Reading RFID cards from afar easily

RFID hacking has been around for years, but so far all the builds to sniff data out of someone’s wallet have been too large, too small a range, or were much too complicated for a random Joe to build in his workshop. [Adam]‘s RFID sniffer gets around all those problems, and provides yet another reason to destroy all the RFID chips in your credit cards.

The project was inspired by this build that took a much larger RFID reader and turned it into a sniffer capable of covertly reading debit cards and passports from the safety of a backpack or briefcase. [Aaron]‘s build uses a smaller off-the-shelf RFID reader, but he’s still able to read RFID cards from about a foot away.

[Aaron]‘s build is very simple consisting of only an Arduino and SD card reader. [Aaron] is able to capture all the data from an RFID card, write that data to the SD card, and emulate a card using his RFID cloner.

What’s really impressive about the build is that [Aaron] says he’s not a programmer or electrical engineer. His build log is full of self-denegration that shows both how humble [Aaron] is and how easy it is for anyone with the requisite skill set to clone the bank card sitting in your wallet. We don’t know about you, but you might want to line your wallet with aluminum foil from now on.

34 thoughts on “Reading RFID cards from afar easily

  1. How would one go about destroying the RFID chip in one’s credit cards without leaving any evidence of tampering with the card? I was thinking maybe some kind of over-current using some coils hooked up to a very strong power source might do the trick. Anyone have a project that does such a thing?

    1. I’ve seen a video before where someone discharged a camera flash cap through a coil of 3 or 4 turns to destroy the rfid chip

      1. @ Mike: Neutralising a US passport HAS to be done without damage to the passport otherwise they could get upset.

        I used a microwave oven, with a mug of cold water in with the passport, and it worked fine.

        The best method is to place the passport on a thick piece of metal, covered by a slightly thinner peice of metal then whack the thing a few times with a 4 pound hammer.

        Very hard to discern the damage except when TSA keeps on swiping your passport – with no success.

    2. Use a degaussing ring perhaps or as large an EMP as you can produce, perhaps. My theory is that you could try to fry the circuit that way (if you can’t get to it to cut the wires). Perhaps it would work if you put the card on an induction hob. I might try this when I get home actually.

    3. I suggest you don’t bother. The only thing this code gets is the ID number of the bank card, which is basically useless for anything. The actual banking stuff is behind a lot of encryption. Just because someone has the email address you use for facebook it doesn’t mean they can frape you. to get access to a card would take very many tries so unless you’re holding your card up to something for a few hours at a time I wouldn’t worry about it.

      if you want to kill the rfid, you can put it next to another rfid card to temporarily disable it, or look online to see pictures of where the chip is and use a hole punch to knock it out. You might as well cancel all direct debits if you’re that paranoid. They’re basically blank cheques right there.

  2. The pickup coil is usually routed around the edge of the card. Just cutting a slot 5mm in the card egde should cut that coil and disable rfid. Rfid for credit cards must be the worst idea ever…

    1. Modern bank cards use NFC chips that take up only a small area inside the card and are difficult to locate. They are also encrypted and difficult to read from long range.

  3. This project has nothing to do with cloning contactless smart cards (EMV Contactless/MIFARE) and is basically cloning the fixed ID HID cards used for building access/security which have been known to be incredibly weak. Next time read the article before making sensationalist comments on the insecurity of RFID enabled bank cards..

    1. Which is, while not covered in this hack, still true. If you watch videos from Defcon you will learn that all you need is an of the shelf contactless credit card reader to peel off all the sercurity measures implemented and get nice formated CC data ready to be burned onto magnetic strip.

    2. They may use whatever encryption they want – it’s just a matter of time before someone breaks it… Ok, it may take a looong time with some encryption technologies but I still think it’s a bad idea with contactless credit cards…

  4. I asked the local branch of Chase Bank to send me a version of their credit card without their “blink” rfid feature and they said they will. I agree, it is a stupid idea.

    1. Just take off you tinfoil cap and use it in the proper place – to wrap your passport and bank cards.

      PS. Sorry for reporting post, but that link is located in absolutely counterintuitive way.

  5. I dont know much about the ultra-techy principles of this whole project but I feel like there should be an easy way to increase the range of this system. Whats standing in the way of making this “relatively” simple?

  6. Ok I just realized why the range thing is an issue because the rfidis not self powered, it needs to be powered by the field your unit is putting out.

  7. I have been reading this site for years, and this is the first peice of FUD I can remember…

    Come on guys, really? Destroy the RFID chips in your cards? How about you fix the problem, rather than just banishing the entire technology like some sort of religious deity said it was unclean.

    And blowing up the chips is not a solution either. Many banks around the world use them to verify the card in the machine is the correct one.

    RFID blocking wallet/sleeve. There. You get all the convenience of RFID without letting it be active all the time. Until they invent a way to disable the chip (that is easy too–disconnect the antenna) that you can enable easily then you have to take security into your own hands.

