How Easily Can Data Be Stolen from RFID Credit Cards?

By RFID Journal

  • TAGS
Ask The ExpertsHow Easily Can Data Be Stolen from RFID Credit Cards?
RFID Journal Staff asked 7 years ago

I am trying to provide a friend with sufficient and correct knowledge about security. It has to do with the chips on RFID-enabled credit cards in the United States. My friend is paranoid about range detection. I said not to worry much. I checked your FAQs, but the only reference there is to passive chips that have a range of 3 feet or less; then it depends on the tag and reader.

What size of device would be required to have the power to grab one's information from a passive chip from, say, a distance of 3 feet or less? Would it be the size of an iPhone or a large 2-way radio? My friend is going to be traveling by train and subway in Europe, and is freaking out over data being stolen, such as on rides with large crowds. Any enlightening information would be helpful.




The passive RFID tag in your friend's credit card is an HF tag based on the ISO 14443 air-interface protocol, which limits the read range to a few inches, for security reasons. RFID credit cards are actually much safer than conventional magstripe cards. With a magstripe card, you a hacker could easily capture the information stored on the magnetic stripe and create dozens of cards that are exact duplicates. These could then be used online or in person.

With an RFID-enabled credit card, there is a CVV on the back that works for conventional magstripe purposes (if a retailer does not have an RFID reader), but the electronic CVV is dynamic. So let's say someone read the information off a card. If he or she tried to create and use a physical card, that would not work because the electronic CVV would be different from the physical one and the purchase would be rejected by the issuer. If that person tried to use the electronic CVV online, that would not work either. For online purchases, you must use the CVV on the back of the card.

If the person created a duplicate card with the electronic CVV in a chip, it would work only once. After that, the dynamic CVV written to the card would not match the RFID tag ID in the card and it would be rejected (see Are RFID-Enabled Credit Cards Safer Than Magstripe Cards?).

If your friend is stilled worried after perusing the above article, I would suggest that he or she wrap the credit card in tin foil while traveling. This will prevent anyone from being able to scan information from the card's RFID transponder.

—Mark Roberti, Founder and Editor, RFID Journal

Previous Post