How Much Should You Worry About RFID Card Skimming?

At some point you’ve either heard warnings that high-tech crooks are remotely reading people’s debit and credit cards using handheld RFID readers, or you’ve seen a wallet advertised as having built-in RFID-blocking features. More than likely, you’ve seen both. But is there really anything to worry about?

But before we get into that, what is an RFID chip?

RFID chips are embedded in some credit and debit cards, and are designed to let you pay by holding the card near an RFID-enabled card reader, instead of swiping or inserting the card into the machine. Contactless payment, in other words. U.S. Passport covers issued since 2007 also have this type of chip, and you can set up a “virtual wallet” on most smartphones that can be used for contactless payments, even if the cards you add to it don’t have the chip).

The RFID chip is not the same as the EMV chip that is embedded in nearly every credit or debit card these days.

Your card will tell you if it has RFID technology embedded. The big four credit card companies each have their own name for this feature:

  • ExpressPay (American Express)
  • PayPass (MasterCard)
  • PayWave (Visa)
  • Zip (Discover)

An RFID-enabled card will also either say “RFID” or have an icon that looks like radiating waves (similar to a WiFi signal), or both. Tap-and-go is promoted as a desirable feature of these cards—they want you know you can use it.

But, along with RFID cards came the usual anxiety about new technology: with your credit card just throwing out this radio signal containing all of your personal information all the time, it was going to be a cinch for some wily hacker to sit back in a shopping mall and just collect the data from every single card in every purse and wallet that happened to pass within 50 feet, right? And, right on cue, “security experts” emerged on websites and in online videos showing how it could, in theory, be done, under ideal circumstances. “Electronic pickpocketing” was the anxiety du jour.

Immediately, wallets and passport covers and other items (fanny packs, anyone? RFID-blocking jeans?) appeared on the market that claimed to block these frequencies, and they sold like hotcakes. Interestingly, a lot of those same experts who could demonstrate how this crime could be carried out also happened to be selling wallets, or at least promoting a paid affiliate link to buy one from somebody else.

There are a few things to know about electronic pickpocketing before you seek out (and spend money on) an item that is supposed to prevent this type of fraud.

First, the range of this type of RFID chip is about 10 centimeters (under four inches) and even that’s kind of pushing it. Outside of a vacuum, and with anything less than a NASA-level RFID reader, a thief would have to get extremely close to you to even have a chance of being able to pull this crime off. Like, probably touching you with his or her reader. And even then, circumstances are seldom ideal. What if you have two RFID cards on you? Those signals would be scrambled and worthless. And someone loitering around a crowd of people, holding a device up to every purse and back pocket in the place, is going to attract a lot of attention. “Be seen by literally everyone” is usually the opposite of what most crooks want to happen.

Secondly, any time a crime (however unlikely) has that “high tech” aroma to it, it’s easy to imagine the perpetrator as some kind of super-smart criminal mastermind, and there may have been a time (think: 25 or 30 years ago) when that was the case, but a lot of the “hackers” of today are the same people that would have been snatching purses a few decades ago. They’re not masterminds, and they don’t wait around for “ideal circumstances.” They go for the easiest, surest thing, and RFID skimming is neither. It is far easier, cheaper and faster to install a skimmer on an ATM or gas pump, or to buy a database of cards stolen in a data breach—and the success rate is much higher.

Finally, you’ve probably heard people claim to have been a victim of RFID skimming, but there have been no documented cases of fraud being traced to this activity. Real card fraud happens every day, but these almost always originate either with a skimming device (that captures magnetic stripe data—becoming rarer as the EMV chip becomes the standard), phishing attacks, or from retail data breaches in which millions of consumers are victimized at once. For an individual, it can sometimes be difficult to determine where the fraud happened, and so a lot of people just jump on the last thing they heard about. “RFID skimming? Oh yeah, that happened to me…”

In summary, RFID skimming isn’t something you need to be overly worried about. If a wallet or a passport cover has a feature to block these signals and it doesn’t cost anything extra, go ahead and get it. Or get some RFID-blocking sleeves for passports and individual cards if you want to, but you don’t have to spend much on these. I’ve seen a pack for under $10 that had enough sleeves for multiple cards and passports. But don’t pay a premium price just for the RFID-blocking feature, to prevent a crime that isn’t very likely to happen in the first place.