Continuing the discussion from Push Back on NameDrop Privacy Insinuations:
Yes, and it’s so annoying. I could use a new wallet but I don’t want one that’s going to make me remove my Charlie card to get on the subway or my work ID to get in the office. I want to keep slapping my whole wallet onto the readers.
I’m actually fine with taking credit cards out to tap them, I have more than one so I want to be sure which one is read and way too often I have to insert the card instead anyway.
How close does an RFID-enabled device need to get to the reader for payment? Sometimes, it has seemed like my iPhone paid for a purchase from about 18 inches away. (I’m assuming this is a RFID issue; if ApplePay on an iPhone is not RFID, please correct me.) I’ve become skittish about enabling Wallet and selecting the appropriate credit card and try to stand way back from the reader.
Back on topic of RFID-blocking wallets, would a tap-to-pay credit card have the same distance requirement and limitation as an iPhone? If a reader could detect a credit card 18 inches away, I might be interested in an RFID-blocking wallet. (I did read in the NameDrop Privacy thread that two iPhones need to be almost touching. Wouldn’t ApplePay and tap-to-pay be almost the same?)
And back off-topic, my passport card came with what I assumed was an RFID-blocking sleeve. Why? (My Global Entry card came with sleeve, but it seems to be paper. If someone with a Global Entry card can confirm that it is an RFID-blocking sleeve, same question. Why?)
If you’re asking why an RFID-blocking sleeve might be issued, it’s because both cards contain RFID chips for use at border crossings (where the equipment/programs are in place to allow tap-to-verity).
This makes sense if the RFID range is comparable to the spacing of the people in line at the border crossing, which goes right back to my question about the range of RFID devices. If the range is less than 18 inches, then the question about the sleeves remains.
That’s always been my understanding.
Reading NFC/RFID at a distance is definitely possible. That’s how, for example wireless toll-payment systems (e.g. E-ZPass) work. But in order to work reliably at those distances, they require a powered transmitter in your car and a fairly large receiver antenna (the big square antenna you see above each toll booth lane).
Fujitsu (among others) sells RFID-based self-checkout equipment, where a retailer tags every item in the store. You just walk through the lane and it detects every item you picked up and will bill you to a card you have on-file (or asks you for payment if you don’t have a card on-file).
But both of these are very different from being able to scan the cards in your wallet from across the street. Given the power required to activate the card, you’d need to walk through a gauntlet (like the Fujitsu system), or the attacker would need some pretty large amounts of equipment.
And even then, the attack won’t be meaningful. Contactless payment cards don’t transmit your account information (e.g. the data printed on the card). Instead the on-board EMV chip actively participates in a secure transaction with the bank, where the data transmitted is all encrypted. Although a third party might be able to activate the card with a strong enough signal, he would not be able to get the information necessary to clone the card.
That’s probably a combination of a powerful/sensitive reader and the fact that your iPhone has an active transmitter (similar to an E-ZPass transmitter).
A contactless card, on the other hand, has no battery. It is powered by an electrical field generated by the reader. So it can’t work at a distance. The nature of electrical fields (lower power as the square of the distance) means that to get a card to activate at a long distance is going to require an incredibly powerful reader device. Not something a crook is likely to have and definitely not something someone could carry around.
US passports have an RFID-blocking cover, so scanners can’t read them when they are closed. I assume the sleeve for the card serves a similar purpose.
I’ve never seen the RFID capabilities used in real life, but I assume they involve holding it up to an RFID reader in the passport control area of an airport. Maybe they are concerned that you may go somewhere else that has a walk-through RFID reader (e.g. the Fujitsu contactless check-out system) and they don’t want it accidentally reading your passport.
In addition to other information, Global Entry cards, passport cards, and chipped passports store biometrics that allow agents, kiosks, and automated gates to do facial recognition. So it is not uncommon for the RFID/NFC capabilities to be used when going through an immigration check.
One of the reasons I tend to use Apple Pay on my phone at stores is because the phone signal is so much more likely to be picked up than using a card. It’s remarkably quicker.
Have you seen the RFID capabilities of passport, passport card or global entry card used in real life?
