Contactless Payment Theft

You may have seen stories in the news about Contactless Payment theft; how it is possible for a criminal to merely brush against you with a new contactless card reader and steal up to £30 from your contactless payment card.

You can either decide that pressing a contactless card reader against your wallet isn’t a plausible crime (it IS a plausible crime) or that you won’t be affected. Or you can be a little paranoid and go out and buy a screened wallet or purse, designed to block the RFID signal. They aren’t cheap!

However, you can do it yourself with stuff you should already have around the house – Gaffer Tape and Aluminium Foil. Ideally, you would have a sheet of copper mesh to use, as it’s even more effective at blocking the RFID signal, but several layers of aluminium foil work just fine – blocking up to 80% of the signal and rendering the contactless card reader ineffective.

 


Tools needed! 1 pair of scissors.


Start by laying out 3 strips of Gaffer Tape, roughly the height of your wallet and about 2.5 times the length. This will form the case for the foil.

Tear off a nice big piece of foil and start to fold it up so it is a bit less than the height of your wallet. Make sure it is very flat!


Carefully place the foil onto the tape and fold up the tape over the foil and trim the edges down so you have a nice neat packet.


Slip your RFID signal blocker into the notes section… and there you have it. 1 nicely protected wallet. No contactless theft possible and I have just saved myself £30 for a new screened wallet and feel a little safer when on public transport. Lovely.

OK – I know this is not my usual Oracle technical blog, and Heath-Robinson inventions aren’t my usual story, but I do have a client who makes these machines and I probably know a little more about them than most. I’ve had one of these RFID blockers in my wallet for a very long time.

16 Responses to Contactless Payment Theft

  1. mwidlake says:

    Nice (and cheap!) protection! You are effectively creating a little Faraday cage for your cards (mesh does work better but we all have aluminium foil to hand, not so fine metal mesh!)
    My OOW bag has an RFID-protected pocket on the back for putting your cards in. I can’t help but feel that the RFID part of that is a little OTT – if someone is managing to get an RFID reader near any cards held in there, they are doing so through the depth of the bag or my (slowly increasing) belly 🙂

    • Don’t underestimate the distance you can read an RFID! A customised (illegal) reader, with the power cranked up, could work several feet away.

      There are many stories where a card in your wallet was read instead of the card being presented… I understand that at least one British retailer lowered the power of the readers back in 2013.

  2. Dom Brooks says:

    Ha – I thought I was being paranoid! I have the silver foil in the outermost notes section of my wallet

    • I used to be just silver foil, but it degrades too easily on its own – hence the gaffer tape.

      Just because you’re paranoid doesn’t mean they aren’t out to get you…

  3. Grinning @ a serious matter… Old fashioned Tinfoil to the rescue.

    The quote on “paranoid” is a classic from catch-22, I think.

    As for the “reader” problem, it is real, but.. how often does it occur ? big-data-monitoring anyone? maybe we can track hotspots where those readers are deployed…

    and one solution is to use “foreign” cards: NL readers don’t do Belgium cards, hence I go hungry in some canteens…

  4. Not sure about Europe but in Russia (which is on the picture from the news) you can’t get a POS terminal without a huge list of pre-requisites including multiple identifications at a bank. Whenever somebody would try & use POS for stealing your money in such a way, he/she would be caught very quickly and the terminal will be disabled from processing.
    Well if you are paranoid then no need to invent stuff – just place another similar card close to yours and it’s going to be impossible to do the trick.
    And stealing your wallet is still way more easy than this.

    • If you don’t think it’s a problem, don’t worry about it. If you do consider it a potential problem, I’ve given you a 10p solution.

      Perhaps having 2 cards – and getting card clash – might just result in getting both sets of information stolen.

      Having worked with manufacturers of merchant acquirer and tokenization solutions, and with RFID tracked logistics systems, I’ll stick with my 10p solution thanks.

  5. Neil, I’m sorry but I have to agree with Timur 🙂 The problem with POS devices is that they generally require a merchant agreement that would make this very easy to be charged with.

    So they cannot simply “steal” your money by walking around with a POS device. On the other hand the static card data can be skimmed over NFC to create a clone card which can be used at any POS device which supports wireless payments, source: “Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless” (M. Roland and J. Langer)

  6. Adam Yardley says:

    Interesting stuff.
    Did you test your solution (if so what did the results look like?) or did it just go straight into production? 😉

    • It is a tested solution. You can test it yourself:

      1. Ensure you have only 1 RFID/contactless card in your wallet and pay for something by putting your wallet on the reader. It should work. (note: check for Oyster/Work Access/other cards)
      2. Purchase something else with the signal blocker in place. It won’t work most of the time. You aren’t shielding the top and bottom of your wallet, so there can be some signal leakage. It’s about 80% effective in terms of signal block, which should keep you pretty safe.

      • Adam Yardley says:

        Thanks, Neil.
        I could test it myself if I had the inclination to make one (I don’t… not yet anyway), but 80% signal reduction is enough for 100% reliability (sorry, that’s what I was alluding to by asking about the testing)?

  7. Does it irritate you when the posting that gets most comments ISN’T about Oracle ?

    I know you’re not quite as old as me but I would have thought you’d still be from the Blue Peter and sticky-back plastic era, not this new-fangled Gaffer tape stuff.

    • It’s easier to have an opinion on this sort of thing than whether you should set INITRANS to 40 for every index in a system (don’t by the way – you’ll waste a lot of space for no reason)

      Sticky-backed plastic is not flexible enough for my wallet. Metallised gaffer tape also adds to the Faraday effect.

      • Except, of course, the initrans doesn’t take effect until you rebuild the index (which you hardly ever do, surely) and wonder why rebuilding the index makes it bigger !
