Have you ever thought about the possibility that a thief can steal information from your contactless payment cards, even if they are inside your wallet or purse? An increasing number of newly issued credit and debit cards now contain an embedded chip that transmits information from the card via a short-range radio signal when the card is close to a contactless payment terminal or device. Contactless payment cards contain an embedded NFC chip that can receive and send information via NFC radio signals.
An RFID-blocking wallet helps prevent malicious parties from collecting information from your contactless cards or making fraudulent purchases. The wallet blocks radio signals from nearby devices masquerading as contactless Point-of-Sale terminals.
Is RFID the same as NFC?
One may wonder why the wallets are called RFID-blocking wallets when contactless payment cards use NFC radio signals. RFID stands for ‘Radio Frequency Identification’, whereas NFC stands for ‘Near Field Communication’. RFID is a one-way communication method, whereas NFC is a two-way communication method. RFID works over longer distances than NFC. RFID-blocking wallets both RFID and NFC signals.
Why are contactless cards becoming popular?
When you make a contactless payment, your card transmits information to a Point-of-Sale terminal using radio waves. Contactless cards use a radio wave technology called NFC (Near Field Communication). NFC radio signals are reasonably secure since they have a short range of up to 4 cm. The short range reduces the likelihood that an eavesdropper will be able to intercept the radio signal and steal your personal information.
One of the benefits of contactless card technology is that it can speed up the checkout process at a store. A shopper can tap or wave their NFC payment card on or over an NFC-enabled Point-of-Sale terminal to complete a purchase rather than inserting the card into the reader.
Some access cards, travel passes, electronic devices such as cell phones, and government identity cards also contain NFC chips.
This article will primarily focus on a discussion of NFC payment cards. Even though the transmission range of an NFC radio signal is quite short (up to 4 cm), an attacker could theoretically exploit vulnerabilities in the NFC technology and steal your personal information, even if they cannot touch, see, or swipe your card.
How do I know if I have an NFC payment card?
If you have to insert your payment cards into a Point-of-Sale terminal to pay for goods at a store, you probably don’t have any NFC payment cards.
The next time your financial institution sends you a new payment card, check to see if it has a wave symbol printed on either the front or back of the card. If you see this symbol on one of your cards, you can be sure that the card has an embedded NFC chip.
You can still use an NFC payment card like a regular payment card. If you prefer, you can swipe or insert your card into a Point-of-Sale terminal to make a purchase or provide the account number, expiration date, and CVV code to a merchant.
How does an NFC payment card work?
A shopper can make a contactless payment by tapping or waving an NFC payment card over an NFC-enabled Point-of-Sale terminal.
For the payment to succeed, the payment card needs to be no more than 4 cm from the Point-of-Sale terminal. The Point-of-Sale terminal transmits an NFC radio signal known as a ‘solicitation request’ when it is ready to accept a payment. The NFC chip on the payment card receives the request signal and responds by transmitting an NFC radio signal containing the following account details stored on the payment card:
- Card Number
- Expiration Date
- Issuing Bank
- iCVV
The iCVV is a unique code that an NFC payment card generates for each contactless payment transaction. It is only valid for one payment transaction. The iCVV is different from the CVV code typically printed on the back of your payment card. The iCVV is only applicable for contactless payments. Your financial institution uses it to validate the payment request.
When the Point-of-Sale terminal receives the account information from the card, it transmits it to the financial institution for verification. The financial institution then verifies the information and either authorizes or denies the purchase.
How can information be stolen from an NFC payment card?
The probability of a thief being able to steal information from your contactless payment card by placing a fake Point-Of-Sale device close to the card is extremely low.
Some products on the market can read information obtained from NFC devices. Android applications that read data from contactless payment cards can be downloaded from the Google Store.
However, our research has only found theoretical scenarios in which a successful attack resulting in fraud could occur. Implementing these scenarios in reality is most likely unrealistic. The following hypothetical scenarios exploit potential vulnerabilities in NFC payment card technology:
- Primitive NFC Payment Card Skimmer Attack.
