Wallet: Recommended Practices


TL;DR

Use RF-blocking materials when carrying cards. Know what’s in your wallet and how to contact the issuing banks if a card is lost. Carry only what’s necessary. Thoughtfully choose how you’ll carry the cards. Thoroughly destroy retired cards.

Terms & Tech

Modern credit and debit cards are radio enabled. Benefits include contactless use and one-time codes to complete transactions. The contactless Europay, Mastercard, and Visa (EMV) standard is defined in ISO/IEC 14443. ISO/IEC 7816 defines the protocol used between the card and reader and, interestingly, was originally designed for cards with exposed contacts. Near field communication (NFC) incorporates ISO/IEC 14443 and enables mobile phones to emulate cards in a mobile wallet like Google Pay or Apple Pay. While it’s uncomplicated to skim and use data obtained from the legacy magnetic stripe, cloning a chip is infeasible, so modern credit and debit cards all now ship with chips.

There are two ways to process a transaction: chip and personal identification number (PIN), and chip and signature. Chip and PIN is more secure and is a form of multifactor authentication: the PIN is something you know and the chip is something you possess. They require each other to work. Chip and signature relies on an employee at the point of sale to verify that the signature on the receipt matches the signature on the back of the card. A chip and signature card offers cloning protection, but does not offer fraud protection if the card itself is stolen. The issuing bank determines whether the card will be chip and PIN or chip and signature.

Because the card responds to radio, it’s possible that it could be read in an unintended manner. Such an attack would require someone to be extremely close with a card reader or a device capable of emulating one.

Recommendations

  1. Although a successfully executed proximity-based attack is highly improbable, you can counter this attack vector by carrying the cards in a radio frequency (RF) blocking wallet or sleeve. There are no drawbacks to doing this, but shop carefully. RF-responsive cards generally fall into low and high frequency ranges. Low Frequency (LF) cards operate at 125 kHz, and some work at 134 kHz and 148 kHz. These are usually building access or hotel key cards and are commonly called radio frequency ID (RFID) cards. The lower the frequency, the greater the range: 125 kHz cards can be read up to three feet from a reader, and a common use case is garage parking. High Frequency (HF) cards operate at 13.56 MHz and can be read up to six inches from a reader. These include credit cards, passports, and state-issued identification. This is the more important frequency to block if it’s impossible to block both.
  2. Plan for losing your wallet. Know what’s in it, e.g. which cards, their customer service phone numbers, and the 3- or 4-digit Card Verification Values (CVVs). American Express uses a four-digit CVV. Visa and Mastercard use a three-digit CVV.
  3. Reduce risk: carry only the items in your wallet that are necessary.
  4. Do not carry your Social Security card with you unless you need it that day, and even then, that’s an exceptional case.
  5. Carry your wallet in a front pocket or a zippered pocket in your pants or purse. This increases the difficulty for pickpockets, and a front pocket is better than a rear pocket for sitting posture.
  6. Do not return previously used hotel keys at checkout. Use a mechanical shredder to destroy them, just as you would retired credit cards.