EEVblog #889 - Credit Card RFID Theft Protection Tested

[retrolefty]

I really enjoyed this video especially using the test equipment and running of the experiments.

HOWEVER I do have one complaint. Over and over and over you repeated that this isn't RF but rather magnetic field being used. Not RF, not RF, ... But of course all RF is composed of both E-field and H-field components. RF loop antennas for example try to selectively use only the H-field to get better directivity for use in RF directional finding antennas. To state that magnetic coupling and RF coupling are somehow different things can be very confusing to beginners trying to properly learn RF fundamentals.

 So your intent was good but instead of properly explaining about the two fields comprising an RF signal, E and H,
you went the direction you did of stating that RF and magnetic fields are different things.

 

[Fraser]

In the technical security world we had a keen interest in the vulnerabilities of RFID Prox readers and cards. The 'long range' readers were considered too vulnerable to attack so very short range types were used that needed the card to be virtually resting on the reader.

I saw a demonstration in the early 2000's by Tektronix of one of their DSP DSO's capturing both the high speed and low speed handshaking and communications between the card and the reader. The DSO was capable of grabbing the whole handshake and comm's event. It could then disassemble the event into individual data bits, no matter what the change in bit rates during the link. The demo proved that that the Prox card data could be captured and cloned using a decent  DSO and appropriate antenna. Food for thought  It was a classic 'stand-off' attack that just required the Prox card user to present their card to the reader. The data was captured during the transaction with the card user blissfully unaware. Any card protection wallet is thus useless in this scenario.

Chip and PIN or Prox and PIN can be safer but cannot be considered invulnerable. That is why I would never consider such to be secure to Government security standards.

Why do banks take the risk ? Simple, they operate on the risk analysis models where the convenience to the customer rates high on the requirements and the vulnerability to fraud may be reduced to an acceptable level. Some people believe Banks use the best security available on the market. I will not say too much on that topic but consider the purely financial risk management that they MAY operate..... If a security vulnerability that could potentially cost them $100K a year costs $5 Million to counter, it is not unlikely that the Bank will run with the risk and just pay out to the victim when an attack occurs. That is just business. I always tried to educate the client that Reputation has a definite 'value' as well. It would seem the way to preserve your reputation in such a scenario is to just pay out to the victim without a fuss and deny, deny, deny. 

Fraser

[jitter]

What I find remarkable is that the layout of the gold pads of the security pinchip is also modified in comparison to the card without RFID. I saw this change when my bankcards got rfid and see it also on your card, there are circular antenna like thin golden traces added around the normal 6-8 pads.
Does anyone have any idea where they are for? Perhaps protection against the rfid field or also another nfc wireless communication channel?

I have a sneaking suspicion that they are just for show. My bank card (green) doesn't have them, yet it's an RFID. The orange card is a non-RFID bank card.
Despite the more elaborate looking contacts on the orange card, electrically they are not different from the green bank card.

[EEVblog]

So your intent was good but instead of properly explaining about the two fields comprising an RF signal, E and H,
you went the direction you did of stating that RF and magnetic fields are different things.

I didn't want to spend any time in this video explaining the details, apart from the fact that I thought it was important to offhandedly mention it's a transformer and not an antenna as a beginner might have thought it was.
Heck, you can spend several semesters at uni trying to understand near and far field theory etc.
To think I'd be able to explain something like that in a few minutes (or even 10 minutes) in a video not focused on that is just completely impractical, it would have confused beginners more than helped them I think.

[jitter]

I just tested the alu foil on my own bank card and found that it not only works when lying over the card, it also works lying under the card  (i.e. with no foil over it). So you don't even have to wrap foil around the card, a single layer in close vicinity is enough!

Not until you lift the card up about half a cm away from the alu foil will the NFC be able to read the card.

Does the alu foil reflect and those reflection interfere enough for it to become unreadable?