- Advanced NFC Payment Card Skimmer Attack.
- NFC Payment Card Eavesdropping Attack.
- NFC Payment Card Relay Attack
- Compromised NFC-enabled Point-of-Sale terminal
Primitive NFC Payment Card Skimmer Attack
The Attacker needs to be able to position an NFC card reader device within 4 cm of an NFC payment card to perform the attack. It is surprisingly easy to acquire these devices. For example, NFC payment card reader apps are readily available for Android Smartphones that can read account information from NFC payment cards. Many apps on the Google Play Store won’t display the iCVV from the credit card. However, apps from other websites can read the iCVV. Sophisticated attackers can build a custom app or even a custom device to capture this information.
An attacker in a busy shopping mall or an airport may brush against a victim and position the NFC payment card reader device close to a pocket or a purse. The victim may be at risk if they are carrying an NFC payment card.
The Attacker then activates the NFC payment card reader device, which causes an NFC Solicitation Request signal to be transmitted.
If the payment card is within close enough range, the embedded computer chip will assume that the solicitation request has come from a Point-of-Sale terminal.
The computer chip transmits an NFC radio signal containing the payment card information, which is received by the Attacker’s NFC payment card reader device.
The Attacker will have succeeded in stealing the card number, the card expiration date, and the issuing bank. Depending upon the app or device used to perform the attack, the Attacker may also have captured the iCVV.
An Attacker may need more information from the attack to perform a fraudulent purchase with online or other merchants. Most websites and merchants require a CVV to make a payment card purchase, although this is not an absolute requirement according to Chase.
In the case that an attacker finds a web site or merchant that does not require a CVV, it might be possible to make a fraudulent purchase if additional security measures to verify the identity of the cardholder are not in place.
Advanced NFC Payment Card Skimmer Attack
The Advanced NFC Payment Card Skimmer Attack requires an NFC Payment Card Reader that can replay payment card information captured from one or more solicitation requests. Smartphone apps that can replay solicitation requests are not available on the Google Play Store, but they are available on other websites. A software developer with appropriate knowledge could create a suitable Smartphone app.
The Attacker positions the skimmer device close to the victim’s NFC payment card. The skimmer device transmits one or more NFC solicitation requests to the payment card. A response is returned to each solicitation request, containing the victim’s payment card details, including the iCVV.
The skimmer device app records all of the information received from each response. The Attacker can use the payment card information captured from each solicitation response to make a single contactless payment transaction.
To make a fraudulent purchase, the Attacker pays for goods at an NFC-enabled Point-of-Sale terminal using the Skimmer device. When the Skimmer device receives an NFC solicitation request from the Point-of-Sale terminal, the device retransmits the payment card details (including the iCVV) captured from the oldest solicitation response.
If the Skimmer has collected additional solicitation responses, the Attacker can use each solicitation response to make a purchase. The Skimmer replays the next oldest solicitation response when it responds to the solicitation request from the Point-of-Sale terminal.
For this attack to succeed, the Attacker must make all fraudulent purchases before the victim has an opportunity to use their payment card to make a legitimate contactless payment. The iCVV used in a contactless payment transaction includes a sequence number component. Financial institutions reject payment transactions from contactless cards if the iCVV is out of sequence.
NFC Payment Card Eavesdropping Attack
The NFC Payment Card Eavesdropping Attack is similar to the NFC Payment Card skimmer attack, but targets multiple NFC payment cards.
The Attacker hides a small electronic device close to an NFC-enabled Point-of-Sale terminal. The device contains an antenna that is capable of receiving NFC radio signals. It can also transmit captured payment card information to another computer.
When a shopper is ready to pay for their goods, the Point-of-Sale terminal transmits an NFC solicitation request signal. If the customer chooses to make a contactless payment, their NFC payment card responds with an NFC radio signal containing the payment card details.
