I feel like a simple solution to these cards would be a resistive sensor or something (such as two metal contacts that you place your finger over) and without your finger on them, the card doesn't talk.

Yeah right, Mrs EEVBlog's bag.. It's your new manbag isn't it :-)

Love that DaveCAD works beautifully even on small screens.

Reminds me of a few of my student mates. They made a tranceiver and antenna for scanning RFID cards from a distance of up to 10 meters. Worked pretty well, they could scan university cards from people walking below past the window of the lab.

That is RF . RF stands for, wait for it, Radio Frequency. 873 kHz is a frequency that my radio can pick up, is designed to pick up. It is RF !

Thanks for clearing up the misconception and highlighting the technology.

I really don't understand why they don't just build in a little metal dome switch on the card that must be pressed to allow power to the chip. It's blindingly obvious, super simple and 100% read proof until the exact moment of payment.

I've had my card wrapped in "AL-foil" for about a month. Now I know I'm "mostly" safe. Thanks for this video and the knowledge it passes on to the public. My bank couldn't even give me a straight answer about this.

A tap and go skimmer was the first device I built with what I learned on EEVblog. It works like a charm and finances all my subsequent projects. Thank you dave.

Creating foil card sleeves seems like a much more practical solution than buying entire accessories to solve the problem.

I wanted to totally disable the RFID function of my card. The answer was simple. A small notch in the bottom edge of the card, just a few mm, breaks the coil and stops it working.

Thanks for covering some of this Dave. It would be interesting to see more testing, experimentation, and methods of protection and disabling cards in the future. It was too bad that Mythbusters were never able to air their findings due to threats possible lawsuits even relate to talking about it. They are pretty tight lipped about it all to this day.

From taking screenshots of your lovely scope I'm able to ascertain that your name is Dave.. Joking aside I imagine with even just Al foil the eddy currents would produce enough noise to disguise the AM packets, although they are sent after the circuit is charged but at that freq it probably stops the induction to the receiver coil in the first place.. I love how every second week these card are on the news as a "security risk" but never referring to the RFID technology itself. Anyhow great video mate..

Thats the REAL PERFECT way to really explain those "RFID" cards! Perfect, and Understandable. Indeed, It is a Inductively coupled system.

The fun thing to do is have a larger coil in the purse that also picks up this magnetic field and outputs random noise in the RFID bands. The best part is that under normal conditions it does nothing, only when you're being scanned by some thief.

Mythbusters actually get banned by discovery channel's investors from testing NFC card security, that is now insecure these cards is, saddly, all banks now only issue NFC cards, HUGE mistake IMO

Dave Cad... classic :D Also, this technology is very similar to the QI standard for wireless charging for phones & tablets. Instead of sending the credit card data, the device sends information to the pad such as how much current to supply and when to stop by modulating the load on the phone's internal charging coils.

Not an RF field? That's exactly what this is! That schematic you drew is equivalent to a good old fashioned crystal radio with a loopstick antenna. Generally, any of the antennas with circular elements work by coupling the magnetic (B) field, while dipoles and related things like yagi arrays couple the electric (E) field.

With the TI RFID Development kit TRF7970A I managed to read more than 10 cards at the same time. However I have seen tags that use the 125 kHz system for building access control interfer with the theft protection of a Fiat Punto. It took my friend at work several weeks to figure out what was going on and why his car didn't start sometimes. That was before 2006 though.

The convenience outweighs the risk apart from when it interferes with my bus pass!

Informative video Dave. Well done.

Great vid and explanation Dave, but could you please also show how you do the measurements, I know most people will argue that the video will take too long, but it can be interesting to learn more about more complex measurements sometimes :)

Good Lord! It works. Just two layers of aluminum foil inserted in my wallet and NFC can't read anything. Thank you very much for that advice!

