Reading RFID Cards From Afar Easily

RFID hacking has been around for years, but so far all the builds to sniff data out of someone’s wallet have been too large, too small a range, or were much too complicated for a random Joe to build in his workshop. [Adam]’s RFID sniffer gets around all those problems, and provides yet another reason to destroy all the RFID chips in your credit cards.

The project was inspired by this build that took a much larger RFID reader and turned it into a sniffer capable of covertly reading debit cards and passports from the safety of a backpack or briefcase. [Aaron]’s build uses a smaller off-the-shelf RFID reader, but he’s still able to read RFID cards from about a foot away.

[Aaron]’s build is very simple consisting of only an Arduino and SD card reader. [Aaron] is able to capture all the data from an RFID card, write that data to the SD card, and emulate a card using his RFID cloner.

What’s really impressive about the build is that [Aaron] says he’s not a programmer or electrical engineer. His build log is full of self-denegration that shows both how humble [Aaron] is and how easy it is for anyone with the requisite skill set to clone the bank card sitting in your wallet. We don’t know about you, but you might want to line your wallet with aluminum foil from now on.

41 thoughts on “Reading RFID Cards From Afar Easily

  1. How would one go about destroying the RFID chip in one’s credit cards without leaving any evidence of tampering with the card? I was thinking maybe some kind of over-current using some coils hooked up to a very strong power source might do the trick. Anyone have a project that does such a thing?

          1. the best way of disabling a rfid tag is using a coil and discharging a capacitor through it… the only problem with that is it will also damage the magnetic slip and the chip on most cards. same problem with a magnet … the rfid would actuly survive a magnet though… if you want to disable it i recommend cuting the antenna… the antenna raps around the card and a knife on any edge will disable it…i recommend just getting a stainless wallet or a rfid jammer ( but thouse may reduce credit card life )

      1. @ Mike: Neutralising a US passport HAS to be done without damage to the passport otherwise they could get upset.

        I used a microwave oven, with a mug of cold water in with the passport, and it worked fine.

        The best method is to place the passport on a thick piece of metal, covered by a slightly thinner peice of metal then whack the thing a few times with a 4 pound hammer.

        Very hard to discern the damage except when TSA keeps on swiping your passport – with no success.

    1. Use a degaussing ring perhaps or as large an EMP as you can produce, perhaps. My theory is that you could try to fry the circuit that way (if you can’t get to it to cut the wires). Perhaps it would work if you put the card on an induction hob. I might try this when I get home actually.

    2. I suggest you don’t bother. The only thing this code gets is the ID number of the bank card, which is basically useless for anything. The actual banking stuff is behind a lot of encryption. Just because someone has the email address you use for facebook it doesn’t mean they can frape you. to get access to a card would take very many tries so unless you’re holding your card up to something for a few hours at a time I wouldn’t worry about it.

      if you want to kill the rfid, you can put it next to another rfid card to temporarily disable it, or look online to see pictures of where the chip is and use a hole punch to knock it out. You might as well cancel all direct debits if you’re that paranoid. They’re basically blank cheques right there.

      1. Yes… no.

        Me, being an evil genius, put RFID readers under the seats at the local cafe. To discourage people from digging TOO much at them, I put a few wads of gum on the box. NOW people will sit down, wallet near by, and give me time to attempt brute attacks at the encryptions.

        In other news, even at the highest level, this type of security is extremely vulnerable if a company loses control of their private key… and MUCH more vulnerable if they think that adding in a feature to allow the key to be changed via RFID is smart. Note that private key attacks have been increasing in the “let’s put linux on it” community because it allows them to easily bypass security layers… and pirate games… and hack into psnetwork… http://www.engadget.com/2010/12/29/hackers-claim-discovery-of-ps3-private-key-enabling-unauthori/

        Getting the key isn’t easy, but once you have it, all doors are unlocked for you.

  2. The pickup coil is usually routed around the edge of the card. Just cutting a slot 5mm in the card egde should cut that coil and disable rfid. Rfid for credit cards must be the worst idea ever…

    1. Modern bank cards use NFC chips that take up only a small area inside the card and are difficult to locate. They are also encrypted and difficult to read from long range.

  3. This project has nothing to do with cloning contactless smart cards (EMV Contactless/MIFARE) and is basically cloning the fixed ID HID cards used for building access/security which have been known to be incredibly weak. Next time read the article before making sensationalist comments on the insecurity of RFID enabled bank cards..

    1. Which is, while not covered in this hack, still true. If you watch videos from Defcon you will learn that all you need is an of the shelf contactless credit card reader to peel off all the sercurity measures implemented and get nice formated CC data ready to be burned onto magnetic strip.

    2. They may use whatever encryption they want – it’s just a matter of time before someone breaks it… Ok, it may take a looong time with some encryption technologies but I still think it’s a bad idea with contactless credit cards…

  4. I asked the local branch of Chase Bank to send me a version of their credit card without their “blink” rfid feature and they said they will. I agree, it is a stupid idea.

    1. Just take off you tinfoil cap and use it in the proper place – to wrap your passport and bank cards.

      PS. Sorry for reporting post, but that link is located in absolutely counterintuitive way.

  5. I dont know much about the ultra-techy principles of this whole project but I feel like there should be an easy way to increase the range of this system. Whats standing in the way of making this “relatively” simple?

  6. I have been reading this site for years, and this is the first peice of FUD I can remember…

    Come on guys, really? Destroy the RFID chips in your cards? How about you fix the problem, rather than just banishing the entire technology like some sort of religious deity said it was unclean.

