Security hole / Uncategorized

RFID technology – a practical companion that holds risks!

RFID technology – a practical companion that holds risks!

In addition to the many forms of cyber crime, one kind of data theft often goes unnoticed in public reporting and perception: RFID technology and so-called RFID skimming.

The data stored on the chip is read by attackers. For example, criminals can quickly focus on their own bank cards. Every year, around 7 million pounds are captured.

What is behind the RFID technology?

Radio Frequency Identification (RFID) is a technology for automatic, contactless identification of objects. Electromagnetic waves (similar to a radio) can also be used to automatically capture, store and locate data of objects at close range. The communication standard NFC is a specialization of RFID technology for small distances.

How widespread the technology is is also reflected in the amount of damage. An incident in June 2018 attracted attention: Europol searched for, found and arrested numerous criminals. The damage is estimated at approximately 8 million EUR.

Where is RFID technology used?

RFID technology has existed since the 1940s. It has been used since the 1960s as a useful technology for identifying machines, materials and other haptic elements in industry. A practical example is the machine tool, which is equipped with an abundance of drills. In order to be able to select the right drill, it must first “know” each drill. This is successfully realized with a small RFID chip and since the age of industry4.0, the industry can no longer be imagined without it.

There is an almost infinite number of possible applications of RFID technology. From electronic locks, access controls, animal identification (“animal chip”), fuel cards, electronic immobilizers, to contactless payment systems, as well as ID documents (identity card, passport) RFID technology is used. This fact has already led to numerous fake news:

But of course RFID technology is also used in medical technology. The “VeriChip” becomes a kind of electronic health record in which emergency information from a patient is stored and can be quickly read out if necessary. The chip is implanted with a injection under the human skin. Alternatively, there are systems that are implemented in wristbands.

How does RFID work?

An RFID system consists of a transponder with a unique identifier that generates a high frequency field for both data transmission and power supply, and a reader. In addition, of course, a suitable reader is required to read out the data provided.

What are the risks of RFID technology?

No direct contact to the reader is required to read the information from an RFID chip. However, it is necessary to be within close proximity. The robbery is therefore usually not immediately noticed.

RFID attack methods


Creation of motion profiles

Cloning & Emulation

Creation of an RFID duplicate


Listening/modifying data traffic by “hanging in-between”


Read the stored data

Relay (RSA)

attack extension by range increase

Spoofing & Replay

Data manipulation and faking of the RFID transponder

Denial of Service

Disable the RFID system

RFID Malware

Introduction of malware for data manipulation

In reality, the attackers lurk for the victims mostly in highly frequented places such as shopping malls, airports, train stations, and public festivals. The probability of attracting attention there is simply lower than in less frequented places.

For example, the attackers let a smartphone glide slowly over the surface of their victims’ bags or jackets. If an RFID/NFC-enabled product (perhaps a bank card) is detected, the attackers are informed via a signal from the smartphone. The process only takes seconds. The attackers then cause the captured data to be used for shopping on the Internet, for example. Only when the victims analyze the turnover/account statements of their accounts are the debits noticed. But then the attackers are long gone.

How can I protect myself from RFID?

Since virtually anyone can read a bank card and copy the contents of the transponder if they can get close enough to the device, it is advisable to protect themselves effectively. We at AWARE7 therefore recommend that you only allow data traffic during direct payment and otherwise block it. This is relatively easy with bank cards.

With an RFID Blocker-Card you can get a protective cover for your RFID/NFC capable cards, which shields the inserted cards and makes them almost invisible for attackers. A further aid can be to carry another card of the technology with you. Especially with NFC, the payment process from the wallet no longer works perfectly, with another card.

However, your personal data is also important. Therefore it is also important to protect not only your bank cards, but also your identity card and passport. You can get these envelopes for a small mark on the net.

Photo of author

Chris Wojzechowski

Mein Name ist Chris Wojzechowski und ich habe vor wenigen Jahren meinen Master in Internet-Sicherheit in Gelsenkirchen studiert. Ich bin geschäftsführender Gesellschafter der AWARE7 GmbH und ausgebildeter IT-Risk Manager, IT-Grundschutz Praktiker (TÜV) und besitze die Prüfverfahrenskompetenz für § 8a BSIG. Unser Brot und Buttergeschäft ist die Durchführung von Penetrationstests. Wir setzen uns darüber hinaus für ein breites Verständnis für IT-Sicherheit in Europa ein und bieten aus diesem Grund den Großteil unserer Produkte kostenfrei an.