Tip: Last NFC transactions history is stored directly in most Visa cards. There are applications to read them also. This video focuses a lot on scanning aspect, but scan is useless without SE response. So the only way to actually steal money is to perform MitM attack with HCE endpoint to emulate SE. As for biometric passports - data is encrypted and key is generated from passport number, date of birth and date of expiration. That's why you have this

thanks for sharing your cc# on the scope lol

More sophisticated than a charcoal rubbing of a pocket to determine the contents.

Been using metallic Christmas foil wrapping paper in my wallet to protect my credit cards. Thank you for the video ! tjl

People have seen skimmers walking the London Tube with handheld Point of Sale devices. Here in the UK the limit is a much more manageable £30. Still spend a few hours walking about London crowds and you could make a decent living. Electronically pickpocketing £30 quid a time.

Hey Dave, how about a video on those little security chips. Those look pretty neat to me.

If you want to disable your payWave or PayPass chip, simply cut the side of the card where the wire loops around the card. You don't need to cut much, only to rupture the loop.

if people are so concerned, and they don't care to use the touch and go of the card, then I would just say they should exacto the coil and break the circuit.

why do i find 'Dave CAD' funny with the smiley face in the D? i do not know but it made me laugh (3:10)

lol the black tape reminded me of the scraped off ICs, And you thought all along those foil cone hats in the 80's was all for just laughs.

Also NFC TagInfo by NXP gives lots of data.

I'd say that the reason people think that putting cards together will protect them is that a lot of implementations don't do anti-collision properly. Haven't tested it with Opal, but certainly the MyKi readers in Melbourne don't implement anti-collision, if it sees multiple cards it just gives up. So they've probably seen a message like "multiple cards detected, try again" and assumed that that means that the system can't read them if there are multiple cards there. As far as reading them from a distance, there's an application note, I believe on the TI website which covers building long range antennas for RFID, after a point you end up with something that looks like the anti-theft tag gates in shops. What I'd be more interested in (haven't got around to actually testing it though) is how much of the signal you could passively sniff while a transaction is in progress, because although the system is designed to use magnetic coupling, 13.5MHz propagates reasonably well so you're going to get some degree of RF leakage.

You will find that the credit card details can be retrieved. If you had pressed the tag information, you would have seen the credit card number.

To clarify: the message that the chip sends to authorise a transaction and prove that it isn't a clone (the cryptogram) is protected by strong cryptography, but information that is also present on the front of the card or on the magstripe, such as the card number, is always transmitted in the clear. So it's possible to skim a card and use the card number to shop online or something, but, in principle, it's not possible to physically clone a skimmed card. In practice, this isn't always true, mainly due to American banks that don't bother checking the cryptogram.

A friend of mine was on the standards committee for the design of all RFID banking cards and he went through the maths regarding theft and RF levels both to activate the card and the RF from the card and the chance of someone stealing your data is very low. Anyway you'll get your money back as it was an unauthorised transaction.

I haven't tried taking it apart so I don't know what tech the Tesla key uses, but other metal keys in my pocket sometimes interfere with the car's ability to read the key. That's over a much longer distance though.

Hey EEVblog, I might not be absolutely correct but it seems RF communication works with the same principle as RFID cause you are still using the same electromagnetic field for TX and RX except that the distance has to be very closed for reception. The current that is oscillating in RF antenna induce the same magnetic field for long distance transmission, and at the destination end you surely do need the antenna where the same signal will be induce except that mechanism for reception is different, but basically the medium is still the same. Thanks for pointing this out.

Beats the paint-drying Lab Re-arranging vid Dave :) Seriously, was insightful. Actually quite simple how it works in terms of coms. But surely the card is read only, so if you could capture the traffic and decode it, one could emulate it? Or perhaps there is some sort of 'key' on board, like SSL

In Portugal the code is asked every 60€ of purchases and if a single transaction is more than 20€.

Soo good, keep it up!

