that manufactures wallets and purses that are opaque to radio waves. I know a Faraday cage will do the trick; can that be scaled down to something lightweight and flexible enough to be put into a wallet lining? Or does a cage require grounding to work? If we can jump on the RFID paranoia bandwagon (although what’s the word for paranoia when there are actually people out to get you?), we can make a mint. :slight_smile:

I’ve got a bit of passing familiarity with RFID since the company I work for has a division working on processing software to collate RFID information (although mainly in retail distribution / warehouse environments).

There are “active” RFID transponders which have their own power source built in. When they receive a trigger signal, they transmit their ID. This is what’s used for systems like IPass / EZPass for automated tollbooths. Since they have more transmitting power, these have a relatively large range (100 feet or more, IIRC).

Then there are “passive” RFID tags. These get charged by a power signal (I’m assuming with some sort of semiconductor capacitors in the RFID chip), which is then used to transmit the signal. Due to the lower power, they have a shorter range. I can’t remember exact numbers off-hand, but it probably maxes out in the area of 10-20 feet, although factors on the chip and reader can be tweaked to set this just as short as the manufacturer wants. That being said, I’d assume that some sort of modification could be done to a reader (up to a point) to boost sensitivity. I’ve noticed these on things like books; it’s a flat stick-on circuit with a winding “wire” (the antenna), and is probably what’s being included in the “blink” cards.

As a consumer, I basically see it as a tradeoff between convenience and security. Is “blinking” the card more convenient than swiping the magnetic strip? Maybe a little. Is that worth the possibility of subjecting myself to even more data collection on my private life, with the likelihood of data mining increasing as this system gets wider use? Not for me. As long as magnetic card readers are still in use, I’ll stick with non-RF cards. Or, if non-RF is not an option, nuke the suckers (sweet tip, QED).

And I did come across a pretty well-written Wikipedia article on RFID: http://en.wikipedia.org/wiki/RFID

You could probably burn 1 or 2 calories a day swiping your card during a busy shopping spree. Good to see that the RFID card is relieving us of that burden.