The effect of alu foil is  NOT shielding. RFID works by magnetic coupling, and alu is not magnetic. What the alu does is absorb energy due to eddy-current losses, severely damping the signal so not enough energy reaches the card to power it, so it doesn't matter where it is as long as it can absorb enough of the field energy.   Copper would be even better.

Thanks, that explains why the NFC started reading the card if the alu foil was below less than roughly three quarters of the card and I was holding the reader close to the part that had no foil under it.

[EEVblog]

For comparison, here is an X-Ray of a security access control Prox card.

That's a 125KHz ones, I fixed one of those here:

[AF6LJ]

Good Video, and a reasonably good explanation.
Just an observation; it seems as convince becomes greater our security is the price we pay.
/She who is wondering when someone comes out with an RFID jammer.

[jitter]

I wonder...
Since this thing is basically a transformer, what would happen if the transmitter were to output a much higher amplitude at the correct frequency? In other words: could you fry the chip in the card?

[EEVblog]

/She who is wondering when someone comes out with an RFID jammer.

I can buy one at the local JB-HiFi store. Which I might do for a teardown and test.
Silly idea though, just use al-foil.

[SeanB]

High power RF would kill the card, so it might not be a good idea to go up an AM or FM transmitter with a NFC card or reader ( phone) in your pocket, as it likely will get enough RF coupled into it for long enough to heat up the card chip as the protection diodes conduct to clamp the voltage. Don't really want to place one in front of a cellular base station antenna either, as the high RF field there will also cook it.

Same with putting it in a microwave oven, though there it will blow the coil to pieces as well as it rotates through the antinodes.

[Electra]

I posed a reply on the video but I never get much response there, maybe there would be more interest here.
As far as I know, because it's a transformer action, these 'shields' act as much like a shorted turn as magnetic shielding, taking the energy the card requires and turning it into heat.

The photo shows a a 'loop' of aluminium sheet(flashing) just wide enough to cover the antenna works as a great shield for my Go Card(A Myfare Classic), but one with a break in it(Still overlapping, but insulated with some tape) doesn't do anything to stop the reader.

I believe as a result of this the more conductive the material the better it would work in this application. I wish I had a piece of ferrite large enough to test this further.? I suspect that wouldn't stop the reader.

The black card is a NFC/RFID test card from Dangerous Things(https://dangerousthings.com/shop/rfid-diagnostic-tool/?) that shows the HF(coil around the outside) and LF(inner coil) of a typical card.

[EEVblog]

I posed a reply on the video but I never get much response there, maybe there would be more interest here.

Youtube comments isn't the place for detailed discussions.

[saturation]

Readers who want to duplicate Dave's tests can make a poor man's near field probe by making a loop with a DSO probe's ground lead, more loops more gain, and clip the alligator end to the tip.  Then just follow Dave's video where he uses the near field probe, and enjoy.

You can get better results with the foil shield by making it a loop, not just a flat barrier, to act like a Faraday cage.

 

[RobK_NL]

Who, these days, has only one NFC capable card in their wallet?

Personally, I have five and, frankly, it took me a while to figure out why I had to take out my public transport card after I had been issued a new bank card.

[nctnico]

How about having coins in your wallet? It would be interesting to know whether they work as a shield as well.

[apis]

Why do banks take the risk ? Simple, they operate on the risk analysis models where the convenience to the customer rates high on the requirements and the vulnerability to fraud may be reduced to an acceptable level. Some people believe Banks use the best security available on the market. I will not say too much on that topic but consider the purely financial risk management that they MAY operate..... If a security vulnerability that could potentially cost them $100K a year costs $5 Million to counter, it is not unlikely that the Bank will run with the risk and just pay out to the victim when an attack occurs. That is just business. I always tried to educate the client that Reputation has a definite 'value' as well. It would seem the way to preserve your reputation in such a scenario is to just pay out to the victim without a fuss and deny, deny, deny. 

That's part of the explanation. But over here the supreme court has also made it the responsibility of the card user to prove that they have taken appropriate security measures to protect the card information. So there is absolutely zero risk for the banks and consequently they have zero interest in improving security unless it becomes a publicity problem and people stop using the cards.