It was my understanding that RFID referred to card containing actual RF chips which also contained a coil. So when you slid your card through a magnetic field (think hotel room key) the RF chip would be able to send a code in a single RF burst, which was then read by the receiver. Is this technology also employed? Why is this not used in credit cards? Awesome video Dave!

"Don't wear it on your head, put it in your pocket" lol.

Do the tags put into clothing etc. work on the same principle and iso standard? I'm just curious as to the function expected by the use of these tags. They seem very intrusive.

Hi! Where can I find more details on the schematic you've drawn in this video?

Hagenberg goes EEVBlog ;-)

in the USA, I don't think banks issue cards with the RFID chip anymore. As a matter of fact, I remember all my cards being replaced without the RFID symbol. They only contain the chip.

Actually, the modulation is ~106KHz. (13.56MHz / 128). It only goes to 847.5KHZ (13.56MHz / 16) after the PPS handshake between the PICC (card) and PCD (reader). The card has to say, "I support these baud rates" during the RATS command, then the reader has to choose the baud rate to use with the PPS command. Otherwise, spot on, mate! I didn't know you did RFID stuff.

Thanks Dave. Just for your information: Skimming like this is already happening in Europe.

Hey Dave, would love to see you do something with the keyless "fob in pocket" start auto systems. The rumor is that criminals can place a transceiver near your house say at the front door where a lot of people leave their keys and basically extend the range to get into the car. Don't know what happens if they start it and drive away. Does the engine shutdown when the key is no longer in communication range?

What if they use a few shorted turns in the fabric to keep the induced voltage at ground zero? Can the transmitter get anything if you have shorted turns under it?

If you are worried about people stealing your data you could always just disable the RFID functionality. I know that my bank has an option online to just turn the feature off. The same option is there to disable the magnetic strip. What this does is probably just declines any transactions made when using those technologies.

I would like to see Dave take a look at the rfid Guardbunny created by Kristin Paget. First featured at schmoocon 2012 and later went openhardware and got an article on Hack a day.

Such a shield works while the card is in it. Remove the card to use with the RFID scanner at checkout and a black hat behind you in the checkout line doesn't even need to transmit anything to pick up the signal.

Dave keeps going on about how it's "not an antenna", and that it uses magnetic coupling not "RF fields", but aren't they essentially the same thing, just longer distances? Like all EM waves are composed of Electric and magnetic fields right, so what makes this different?

I know of someone who used to chat with their victim. They worked in a shop with a card reader that they would put the card in and hand to the customer. They would get in to a surprised sorta reaction, put the card down on their touchless payment machine and and get an easy £30. Somehow it was also untraceable.

I remember in the 90 all the public phone use that chip for cards with credits. And we use a eprom with the software to emulate and call free.

is it possible to use a jammer to jam the 13.56 mhz to prevent the tap from working at all? the scenario is someone could broadcast a blank 13.56 mhz wave so the terminal cant read so it prevent the transaction to force the use of the chip or swipe so the skimmer could be used. in the past when the chip came out criminals would make the shimmer insert have some tab to block the chip so when you put the card in it would not make connection to the chip at all or it would have some wires to corrupt the signals to the chip to make the transaction fail so it forces the customer to swipe. i am asking because i suspect that a couple gas stations here in the united states may be in on a skimming ring and they say it is a problem with the card or security.

Can you get the hex dump from the oscilloscope image? :D

you don't have to put it all around, one layer of foil on any side is enough because it detunes the resonant frequency a lot.

Oh, I have a slight issue with how you are thinking modulating a coil is not a radio? The difference between a transformer and a radio is the radio modulates the electromagnetic field (we call it electromagnetic radiation for a reason). My one transistor AM crystal radio works exactly the same way using the radio signal to provide enough current to run it, admittedly I do ground it rather than ground to the other end of the coil. I bet if I tune a heterodyne receiver to 50Hz I'll be able to here a continuous 50Hz radio signal. With a powerful enough radio signal one can in fact activate one of these cards.