    And blowing up the chips is not a solution either. Many banks around the world use them to verify the card in the machine is the correct one.

    RFID blocking wallet/sleeve. There. You get all the convenience of RFID without letting it be active all the time. Until they invent a way to disable the chip (that is easy too–disconnect the antenna) that you can enable easily then you have to take security into your own hands.

    Personally, I just called the bank and had them re-issue me a non-RFID card and I use my Google Nexus for all my RFID/NFC needs… Simple/secure enough for me. Yes, my Nexus is encrypted and no it is not rooted.

    1. It is unclean. Openly allowing any old reader to read your card is inherently unsafe, no matter the encryption.

      Apparently, Chase doesn’t, as you would have had difficulty obtaining a non-RFID card.

      As an alternative option to introducing security holes into your finances, don’t use RFID.

      Your nexus is either less safe (due to being more easily lost, connected to a network, or being out in the open more often) or more safe (being a larger object) than an RFID credit card.

      1. Lets address your concerns one at a time, to see how well the hold up.

        1. Openly allowing any old reader is unsafe no matter the encryption.

        This is because the RFID is being treated like a magstripe–which also gets cloned pretty easily by waiters and the like–but it could be easily made to be secure by either using a two factor authentication such as requiring a button to be pressed (which would connect the antenna, allowing the RF power to turn on the chip) or by having a secondary form of ident such as a fingerprint. OR BY PUTTING YOUR CARD IN A RFID BLOCKING SLEEVE as previously suggested.

        2. Apparently, Chase doesn’t, as you would have had difficulty obtaining a non-RFID card.

        You can either take your accounts elsewhere (if you are this worried about security, a couple of days of annoyance changing all your bank accounts around is TRIVIAL) or you can use the RFID BLOCKING SLEEVE which would block this from being read.

        3. As an alternative option to introducing security holes into your finances, don’t use RFID.

        Sure. You could also say don’t use your card number online, over the phone, in a restaurant, or in Walmart which had a gigantic breach last year or so… The fact is, all methods are at the very heart INSECURE as we use a Fiat currency and it can be stolen very easily. That we are talking about here is strictly the card being read when you do not want it to be read. That is a sleeve, or you use a device that lets you turn off the chip inside. Then, it only gets read when you want it to be read–which is NOT to say that RFID is any more secure than the Magstripe on the back, but you can at least control when it is read by physically taking your card out of your wallet and handing it to the cashier.

        4. Your nexus is either less safe (due to being more easily lost, connected to a network, or being out in the open more often) or more safe (being a larger object) than an RFID credit card.

        My cellphone is encrypted, and not rooted. All of the hacks I have seen involve your phone either being rooted and an app gaining root access to get the numbers, or the phone not being encrypted so they root it when they get it and they get the file. Since I am encrypted, that cannot happen.

        I can send a text message to it and it reboots the phone (which is when the encryption kicks in) a special mode where it sends me a text message every 5 minutes with the location so long as it has battery life to do so. This makes it easy for me to find, and also impossible for them to root the device even using a temporary root exploit.

        If they wipe it fully to try and resell it, which is what most stolen phones are for–the NFC element is defunct and will not even function for ME again. It is a ‘bug/feature’ of the NFC chip inside the phone. It can be a bug if you wipe your phone to put new roms on it, but in this instance it is a feature.

        The RFID part of it will not function as a payment option as that is initialized only when Google Wallet is open. Not open, it doesn’t work. So even if you were sticking your reader in my pocket (hey, do I know you?!?) you wouldn’t get anything.. Well, maybe my phone number–but you could have just asked me for that.

        So all in all, I am failing to see how buying a sleeve for $2 or a wallet for $15 is not the solution to the problem rather than shunning and being afraid of it. If you know the weaknesses of the tech, and it is a simple fix, just fix it. Done and done.

  7. So how does one verify that whatever sleeve (or tinfiol) is actually working? Does one have to build a device like this in order to test sleeves? Are there other places where one can go to check that a given sleeve actually works.

    Just saying cover the card is not very helpful unless there is some easily accessible way to verify that the cover actually works.

  8. Regular aluminum foil (supermarket grade) is amazingly good at reducing the range of rfid cards.

    I’ve tested it myself and although it doesn’t make them unreadable, it SIGNIFICANTLY reduces the range with just one layer.

    Destroying the rfid section without ruining the whole card can be done but isn’t worth the trouble. Foil is your friend.

  9. Hey there, in the description i read about a pin 17. But on my version of the Arduino isn’t such a thing. Can someone help me there? Im sure its a pretty dumb question but i’m new to Arduinos :/

    1. Hi MrSnuggles (FYI such a cute username)

      Any way. I would like to attempt to answer your question about the pin 17 Arduino board. I have been looking into the RFID tag vulnerability and I have been looking at getting a setup to test and see if I could add to the work being done. I have seen other brands of boards out there that are compatible with Arduino software and hardware but due to me being a student, the little money I got needs to go to booze so I can hack all the things. So I can not be 900% confident in saying that you can get those boards because I have read their specs and I hope that my memory is not failing me that the truth is out there you just need to get a looking. I would love to find it again but mate Raspberry pi and Arduino have so many copies made that I would cause my own Global financial Crisis because booze ain’t cheap and I need the booze to help. ADHD IS A BITCH BUT I LOVE IT. I hoped I managed to answer your question but if not at least there is some humour in it to make up for it.
      ✖️⭕️✖️⭕️
      SpiVic007

Leave a Reply to davegCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.