    Personally, I just called the bank and had them re-issue me a non-RFID card and I use my Google Nexus for all my RFID/NFC needs… Simple/secure enough for me. Yes, my Nexus is encrypted and no it is not rooted.

    1. It is unclean. Openly allowing any old reader to read your card is inherently unsafe, no matter the encryption.

      Apparently, Chase doesn’t, as you would have had difficulty obtaining a non-RFID card.

      As an alternative option to introducing security holes into your finances, don’t use RFID.

      Your nexus is either less safe (due to being more easily lost, connected to a network, or being out in the open more often) or more safe (being a larger object) than an RFID credit card.

      1. Lets address your concerns one at a time, to see how well the hold up.

        1. Openly allowing any old reader is unsafe no matter the encryption.

        This is because the RFID is being treated like a magstripe–which also gets cloned pretty easily by waiters and the like–but it could be easily made to be secure by either using a two factor authentication such as requiring a button to be pressed (which would connect the antenna, allowing the RF power to turn on the chip) or by having a secondary form of ident such as a fingerprint. OR BY PUTTING YOUR CARD IN A RFID BLOCKING SLEEVE as previously suggested.

        2. Apparently, Chase doesn’t, as you would have had difficulty obtaining a non-RFID card.

        You can either take your accounts elsewhere (if you are this worried about security, a couple of days of annoyance changing all your bank accounts around is TRIVIAL) or you can use the RFID BLOCKING SLEEVE which would block this from being read.

        3. As an alternative option to introducing security holes into your finances, don’t use RFID.

        Sure. You could also say don’t use your card number online, over the phone, in a restaurant, or in Walmart which had a gigantic breach last year or so… The fact is, all methods are at the very heart INSECURE as we use a Fiat currency and it can be stolen very easily. That we are talking about here is strictly the card being read when you do not want it to be read. That is a sleeve, or you use a device that lets you turn off the chip inside. Then, it only gets read when you want it to be read–which is NOT to say that RFID is any more secure than the Magstripe on the back, but you can at least control when it is read by physically taking your card out of your wallet and handing it to the cashier.

        4. Your nexus is either less safe (due to being more easily lost, connected to a network, or being out in the open more often) or more safe (being a larger object) than an RFID credit card.

        My cellphone is encrypted, and not rooted. All of the hacks I have seen involve your phone either being rooted and an app gaining root access to get the numbers, or the phone not being encrypted so they root it when they get it and they get the file. Since I am encrypted, that cannot happen.

        I can send a text message to it and it reboots the phone (which is when the encryption kicks in) a special mode where it sends me a text message every 5 minutes with the location so long as it has battery life to do so. This makes it easy for me to find, and also impossible for them to root the device even using a temporary root exploit.

        If they wipe it fully to try and resell it, which is what most stolen phones are for–the NFC element is defunct and will not even function for ME again. It is a ‘bug/feature’ of the NFC chip inside the phone. It can be a bug if you wipe your phone to put new roms on it, but in this instance it is a feature.

        The RFID part of it will not function as a payment option as that is initialized only when Google Wallet is open. Not open, it doesn’t work. So even if you were sticking your reader in my pocket (hey, do I know you?!?) you wouldn’t get anything.. Well, maybe my phone number–but you could have just asked me for that.

        So all in all, I am failing to see how buying a sleeve for $2 or a wallet for $15 is not the solution to the problem rather than shunning and being afraid of it. If you know the weaknesses of the tech, and it is a simple fix, just fix it. Done and done.

  8. So how does one verify that whatever sleeve (or tinfiol) is actually working? Does one have to build a device like this in order to test sleeves? Are there other places where one can go to check that a given sleeve actually works.

    Just saying cover the card is not very helpful unless there is some easily accessible way to verify that the cover actually works.

  9. Regular aluminum foil (supermarket grade) is amazingly good at reducing the range of rfid cards.

    I’ve tested it myself and although it doesn’t make them unreadable, it SIGNIFICANTLY reduces the range with just one layer.

    Destroying the rfid section without ruining the whole card can be done but isn’t worth the trouble. Foil is your friend.

  10. if the card rfid is turn on by 13.4 mhz , lets make a deetector cheap and small so you will know if someone is trying to read your info. they will sell like hot cakes

  11. I don’t get it. Why aren’t the cards encrypted so that only the bank can read it? A vendor doesn’t need access to info, and waits for the finance company for approval anyway.

  12. I punched the card rfid logo with a leather puinch , the card works fine, Visa is
    supplying me with new RFID Less cards. end of story

  13. Hey there, in the description i read about a pin 17. But on my version of the Arduino isn’t such a thing. Can someone help me there? Im sure its a pretty dumb question but i’m new to Arduinos :/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s