Contactless Payment Theft
06/03/2016 16 Comments
You may have seen stories in the news about contactless payment theft: how a criminal armed with a contactless card reader can merely brush against you and take up to £30 (the UK per-transaction contactless limit at the time of writing) from your contactless payment card without it ever leaving your pocket. It is worth considering how to protect your card against this kind of unsolicited RFID read.
You can decide that someone pressing a card reader against your wallet isn't a plausible crime (it is), or that it won't happen to you. Or you can be a little paranoid and buy a screened wallet or purse designed to block the RFID signal. They aren't cheap!
However, you can do it yourself with things you should already have around the house: gaffer tape and aluminium foil. Ideally you would use a sheet of fine copper mesh, which blocks the signal more effectively, but several layers of aluminium foil work well enough, blocking around 80% of the signal and leaving a contactless reader unable to complete a read through the wallet.
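As an added illustration that is not part of the original post: a first-order estimate of why a single sheet of foil is not enough and several layers are, using the skin-depth absorption loss of a conducting sheet at the 13.56 MHz carrier that contactless cards use. Everything in it is an assumption labelled in the code: textbook bulk resistivities, a typical 16 µm household foil thickness, and only the absorption term of the Schelkunoff shielding model (it ignores reflection loss, the open top and bottom of the wallet the post mentions later, and the detuning of the reader antenna by nearby metal, which in practice often kills the read on its own).

```python
import math

MU0 = 4 * math.pi * 1e-7   # permeability of free space, H/m
F_NFC = 13.56e6            # carrier frequency used by ISO/IEC 14443 contactless cards, Hz

# Assumption: textbook bulk resistivities at room temperature, ohm-metre.
# Foil alloys and mesh wire run somewhat higher, which makes the skin depth larger.
RESISTIVITY_OHM_M = {
    "aluminium": 2.65e-8,
    "copper": 1.68e-8,
}

# Assumption: typical household aluminium foil thickness (about 0.016 mm).
HOUSEHOLD_FOIL_M = 16e-6


def skin_depth_m(material, freq_hz=F_NFC):
    """Skin depth delta = sqrt(rho / (pi * f * mu0)) for a non-magnetic conductor.

    Field amplitude inside the metal falls by a factor e per skin depth, so a
    sheet thinner than delta lets a large part of the field straight through.
    """
    rho = RESISTIVITY_OHM_M[material]
    return math.sqrt(rho / (math.pi * freq_hz * MU0))


def absorption_loss_db(material, thickness_m, freq_hz=F_NFC):
    """Schelkunoff absorption loss A = 20*log10(e) * t/delta, in dB.

    Only the decay of the field inside the metal is modelled; reflection at the
    surfaces and leakage around the edges of the sheet are not.
    """
    t_over_delta = thickness_m / skin_depth_m(material, freq_hz)
    return 20 * math.log10(math.e) * t_over_delta


def field_fraction_through(material, thickness_m, layers=1, freq_hz=F_NFC):
    """Fraction of the field amplitude left after `layers` sheets.

    Absorption in each sheet multiplies, so the dB figures simply add.
    """
    total_db = layers * absorption_loss_db(material, thickness_m, freq_hz)
    return 10 ** (-total_db / 20)


def shielding_table(materials=("aluminium", "copper"), thickness_m=HOUSEHOLD_FOIL_M, max_layers=4):
    """Return {(material, layers): (loss_db, fraction_through)} for a quick comparison."""
    rows = {}
    for m in materials:
        for n in range(1, max_layers + 1):
            loss = n * absorption_loss_db(m, thickness_m)
            rows[(m, n)] = (loss, field_fraction_through(m, thickness_m, n))
    return rows


if __name__ == "__main__":
    for m in RESISTIVITY_OHM_M:
        print(f"{m:9s} skin depth at 13.56 MHz: {skin_depth_m(m) * 1e6:5.1f} um")
    print(f"household foil thickness: {HOUSEHOLD_FOIL_M * 1e6:.0f} um (less than one skin depth)")
    for (m, n), (loss, frac) in sorted(shielding_table().items()):
        print(f"{m:9s} x{n}: {loss:5.1f} dB absorption, {frac * 100:5.1f}% of field gets through")
```

Under these assumptions the skin depth of aluminium at 13.56 MHz is about 22 µm, so a single 16 µm sheet is thinner than one skin depth and lets roughly half the field amplitude through; three sheets bring that down to about a tenth, which is why the build folds the foil into several layers. Copper comes out ahead only because of its lower resistivity; the estimate says nothing about mesh, whose hole size matters as well, nor about the gaps at the edges of the wallet.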
Tools needed: one pair of scissors.
Start by laying out three strips of gaffer tape, roughly the height of your wallet and about 2.5 times its length. This will form the case for the foil.
Tear off a nice big piece of foil and fold it up, several layers thick, so it is a bit less than the height of your wallet. Make sure it is very flat.
Carefully place the foil onto the tape, fold the tape over the foil and trim the edges down so you have a neat, sealed packet.
Slip your RFID signal blocker into the notes section, and there you have it: one protected wallet. A reader pressed against it can no longer complete a contactless read in normal use, I have saved myself the price of a screened wallet, and I feel a little safer on public transport. Lovely.
OK – I know this is not my usual Oracle technical blog, and Heath Robinson inventions aren't my usual story, but I do have a client who makes these machines and I probably know a little more about them than most. I've had one of these RFID blockers in my wallet for a very long time.
Nice (and cheap!) protection! You are effectively creating a little Faraday cage for your cards (mesh does work better but we all have aluminium foil to hand, not so fine metal mesh!)
My OOW bag has an RFID-protected pocket on the back for putting your cards in. I can’t help but feel that the RFID part of that is a little OTT – if someone is managing to get an RFID reader near any cards held in there, they are doing so through the depth of the bag or my (slowly increasing) belly 🙂
Don’t underestimate the distance you can read an RFID! A customised (illegal) reader, with the power cranked up, could work several feet away.
There are many stories where a card in your wallet was read instead of the card being presented… I understand that at least one British retailer lowered the power of the readers back in 2013.
Ha – I thought I was being paranoid! I have the silver foil in the outermost notes section of my wallet
I used to use just silver foil, but it degrades too easily on its own – hence the gaffer tape.
Just because you’re paranoid doesn’t mean they aren’t out to get you…
Grinning @ a serious matter… Old fashioned Tinfoil to the rescue.
The quote on “paranoid” is a classic from catch-22, I think.
As for the “reader” problem, it is real, but.. how often does it occur ? big-data-monitoring anyone? maybe we can track hotspots where those readers are deployed…
and one solution is to use "foreign" cards: NL readers don't do Belgian cards, hence I go hungry in some canteens…
Paranoid? Yes – but from the 1970 film, not the book.
Not sure about Europe, but in Russia (which is in the picture from the news) you can't get a POS terminal without a huge list of prerequisites, including multiple identifications at a bank. Whenever somebody tried to use a POS terminal to steal your money in such a way, he/she would be caught very quickly and the terminal would be disabled from processing.
Well, if you are paranoid then there is no need to invent stuff – just place another similar card close to yours and it's going to be impossible to do the trick.
And stealing your wallet is still far easier than this.
If you don’t think it’s a problem, don’t worry about it. If you do consider it a potential problem, I’ve given you a 10p solution.
Perhaps having 2 cards – and getting card clash – might just result in getting both sets of information stolen.
Having worked with manufacturers of merchant acquirer and tokenization solutions, and with RFID tracked logistics systems, I’ll stick with my 10p solution thanks.
Neil, I'm sorry but I have to agree with Timur 🙂 The problem with POS devices is that they generally require a merchant agreement, which would make this very easy to get charged for.
So they cannot simply "steal" your money by walking around with a POS device. On the other hand, the static card data can be skimmed over NFC and used to create a clone card, which can be used at any POS device that supports wireless payments. Source: "Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless" (M. Roland and J. Langer).
Just because it’s difficult doesn’t mean it won’t happen, but thanks for the secondary card-cloning reason to do this too. 🙂
Interesting stuff.
Did you test your solution (if so what did the results look like?) or did it just go straight into production? 😉
It is a tested solution. You can test it yourself:
1. Ensure you have only one RFID/contactless card in your wallet and pay for something by putting your wallet on the reader. It should work. (Note: check for Oyster/work access/other cards.)
2. Purchase something else with the signal blocker in place. It won't work most of the time. You aren't shielding the top and bottom of your wallet, so there can be some signal leakage. It's about 80% effective in terms of signal blocking, which should keep you pretty safe.
Thanks, Neil.
I could test it myself if I had the inclination to make one (I don’t… not yet anyway), but 80% signal reduction is enough for 100% reliability (sorry, that’s what I was alluding to by asking about the testing)?
Does it irritate you when the posting that gets the most comments ISN'T about Oracle?
I know you’re not quite as old as me but I would have thought you’d still be from the Blue Peter and sticky-back plastic era, not this new-fangled Gaffer tape stuff.
It’s easier to have an opinion on this sort of thing than whether you should set INITRANS to 40 for every index in a system (don’t by the way – you’ll waste a lot of space for no reason)
Sticky-backed plastic is not flexible enough for my wallet. Metallised gaffer tape also adds to the Faraday effect.
Except, of course, the INITRANS doesn't take effect until you rebuild the index (which you hardly ever do, surely) and then you wonder why rebuilding the index makes it bigger!