What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

Flipper Zero tool reading bank card, displaying data on LCD

The Flipper Zero is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

Drawing of Flipper Zero and a variety of RFID tags
Popular 125 kHz protocols: EM-Marin, HID Prox II, and Indala

Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

For example, 125 kHz tags have an antenna made from many turns of very fine wire, with no visible space between the loops. High-frequency tags on the other hand will have antennas with fewer loops, and visible space between them. To tell them apart, a bright light is often enough to see the antenna structure through thin plastic.

Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

Like many others, we’re looking forward to it becoming available, sadly there is just no getting around component shortages that seem to be affecting everyone.

29 thoughts on “What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

  1. “Mobile payment systems (like Apple or Google Pay) don’t do that.”
    On the other hand most smartphones don’t really get regular updates so it is still risky to make them gateway to your account.

    1. Significantly more regular than the EMV spec though! Some manufacturers are pretty good at regular security updates (and Apple always have been given owning the whole platform).

      1. Yeah, Banking Institutions did tent to do that.

        Meanwhile they are learning that their “Just thrust us” needs to be “At … you can get information how to re-implement client side for verification why you can thrust us”.

          1. There’s a nested comment here that I can’t reply to directly*, sorry for jumping in. This one is directed at “X” who implies that because we haven’t inspected all the source code for Linux, that open-source is somehow weaker. No, I haven’t reviewed every line, but I’ve read *infinitely* more linux source than I have for any closed source OS! I think there’s a saying about “many eyes make all bugs shallow” or something.

            * Hackaday, Slashdot solved online comments 20 years ago. Their code (slashcode) is free. Nested comments, proper community moderation (not the reddit popularity contest) Sure, it’ll need some tidying up, but it has to be better than wordpress. Not trying to criticise HaD – the stories and comments here are generally of a very high standard. I’ve learned a lot here.

          2. Well well..I took my first Comp Sci class in 1998 and what was taught that summer was Linux Red Hat 6 there shit for a GUI then we lived root anything we wanted to have working we scripted..Linux Red Hat is now Business end based and if you can code and code old school ..cloaking.. when there was not any of the stuff you have today to make yourself obscure while in Win or Mac then no reason to question Linux obscurity .. Why do you think all the geeks and nerds..not hipsters who think they are legit using Ubuntu..because the can code manipulate etc to have Linux be the precise environment you want not to mention holeing up keep those vulnerability for MS..check out MedaSploit

  2. Once the pandemic is over, I will be cutting the antennas in my bank cards again.

    Up til now the risk from COVID (and being able to pay contactless to mitigate that) has slightly outweighed the risk from fraud….

      1. Are you actually asking that?

        Some number, maybe up into the 1,000s of people per day pull their cruddy cards out of their sweaty, dirty pockets and stick it in that same slot before you get there. Then you show up, expose your card to whatever crud has been left behind before sticking it back in your own pocket all with your bare hands.

        Or you just wave it by without even making contact.

        1. The same thing gets done with cash, yet we don’t get sick from handling cash. Sure, if you handle a lot of cash, you should probably wash your hands before you eat, but you should be doing that anyway.

          1. You may not get sick from handling cash but odds are more in your favor of getting high from handling cash. 90% of US currency has cocaine on it. Fun fact.

    1. I tin foil lined my wallet when these cards came out, but I also discovered that keeping 2 or more cards together would make a reading impossible, especially my buscard had stronger signal output (better antenna?) then all other cards.
      So I always keep my buscard furthest out in my wallet.
      But just the foil was enough by itself,
      I kind of planned to make a buzzer that warns me if someone is trying to scan my wallet too, and one inside my door if someone is trying to scan the keyfob to my car trough the door, but it fell on the backburner
      I am sure there is a commercial product there if someone wants to take the idea and run with it.
      “Key fob scanning alerter” only 19.95 on Flebay.
      My keyfob is kept well inside my house in a metal can with lid, I had the habit of puttin my keys there since well before kefobs were a thing, so it was an easy solution to a stupid problem that shouldn’t exist

      1. You all should be more worried about your phone…Android phones come out of the box with nearby share on and smart switch and so on honestly you have no idea how many people do not have a clue..when you are in you are in…every bank account, credit card, cash app, veno, all it takes is seconds to screenshot all the passwords and even if you need pin or pattern takes only a few seconds to look at history, go to banking sites, 90% of the public uses auto fill, go in change the phone number, screen shot acc numbers or virtual cards.

  3. Shut up and take my money!

    I want one so I can find out how my access card for work works. Then I want to find a compatible id chip to implant in my hand so I can get in without reaching for my wallet.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.