Best video on how NFC works but with wrong title

yeah,I guess i would be more converned with the ones they are sticking to the front of gas pumps and at rest stops. seems here in Michigan,theives have targeted the main areas they know people in a hurry to travel stop. they have already hit up several gas stations and rest stop machines.

The ISO14443 standard calls for readers to have a minimum of 1.5A/m output. ISO15693 calls for 2.0 A/m. if anyone's interested. ISO10373 is concerned with the measurements of the readers. Your phone will be producing around 1.0A/m at 13.56MHz. the ISO14443A ID1 credentials can sometimes read somewhere around 0.3 to 0.4A/m depending upon the amount of processing involved. Actually you'll find that most cards won't be read over about 15cm with a reader producing 4A/m as the magnetic field just isn't strong enough. You won't find anything portable over 4A/m as you start needing a beefy RF amp It is quite possible for these cards to be read from this distance but like Dave said, it doesn't mean they can actually set the transactions up.

In the UK it's just 'touchless payment' and limited to £30 afaik.

This is why no-one with any technical knowledge should call them 'RFID' cards. These are all NFC(Or near-field-commutation) cards. Dave gets half a break as he's using layman's terms for ease of explanation, but searching for 'NFC' reader and 'RFID' reader gets quite different results. Many public transport cards use the same tech, so they make for great test cards if you don't want your credit card shown on air. :) And if you want a somewhat overpriced(due to postage outside of us) way to see what tech a reader uses: dangerousthings.com/shop/rfid-diagnostic-tool/

To the end the sticky tape sticks more and more against your card and the risen numbers.. you show the card from various angles and with lighting from different sides... bad people could try to read the numbers. CRC could even help them to guess... yes, I know there are still things missing like the security code from the back, but I would have used a thicker tape, blurring the outlines of the numbers more.

I have an idea or two about a protection features that can be added to these cards. How about if the chip in the card only starts working if it detects the electrical resistance from your fingers on the card? That way the only way the card can work, is if you are holding it. Otherwise it's only going to activate the coil if it is within a 13.56MHz magnetic field but there isn't going to be any data exchange. Something like a metallic grid on the card that should read somewhere between say 10 and 50 koms in order to start the chip. Or have specific finger locations that you need to hold the card at, in order for it to work. And there is even a simpler way to do it, just put a dome switch in the card that should be pressed in order to connect the coil to the electronics inside. Needless to say that it's location must be a bit deeper in the card in order to prevent the button getting pressed while in your purse or pocket. That way you can only activate the card if you are holding at a specific location and apply some relatively significant pressure.

Cut the handbag open and search that protective layer!

once u have used the app to read your card what's to stop the app squawking all your card details back to whoever wrote the app? This technology is called contactless payment here in the UK BTW.

Just put the card in an aluminumized envelope, just like you'd do with those toll transponders. I'd have thought that putting the card inside of an aluminum box would shield it because the box should act as a shorted turn in the transformer.

So you trade the inconvenience of swiping your card for the inconvenience of wrapping and unwrapping your card in tin foil. (Yes, I know it's not tin.)

A perfect solution to stop these cards being read without the owners permission would be to embed a photo diode into the body of the card that only allows the circuit within the card to activate when it is in ambient light (ie out of a persons wallet) then when it is in the wallet / bag, it would be unreadable.

could you use some gadgets in your lab to generate a more powerful transmitter? That would have been interesting. And to test the max distance with the phone's power and plot it out

great video as always, some banks NAB for example, offer a paypass for your phone which basically acts just like your card for transactions. I obviously turn my NFC off, but I wonder if someone didn't could readers do the same thing or would there be some kind of extra security level in it's software?

You can expose card by power flashlight and see embedded coil and chip

we JUST got chip and pin to be widespread in america ... i got my first one recently 10 more years we might get this RFID :P

Does the alignment between the transceiver and the card matter?

