Friday, August 12, 2016

Privacy and RFID Chips

If you ask my family how I feel about privacy you would probably get some eye rolling. I think they think “Dad is a little paranoid.” I’ve worked for the U.S. government for many, many years. I see what they do and how they do it. I also have seen the many scandals and breeches of security that have come from lax or even treasonous activity. This is even the subject of a Presidential candidate’s use of email. If the Secretary of State can be considered “careless” by the FBI then how paranoid should I be about my personal privacy?
Many years ago I talked about how we were going to a cashless society. At that time I was writing checks for everything. Now, I can’t remember the last time I wrote a check. I seem to have become what I was fearing in the 1980’s. I still use cash with certain purchases. I don’t want a paper trail that leads me to that ammo or whatever might be a questionable purchase. These days everything is recorded, there are cameras everywhere. How anonymous are we in this time of social media and data manipulation? I think we need to do all we can to minimize our digital footprint and maximize our privacy and digital security. Whenever we opt for convenience it comes with a cost. When you go to a convenience store to buy milk it usually costs much more than at the grocery store. You’re paying a cost for the convenience. The cost of technological convenience isn’t always apparent. Take for instance RFID chips. These are Radio Frequency IDentification chips. You’ll probably be most familiar with them by seeing them on your bank cards or credit cards. These chips are being used as a replacement for the once ubiquitous magnetic stripe. By using RFID on these cards instead of the stripe, the convenience we gain is that they are less susceptible to damage, and don’t need to be run through a strip reader which has its own problems. How often have you had to run a card through three or four times per transaction? It’s a pain compared to just tapping the card reader. The RFID chips can also store more information and have that information encrypted, supposedly for your safety.

Like every new technology that comes along, intended to keep us and our information safer, there are legions of people out there willing to show us that it isn’t always safe Really though, what is 100% safe? Nothing – we just have to have an acceptable level of security and, for all intents and purposes, RFID tags are reasonably secure. Yet, they can still be read, decoded, and used in crimes against you.

You may have seen videos of people using card readers bought online to brush up against a purse or wallet, thus harvesting the information from the RFID tags inside. Then the person takes that harvested information to their lair of evil and decrypts the information to literally make copies of your bank or credit cards. At which point the Rolex shopping spree begins and you get stuck with the tab.

It doesn’t have to be this way. The odds of it actually happening to you in the first place are extremely slim. However if you want to protect yourself a little further, there are some very easy things you can do. Remember, the R stands for Radio, so anything that louses up your music radio’s reception is going to have a similar effect on these little things.

For people who carry a wallet in the back pocket of your pants, you can easily switch to putting it in your front pocket. This has two positive outcomes. One is that it makes it harder for someone to brush up against you with a reader. Most people react very differently when getting bumped in the groin area than getting bumped on the bum. This may be enough deterrent for most would-be thieves.

The other benefit is that it’s better for your back to not have lumpy wallet throwing off the alignment of your spine when sitting. There are even commercially available front-pocket wallets with RFID blocking built in.
If you carry a purse or handbag, you may consider not keeping your bank cards in it, but perhaps in something that is going to be on your body where you will naturally have higher vigilance against contact. If you need to keep it in the handbag, keep it in the innermost compartment of your handbag, in a wallet. All the other stuff in your bag could create enough interference to stymie the card reader.

Keep in mind neither of these methods is a 100% foolproof. They only make the likelihood of the card being read much less.

What kind of wallet do you have? Is it just a leather or fabric wallet? These don’t lend much stopping power against radio waves. There are commercially available wallets that are lined with aluminum or other metallic foils that help interrupt radio waves. But you can get a similar effect by lining your wallet with aluminum foil. There are dozens of ways you can do this and dozens of sites that show you how. If you have a wallet that has a billfold slot, the easiest thing you can do is to insert a sheet of foil there. Once the wallet is closed everything inside is protected by the foil.

You could also get a similar effect by using an anti-static bag – you know the kind that some computer hardware is shipped in. Those are somewhat similar to a Faraday Cage. All the other methods are simply fancier variations on this.

You can step it up a notch and find a metal container to store your cards in. Again, there are various manufactured ones specifically designed for this purpose, or you can re-use some other item for the job. The always-popular Altoids tin works. Some people also use cigarette tins for this purpose. You might even use a tin that was used to hold playing cards. All of those introduce a metal shell that helps defeat radio signals.

“Couldn’t I just pry the darn thing off the card? I mean, I’ve already got the magnetic strip there and that should suffice.” Oh if only it was that easy. The card is not your property. If you read your contract, I’m sure you’ll find that the cards remains the property of the bank or company that issued it. So you’d be damaging someone else’s property. You may find that doing so invalidates your card completely. However, you might want to call the card issuer and see if they will issue you a stripe-only card. They might or they might not. You won’t know until you ask.
What Will Work 100%? Forgo the convenience of having a bank or credit cards to pay for things and only carry cash. Of course, that introduces its own set of problems. But if you feel strongly enough about it, it’s not a bad way to go. Carrying only cash has a nice benefit of limiting what you spend to what you have on you and cuts back on impulse purchases.

The next closest thing is to have an actual Faraday Cage for your cards, not just some tinfoil. Faraday Cages are specifically designed mesh-like metal holders that essentially filter out certain electromagnetic frequencies and siphons them off to the ground. This means that you’d have to know what specific frequency your RFID tags operated on and have the appropriate cage for that.
In short, nothing will work 100% to eliminate the possibility of your RFID cards being scanned. All you can do is use one, or more, of the techniques above to limit the risk a little more. Also use your situational awareness. Keep an eye out for someone who just keeps bumping into people. Look for card readers that seem to have more things attached to them than they should. Don’t just hand your card over to a waiter and let them walk to the card machine with it. Treat your card like you would with cold hard cash – because it is.

I hope you feel more empowered now about the safety of your credit and debit cards. Maybe you feel a little wiser but don’t be disheartened. People are basically good. There are the few that ruin it for the rest.

Privacy and security are only what you want them to be. Credit card companies and banks will try to take care of their customers, but that only goes so far. You must be proactive in your own safety and security.

Semper Paratus
Check 6