The Eavesdropper device also receives the payment card details and transmits the information to another computer (using a wireless internet connection).
NFC Payment Card Relay Attack
The NFC Payment Card Relay Attack enables an Attacker to use information skimmed from a victim’s payment card to make one or more fraudulent contactless payments. The Attacker can use information collected from an NFC payment card, including the iCVV, to make a fraudulent purchase at a store. The attack is quite sophisticated and requires at least two NFC devices as well as careful coordination between two attackers.
To prepare for the attack, one of the attackers (the Skimmer), positions themselves close to a victim in the hope that they can skim payment card information from a pocket or purse. This person carries an NFC Payment Card Reader device. The second Attacker (the Shopper) has an NFC reader device such as a Smartphone, that emulates an NFC payment card.
When the Shopper is ready to pay for goods at an NFC Point-of-Sale terminal, they contact the Skimmer to prepare for a Skimming attack on a victim. The Shopper positions the NFC relay device close to the NFC-enabled Point-of-Sale terminal. The NFC Relay device receives the NFC Solicitation signal from the Point-of-Sale terminal. It sends a command over a wireless internet connection to the Skimmer’s NFC Payment Card Reader to transmit an NFC Solicitation signal.
The victim’s NFC payment card responds by transmitting the payment card information, which is read by the Skimmer’s NFC Payment Card Reader. The Skimmer’s NFC Payment Card reader then sends this information back to the Shopper’s NFC Relay device via a wireless internet connection. The NFC Relay device relays the payment card information, including the iCVV, to the NFC Point-of-Sale terminal. The sequence of events occurs in a fraction of a second. The NFC Point-of-Sale terminal processes the payment information and approves or denies the purchase.
The notion that the Shopper and the Skimmer would be able to exercise the precise coordination required for this type of attack might seem a little far-fetched in this example. However, a custom-built NFC reader device or Smartphone app could skim and store the victim’s credit card information beforehand.
Compromised NFC-enabled Point-of-Sale terminal
An Attacker who can re-program the software on a Point-of-Sale terminal can skim payment card information from each transaction.
For this attack, a computer hacker modifies the software on the Point-of-Sale terminal to send a copy of the information from each payment card transaction to their computer.
The seriousness of the breach depends on how much control the Attacker can gain with the compromised software. If the Attacker can only skim payment card information from contactless payment transactions, the iCVV codes are useless. However, if the compromised software can capture payment information from all cards, regular (non-NFC) payment cards are also vulnerable.
The Compromised Point-of-Sale Attack is not just theoretical. It has happened in practice. There are documented cases of credit card breaches that have occurred at retail stores in the U.S. due to Compromised Point-of-Sale attacks. However, a Compromised Point-of-Sale attack is not unique to NFC payment cards.
All payment cards, including contactless cards, may be at risk from this type of attack.
Has contactless payment card fraud due to compromised NFC ever occurred?
Very little evidence suggests that modern contactless payment cards have been compromised due to vulnerabilities in NFC technology.
We found some articles suggesting that in the past, NFC attacks might have occurred or that an attack might have been possible.
This video from Channel 4 News in the UK contains a segment that illustrates how a thief may be able to perform a fraudulent transaction on some websites, using information stolen from a contactless card. Please note that the video was created 11 years ago, in 2012 when NFC payment card technology was still in its infancy. Recently issued contactless payment cards no longer store the account holder’s name in an NFC tag on the card:
This video from ABC News, produced 7 years ago (2016), mainly discusses fraud committed by physically skimming payment cards. It does contain a small segment on NFC payment card fraud starting at approximately the 4-minute mark.
Summary
- According to our research, the risk of fraud due to vulnerabilities in NFC payment card technology is very low.
- In our opinion, an RFID-blocking wallet is not essential. However, if you can find an RFID blocking wallet that you like and that meets your needs, why not have the extra protection?
- An RFID-blocking wallet might prevent your cell phone from sending and receiving signals, if the cell phone is placed close to the wallet.