My passport has had the e-Passport logo on it since 2012, and I’ve traveled quite a bit since then (including to the UK, Denmark, Belgium, Sweden, Israel, China, Singapore and international cruises) and no location’s passport control (not even on returning to the US) has used the RFID. They all either have a human reading the ID page and/or they have a kiosk that scans that page. (Singapore’s kiosk wanted a fingerprint as well).
Which leaves me wondering where it is actually used and why countries are spending all the time and money on the tech if they’re not using it.
I haven’t paid really close attention while in transit but some examples of what probably is use of the RFID/NFC I’ve experienced recently are:
I’d say, too, as somebody who has also gone through all the security at TLV, I would be very surprised if passport chip data isn’t used there in some way.
Interestingly, the French toll-payment system, operated by Vinci, doesn’t require a powered transmitter in the car. My transmitters are small gadgets (about 2cm x 4cm x 1cm), mounted on the windscreen, and have no battery. Most booths require you to slow nearly to a stop, but some (clearly labelled, happily) will let you through at 30kph. I still get a little frisson of excitement each time, wondering if the barrier will rise in time.
Are you sure there’s no battery? E-ZPass transponders are small, mounted in that location, and sealed but do contain a sizable lithium battery.
Sounds like the FasTrak system in California. The chip measures 1cm x 2cm and is affixed to the inside of the windshield by a decal. You can whiz through the detector at 70mph (there is no gate).
I’m pretty sure - they can’t be opened, so it’s hard to be absolutely definite. Certainly, a battery of the kind you show wouldn’t fit. I don’t know what battery life one would expect, but I’ve had one of them for nearly 10 years and it’s still working just fine.
I checked on the web, and they say
"The Standard E‑ZPass battery has about a 10 year life under normal usage conditions.
There are no user replaceable components in your E‑ZPass.
If you have a properly mounted device and are having problems please contact your E‑ZPass service center for assistance."
I have had an E-Z pass transmitter since 2017, with no problems, but all those batteries are going to start dying sooner or later, and it does not look like they have any plan for users to test them before they fail, or for for distributing new transmitters.
Which is pretty far off topic, but to go back to the original question, I have not heard reports of using RFID to pick people’s pockets. On the other hand, with all the ingenuity that goes into thievery these days, I wouldn’t be surprised if it happened sooner or later.
My EZ Pass has a date to replace it on the bottom.
I have, in fact, had an old EZPass fail because the battery ran out. It did last just about ten years. The replacement I think is more than ten years old and is still fine; I have a second in our second car that is now over 10 years old and, the last time I rolled through a toll, was still working fine. My kids each have one, and are also probably about eleven and nine years old respectively. So, yes, it’s a thing that happens.
Weird. I’m not in an area that has tolls. I thought they’d switched to license plate scanners.
When I went through the Bay Area in September there was no place to pay on the toll road and they just sent me a bill in the mail (interesting, since I’m out of state, but they tracked me down).
Personally, I wish they would be replaceable. I seem to remember some older regional toll-transceivers that had a user-replaceable 9v battery. Personally, I’d prefer that, in order to minimize e-waste.
But there’s an advantage to a device that needs to be replaced every 10 years - it means that customers will be getting periodic replacements, so they know they don’t need to support old outdated protocols for more than 10 years, since all the old devices that require them will stop working by then.
I’ve seen that in a few locations. Usually in places where they don’t want to have any manned toll booths at all. But they’ll charge you a higher toll if you don’t pre-register with them in advance.
You’re right that this would be more convenient for everybody, but I suspect it costs more for them to run the system, since they need to perform image recognition on every car that drives through and run all the tag numbers through a national database (which I’m sure charges by the lookup).
Vs. just reading the ID from a transmitter and debiting a prepaid account (only falling back to license plate scanning for people who don’t have a transmitter).
FWIW, my state E-ZPass agency automatically replaced my original E-ZPass tags when they turned fifteen years old. I didn’t need to request the replacements; they just appeared in my mailbox one day with an envelope to return the original ones.
My area uses both methods, offering a significant discount if you have an E-ZPass transponder in your vehicle.