I don't know about Australia but many places in the US they have RFID tags in the cars for toll roads, the readers are over the road at least 16 feet in the air, they can record me passing even at 75mph. now i doubt the protocols are the same but i'm fairly sure the tech is. larger antenna and more power obviously, but since your not a criminal and not equipped with these toys I wouldn't discount the criminal elements ability to procure such devices.

"This is NOT a RF system, it works on magnetic fields instead of RF-fields" o.O Well, what are RF-systems working on ? RF-systems are in theory a transformer system - and yes, they are called antennaes.

Mrs EEVBlog's bag... TAKE IT APART !!

"Not valid unless signed" Nice to see I'm not the only one who doesn't sign their cards. Zero point in doing it.

I have tested access control RFID at the 125Khz band and even very thin aluminium works as a shield... :-/

Those anti-theft systems at stores use an electromagnetic field, right? Would love to see a hack that turns them into a giant skimmer that could be wheeled up to any store front.

Where did you get the reader app for your phone??

Did you forget some annotations at the end?

hi Dave Actually RF's are magnetic waves so why are you bothering yourself to say its different from a typical RF cable that sends off data in form off some modulation of a RF pulse?

a UNI-T brand battery? (at the end of the video in the lower right corner) :D

Funny story, my father had one of the early types and I knew the risks and downloaded a card reader app and said "watch this" pinged his card and it displayed the number and everything then I said "is this your card" he replied "yes, that's not good" so the mobile phone app demo that you did I also used to prove that they were easy to read

Is it possible to emulate a NFC tag with the phone? I.e, store a copy of a tag and emulate it?

I know that the CC had run some experiments and was actually able to read these information from several hundred meters away. (though it were tags in clothes .. and maybe from the official ID cards which are used around here)

I'd like to propose two fixes you might want to add before releasing it: 1) It is actually the same chip as the one seen from the outside, not a separate one (Google images "paywave x-ray"), and this way they can also have the same data shared (e.g. some cards count your contactless transactions and allow only X in a row). 2) They are not just data storage like your usual tag, but the are actively negotiating with the terminal and cryptographically sign transactions. The data you can read out from it alone will not help you much (you do get CC number and expiration date, but not name or CVC2 - it's worse to have your card captured by a security camera than having it scanned). To make a transaction, you would need to go around with a terminal, or relay the communication via the Internet to another phone at a rogue merchant's place, and since merchants must be registered, this makes it a lot harder for criminals.

I use my iphone to do the equivalent of the tap n go, but the iphone apple pay has extra layers of protection. Like it needs my thumbprint to work, and if I lose the iphone or it gets stolen(which would result in basically the card was also lost or stolen) I can just simply shutdown the phone with Find My Iphone and not worry about it. So now, all I carry is my iphone with me, all the credit cards stay at home.

For those curios: ESD bags does NOT block the signal

Have you seen the jamming cards that deliberately jam the RFID frequencies when they detect a field? I've seen a bunch of these on the market (eg: armourcard, which is an Aus company - they sell them at JB). Would be interesting to see whether they're any good using the testing setup you used there. Interesting story is that I see them on the counter near the EFTPOS pinpads, and every time i get a failed card read at JB (and had to insert the card instead) one of these display stands is pretty much next to the pinpad. Tends to lend credibility to the product, but really silly placement by JB!

I don't think that I believe your statement that card information can't be stolen, because how would the store's scanner process a payment? My wife's card had not left it's paper sheath since it was issued, and yet it, and every RFID card in her wallet were compromised somehow. The old cards without contactless payment were unaffected. I call BS on the VISA assertion that this is secure.

Bummer... I downloaded that program on my phone and tried it with a couple of cards I have not really knowing if they were NFC cards or not. None of them are. Even my passport card I have doesn't. Now I can't play around with it. Oh well. Good video though with a good explanation of how this actually works and NOT "RFID" like the news media would tell you it is.

i wonder if you can make an rf id protected duck tape wallet using that foil