RFID in Credit Cards and Identification Documents

Experiments with RFID Tags Hidden in Credit Card

Microwave Zapping of Credit Cards

I had seen some examples of a credit card microwaved, but the examples appeared to be that of someone placing a card in the microwave, and turning on the microwave long enough to melt the card.
That approach didn't make sense because the purpose is to overload the RFID tag's electronics with enough signal to fry the circuit; not the entire card. In other words, instead of trying to destroy the card, merely expose the electronics to sufficient signal overload to damage the electronics.
I had received two cards with Chase's "Blink" RFID. I didn't see anything describing "Blink" as RFID, but decided to look it up. Yep, RFID. So I called and asked for cards without the RFID.
"Does that mean that this card has RFID?"
"Yes." (okay, so far, so good. Maybe I won't hear a bunch of BS.)
"Can I get a card without RFID?"
"I'm not sure. Why do you want it without RFID?" ("Not Sure?" I would have said the guy was deliberately lying, but conceivably the RFID is used for some branded cards that have alternate purposes.)
"I'd like to get a card without RFID."
"Why don't you want RFID."
"I don't want RFID. I just said that."
"I would like to find out if you know the advantages..."
"I don't want RFID. Would you please complete the transaction?"
"Okay, you should receive new cards within 2 weeks."

Next Step

Now I still had two cards which I knew had RFID chips. I'm an engineer.
So I took the one with my real name on it (both are the same account), and stuck that card in a microwave. (Oh, I'm an engineer -- I placed one card in the food chamber of an Amana RR-1110 microwave oven.) Since the RR-1110 isn't certified for frying RFID cards, I also placed a cup of water in the microwave. (This is probably the first time in 22 years this thing was run with plastic in it.) I heated the water to a lukewarm temperature, with the card on the bottom plate next to cup.
The card now showed a visible raised spot where the RFID chip is. I did not know if the electronics were fried, but something got warm.
Okay, now I had a microwaved card, a second card to use as a control sample, and a glass of water I wouldn't want to drink.

The Test

Actually Chase's website lists very few places around here that even use the "Blink" RFID cards:

McDonalds
For their drive-through facilities. I already knew they had these because the "hot cup of coffee" lawsuit concerned a drive-through customer. I suppose a local McDonalds would not be hard to find.

CVS
That's a drug store chain. I don't need something there today.

7-11
Okay, I was following some driving directions today that used a 7-11 as a landmark, so I would stop there.

So I bought a cup of coffee and a small milk. Tried the microwaved RFID credit card.
"It's not reading it."
"Good."

Then I tried the 'control'.
"It says 'Card Declined'"

"You mean it didn't read the first one and the second one was declined?"
"Yes."

(The "declined" part made sense because I hadn't gotten to a payphone to call the number on the sticky label. I suppose if you're going to give out no-signature cards, you need to be careful about authorisation.)
So at least from this sample of 1 card, exposure of the RFID chip to a 1000 watt microwave exceeds the chip's operating parameters.

What RFID Is

RFID (radio frequency identification) tags are transponders that provide stored informtion in response to an "interrogation" by a scanner. In the case of identification documents, RFID tags are used to provide a response corresponding to the identification document.
The information provided can be identical to that of the identification document or can provide more or less information as compared to the identification document.
RFID tags are useful, for example, to identify a lost pet, since even if the pet's collar is lost, the RFID tag provides a means to connect the pet to a database, allowing the owner to be notified. (In addition, pets with RFID tags are also given a visible tag, which has the code and a phone number for the organisation keeping the database.)
RFID cards are also used for pass cards and private security. In these cases, the RFID information is limited in scope or is limited to use by a defined entity.

RFID Identification Documents and Credit Cards

Identification
In theory, driver's license or passport should be used by entities entitled to the information. In other words, border agents and police. In practice, these forms of identification are used by commercial third parties for various purposes.
The problem is that businesses may attempt to collect more information than necessary for the transaction, including specific demographic data associated with the target's name. Without electronic media, the business must surrepticiously photograph the license and manually enter the data. OCR helps but the data must be manually entered. If the target tapes over some of the data (e.g., the address), even manual scans are precluded.
Law enforcement authorities rarely use these devices, because they check identification against their own database.

Credit Cards
Recently, some credit cards are being issued with RFID tags. It is unclear what information is provided, but apparently enough that the signature requirements typically differ from other types of card reading.
It is also unclear how the customer selects which card xe uses in the event that two or more cards have RFID.
A more serious issue is the possibility that RFID cards can be read in a crowded area. In the case of building passes, RFID data is pretty much useless, but this could be an issue if the data includes credit card or personal identification information.

First posted 11-Jan-03, and 5-Aug-07 as a separate page. Last revised 14 Mar 09.

Questions - see FAQs.

Comments about this site: email me

www.scn.org/~bk269/