[smithnerd]

Contactless payment in my bank card?

Bugger that...

[Alexei.Polkhanov]

I have an opposite problem with my Credit Card. I actually do use, and I like using RFID "Tap" payment to pay for my lunch and groceries, but 2 weeks ago I went to US and I think it happen at the corner store in Miami - stupid self checkout machine zapped my card and voila RFID does not work anymore. It is only an educated guess about when it happened.

Now I am very curious to find out HOW and WHY...

Does anyone have similar experience?
This kind of misfortune happened to me second time - am I just unlucky?
Is there some kind of incompatible technology that can damage RFID cards? How do I identify and avoid it?

[tszaboo]

For comparison, here is an X-Ray of a security access control Prox card.

Fraser

Judging by the amount of wire, that's a 125khz one

For sure. I was working on a 125Khz reader years ago. It is amazing what you can do by slapping enough voltage on the coil, even if it is this size. A typical door entry system, you need to put the card maximum 1-2cm from the reader, mine was able to read a flying card (thrown above it) from 10-15 cm. The 125 KHz cards are bulkier, they need a lot of turns on the coils, so the card is typically 3-4 mm thick, not the usual credit card.

[mikeselectricstuff]

For comparison, here is an X-Ray of a security access control Prox card.

Fraser

Judging by the amount of wire, that's a 125khz one

For sure. I was working on a 125Khz reader years ago. It is amazing what you can do by slapping enough voltage on the coil, even if it is this size. A typical door entry system, you need to put the card maximum 1-2cm from the reader, mine was able to read a flying card (thrown above it) from 10-15 cm. The 125 KHz cards are bulkier, they need a lot of turns on the coils, so the card is typically 3-4 mm thick, not the usual credit card.

You can easily get 125K cards at standard thickness.

[Fraser]

The Prox card I imaged is standard credit card thickness.

The long range readers are able to read it a distance of around 12cm but the more secure short range versions only work within around 5mm of the readers surface.

I am pleased to see that the bank cards use a different version that is very short range. The needs of contactless payment cards and RFID access control are somewhat different in terms of range and convenience.

Fraser

[Halcyon]

Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.

Perhaps in your country but certainly not in Australia.

It's actually true, even in Australia. My card has "This card remains the property of ***** Bank" printed on the back.

That said, they aren't going to give two shits what you do with your card.

Who, these days, has only one NFC capable card in their wallet?

Personally, I have five and, frankly, it took me a while to figure out why I had to take out my public transport card after I had been issued a new bank card.

True but it won't prevent a crook from reading your card. As Dave mentioned in his video, this technology has anti-collision protocols so other cards don't interfere with one another. The reason why card readers at train stations or EFTPOS machines throw up an error or refuse to read when presented with more than one card, is it doesn't know which one you intend it to read, not that it isn't capable of actually reading both cards.

Many people have a debit card and a seperate credit card, both with NFC capabilities. If you just tap your entire wallet when making a payment, how do you tell the machine which card to use? You can't, therefore it won't accept it until you use only one card.

[photon]

Interesting video and discussion. Thanks.

[Someone]

Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.

Perhaps in your country but certainly not in Australia.

It's actually true, even in Australia. My card has "This card remains the property of ***** Bank" printed on the back.

That said, they aren't going to give two shits what you do with your card.

I checked several cards from different banks and their contracts, no clauses or claims of ownership were made in any of them. You might want to change banks!

[sakhmatd]

Please note that bank cards are not your property, but the bank's. Messing with them may cause them to be not amused.

Perhaps in your country but certainly not in Australia.

Is that really true? I've tried looking around for proof of that, but couldn't find any.

Most of the world, to my knowledge, prefers to keep bank cards as properties of the bank itself and there would be a clause about this on the bank card itself. Australia has it pretty nice if that is not the case there.

I sincerely doubt the bank would really mind you drilling a small hole through it though. You could probably rule it out as an "accident".