Contactless payments are a fact of life in many countries: they simplify paying and help avoid the need to carry cash, remember your PIN, or use an ATM. It’s an incredibly popular way of paying: 76% of all debit card transactions in the UK in December 2025 were made using contactless payment.
The source of all this magic is RFID (Radio Frequency Identification), a wireless technology that puts a chip and antenna into credit and debit payment cards used around the world.
RFID has transformed more than just how you pay for coffee and a croissant on the way to work each morning. The technology is used all over the place, for everything from office entry cards and fobs, checking books in and out of libraries, tracking products through supply chains and theft prevention in stores, to keyless entry and ignition in vehicles.
One thing common to the examples above is that RFID is often used to communicate or enable something with a value attached. From your bank account or public transport season ticket to the hotel room you’re staying in or that shiny new car you just bought - all of it is accessed via a system that pushes data out into the airwaves for anyone to see. That sounds scary, right?
Well yes, but also, no: According to the Annual Fraud Report 2025 from UK Finance (the British trade association for the UK banking and financial services sector), contactless fraud using RFID represented only seven percent of all face-to-face card fraud losses in UK retail in 2024.
In this article we’ll look at what RFID is, how it might be compromised by attackers, how you can protect yourself (and your RFID-equipped assets) and why the dangers might just be a little less likely to affect most of us than you might think.
Key points of this article
- RFID blocking stops attackers from stealing data from RFID tags commonly used in payment, door entry, and public transport pass cards, as well as other RFID-enabled devices.
- So far, RFID scanning of payment cards to steal payment information remains a non-credible threat.
- However, other uses of RFID, such as keyless entry and ignition systems for cars, are vulnerable to relay attacks that allow thieves to steal vehicles. For this reason, RFID blocking should be used for keyless car fobs when not in use.
- RFID blocking helps reduce the risk of attackers stealing data or identity, tracking your movements or disrupting manufacturing and supply of materials, but it’s never 100% effective.
- Data that can be stolen or cloned includes bank details, entry passes for buildings or rooms, and public transport access cards.
- While an attacker might be able to skim your bank card number and expiry date, they won’t be able to access your PIN or CVV number with the same technique. A more credible RFID risk is attackers skimming access card details to break into buildings or rooms that use keyless entry systems.
- When it comes to card details, you’re more likely to be a victim of fraud resulting from social engineering, phishing or malware than RFID card skimming.
- If you’re concerned, a practical step to protect your payment cards is to store them in a wallet or pouch that acts as a Faraday Cage, but even that’s not 100% effective. It’s also worth checking for unusual transactions you don’t recognize.
- There are both active and passive products to prevent skimming, and there are also plenty of things you can do that don’t involve buying a product.
What is RFID, and how does it work?
RFID uses electromagnetic fields (radio waves) to exchange data between a transponder (a card or a physical car key, for example) and a reader (such as an NFC-equipped smartphone). Transponders are sometimes also referred to as tags, and they’re divided into passive and active types. Both exist to do one job: when triggered by a reader, they share data with the reader in a secure manner. As an analogy: if the data in an RFID transponder’s chip is a locked box, the RFID reader works like the key.
Passive RFID tags are the most familiar to most of us: they’re found in credit and debit cards, hotel room key cards and door entry cards used in workplaces. They’re clever bits of kit: instead of using a battery, they collect the electromagnetic energy transmitted by the reader using an incredibly thin wire antenna embedded in the card to briefly power a low-energy chip inside the transponder so it can exchange data with the reader. This keeps the tag small enough to fit inside a standard payment card.
If you’re interested enough in what this looks like, dissolving an old card in a jar of acetone (commonly sold as nail varnish remover) will eventually expose the chip and antenna. Enterprising nerds have been doing this to London’s Oyster cards to open barriers at London Underground stations since at least 2008.
There’s one key thing worth mentioning in all of this: most passive tags are only activated when in very close proximity to a reader - typically between 4 and 10 cm.
Active and semi-active tags are powered, and they’re often used commercially to track vehicles, workers, or the status of high value cargo. The most visible example to most people is the tags used to automatically pay motorway tolls such as the French Télépéage, enabling motorists to roll up to a toll gate at 30 km/h without worrying that the barrier will remain lowered. Newer versions of passive RFID tags using UHF (Ultra High Frequency) radio are replacing these tags in motorway toll systems, however.
Smartphones are also RFID-capable, as they use a form of it known as Near Field Communication (NFC). Thus, both Apple and Android devices can be used to tap and go, serving as electronic wallets.
Does my credit card have an RFID chip?
Most likely, your payment card has an RFID chip and antenna embedded in it if it was made after 2015. A visual clue is the Contactless EMV payment icon, which features four curved lines similar to the universal logo for Wi-Fi, often with a line drawing of a hand holding a card. If this symbol isn’t on the card, it likely won’t have RFID, but check with your card issuer to be sure.
The RFID chip is usually one of several elements in one of these cards - there’s also usually a light gold-colored contact patch in the surface of the card so it can be used with Chip and PIN machines, and a magstripe along the back of the card. Some credit cards also retain the raised numbers and letters that allow merchants to take physical carbon copies of the cards, the method of making a transaction before magstripes, Chip and PIN, and then RFID made the technology all but obsolete.
What is RFID skimming, and what data can and cannot be stolen with it?
RFID isn’t without faults. It’s often the case that convenience comes at a cost, and in this case we have RFID skimming, which is a type of electronic theft where someone illegally reads data from an RFID-enabled device without the owner’s knowledge.
Attackers have a few ways to do this: pushing more electrical power through the reader, or using what’s called a relay attack to access the tag at a distance from the reader.
It’s easy to rush to the conclusion that, just because an attacker can clone the data from an RFID transmission in extremely rare circumstances, they’ll be able to use that data to drain our bank accounts. This is a very small risk compared to other types of fraud, many of which don’t even require the fraudster to be anywhere physically close to the victim.
ATM skimming, shoulder surfing, and social engineering attacks such as intercepting replacement cards and PIN advisories in the mail are far more prevalent, and they pale into insignificance against phishing, malware and other cyberattacks aimed at harvesting banking credentials.
Another thing to bear in mind is that contactless credit and debit cards are more than just RFID chips. While RFID describes how data is transmitted and the hardware it’s stored on, the actual payment data is protected by encryption. This encryption changes the cryptographic value used for each transaction, something we’ll come back to later.
What do RFID payment cards do when they get hit by an RFID reader?
The data presented by an RFID card is partial. While older standards lacked encryption and could give up the card’s expiry date and number, they did not send the account holder’s name or, more critically, the CVV or CVC numbers: the ‘extra’ numbers you’re asked to quote when making a payment over the phone or online. Another piece of information that isn’t shared is your PIN code. Attackers simply cannot clone a card using an RFID reader and use it to withdraw cash from an ATM. Besides, there are far easier and lower-risk methods of using ATMs to skim card details and observe PIN entry that have been around for years. The FBI estimates that ATM skimming fraud costs consumers and banks in the US more than $1 billion a year.
What are the likely consequences of RFID skimming?
Firstly, successful attackers won’t be able to make online purchases. In Europe, PSD2 (the Second Payment Services Directive) requires online purchases using a card to include second-factor authentication, such as a CVV or CVC number, or authentication via the user’s banking app.
Secondly, modern contactless cards generate and transmit a unique code for every transaction. Every time you tap, a new code (cryptogram) is generated and then validated by the card issuer. An attacker would effectively clone the cryptogram of the last transaction you made, which would be unique to that transaction and would then fail. If you want to get into the real detail, then a good starting place is EMV Co’s contactless chip specification.
There’s a vanishingly slim chance that an attacker will be able to extract enough data from an old card (assuming it hasn’t already expired) and be able to make a single contactless transaction below the contactless threshold. That’s a lot of personal risk for any criminal to take for a $100 purchase, and one that someone with the equipment and skills to perform an RFID skimming attack would probably not want to try.
Let’s put it another way: while an RFID skimming attack on a contactless card could gather data for an attacker, there are simpler, faster, more effective and (critically) far less risky methods of defrauding people that don’t require such personal involvement on the attacker’s side.
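As an added illustration (not part of the original article, and not EMVCo's actual algorithm), this simplified Python model shows why a captured per-transaction cryptogram fails when it is presented again. HMAC-SHA256, the class and function names, the card number and the terminal challenge values are all assumptions constructed for the example.

```python
"""Simplified model of a per-transaction payment cryptogram (constructed example)."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, atc: int, amount_pence: int, challenge: bytes) -> bytes:
    # HMAC-SHA256 stands in for the card's real MAC algorithm (assumption).
    msg = atc.to_bytes(2, "big") + amount_pence.to_bytes(6, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key   # secret key: stays on the chip, never sent over the air
        self._atc = 0     # transaction counter, incremented on every tap

    def tap(self, amount_pence: int, challenge: bytes) -> dict:
        self._atc += 1
        return {"pan": self.pan, "atc": self._atc,
                "cryptogram": _mac(self._key, self._atc, amount_pence, challenge)}


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[pan], self._last_atc[pan] = key, 0
        return Card(pan, key)

    def authorize(self, pan, atc, amount_pence, challenge, cryptogram) -> str:
        key = self._keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, atc, amount_pence, challenge)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        if atc <= self._last_atc[pan]:
            return "DECLINE: counter already used"
        self._last_atc[pan] = atc
        return "APPROVE"


def demo() -> dict:
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")   # constructed card number
    c1 = bytes.fromhex("0a1b2c3d")                 # challenge chosen by terminal 1
    c2 = bytes.fromhex("99887766")                 # fresh challenge from terminal 2
    tap = card.tap(450, c1)
    pan, atc, cg = tap["pan"], tap["atc"], tap["cryptogram"]
    return {
        # Legitimate purchase: issuer recomputes the MAC and accepts it.
        "genuine": issuer.authorize(pan, atc, 450, c1, cg),
        # Identical message presented again: the counter has already been seen.
        "replay_same": issuer.authorize(pan, atc, 450, c1, cg),
        # Captured cryptogram at another terminal: the challenge no longer matches.
        "replay_new_terminal": issuer.authorize(pan, atc, 450, c2, cg),
        # Card number alone, without the key: no valid cryptogram can be formed.
        "pan_only": issuer.authorize(pan, atc + 1, 450, c2, bytes(8)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```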
How real is the risk? What the evidence shows
When it comes to debit and credit cards with RFID chips, UK Finance has some solid numbers that give an idea of the risk of skimming to users in the UK at present. It found that contactless fraud totaled £41.1 million in 2024, but before anyone panics, this number should be presented in context. Two things are important to bear in mind:
- 74% of all card transactions in the UK at that time were contactless, and fraud decreased by 1%.
- Contactless fraud overwhelmingly involves theft of a physical card and subsequent use to make a contactless purchase.
UK Finance also put a number on contactless fraud compared to total contactless spend: for every £100 spent using contactless technology, 1.3 pence was fraudulent, compared to overall card fraud (6.0 pence). It’s difficult to tell how much of that involved wireless skimming and how much basic physical card theft, however: UK Finance doesn’t track wireless skimming because it has not observed the phenomenon at any scale.
Still, researchers have been able to demonstrate theoretical eavesdropping techniques against older cards that don’t use the dynamic cryptograms introduced with EMV in 2015. More recently, Flipper Zero, a multitool used by security researchers, has made it easy to read data from RFID chips. This only extends to the data the chip gives up, however, which in the case of EMV-equipped payment cards isn’t enough for attackers to do much damage, as this review from an offensive security researcher at Lendable shows.
What is RFID Blocking, and how does it work?
The best way to stop attackers accessing RFID data is to block the radio waves used to energize passive tags like those in contactless payment tags. The best way of doing this is to enclose your RFID tags - cards, car keys and the like - in a Faraday Cage.
Faraday Cages are what’s called conductive enclosures; they distribute electromagnetic energy (radio waves in this case) across the surface of the cage, stopping it from getting inside the cage to energize the RFID chip. A very basic example that will entertain the tinfoil hat brigade is a tinfoil wrap for your cards. Wrapping RFID cards in tinfoil creates a Faraday Cage, although it should be said that wrinkles in the foil, openings and the like reduce its effectiveness.
There are a ton of products available that do a very good job of creating a Faraday Cage around RFID devices. The conductive material can be metal sheet or mesh fabric, or carbon fiber. They must completely enclose the card to work, and they can wear out over time, as the conductive material wears or becomes damaged.
Good news though: often these protection devices are keenly priced and very affordable.
RFID Blocking vs. NFC Blocking: Is there a difference?
There’s no practical difference when it comes to blocking RFID and NFC signals; remember, NFC is a subset of RFID technology, and both operate at a frequency of 13.56 MHz, although RFID can operate on a wider spectrum.
When RFID Blocking may be worth considering
Let’s separate the transport medium - RFID - from the use case. RFID signals can be intercepted. However, the way that modern contactless payment cards work means that the data that attackers can read from cards is effectively useless to them. That won’t stop other card fraud attacks, which are far simpler and more effective. But while the payment industry is expending a lot of effort on making contactless payment secure, other RFID use cases are less so, and RFID blocking should be considered.
Car owners with keyless fobs should store them in Faraday Cages when not in use, as they can be subject to relay attacks, where the attackers use a device to collect and amplify the range of the fob to allow them to steal the car. A cloned or relayed RFID signal from a high-end car’s key fob will let an attacker steal and make off with a car in seconds without ever having to get physical access to the key. In the UK, this attack has been used to steal cars from the driveways of people’s homes while the fob was inside the owner’s home.
In the case of one organized crime group operating in the South of England in 2024, that meant stealing 40 cars worth £500,000 in eight months. If you have a keyless entry and start system on your car, and it involves a wireless fob, then keeping the fobs safe and sound in Faraday Cages until they need to be used is probably a very good idea.
Remember the Télépéage example of RFID tags with greater range? While both passive and semi-active RFID are used in Europe for smoother motorway toll payments, the US also uses RFID for passport cards. These are intended to allow US passport holders to have their details read from their vehicle when passing land borders of the United States.
Corporate access badges for employees that use older RFID standards such as MIFARE are vulnerable and should be replaced by the organizations using them.
For those with a reason to be more security conscious, such as activists, journalists and others who may have cause to expect they will be subject to surveillance, RFID blocking for all RFID-enabled items should be considered, since it may be possible to track individuals in some circumstances by the RFID tags they carry.
The threats that actually put your card at risk
RFID blocking protects against a small subset of the approximately 7% of fraud that involves use of a contactless card, much of which occurs as a result of physical card theft. Let’s look at the other 93%:
- Card Not Present (CNP) fraud (when the physical card is not needed to make purchases) ran to around £400 million in the UK in 2024, according to analytics company FICO. The lion’s share of this fraud comes from social engineering, data compromise and scams.
- While contactless payments using a smartphone mean you don’t even need to take your RFID-enabled payment card with you, recent attacks on Android devices have allowed attackers to steal payment data.
- Phishing and social engineering remain the primary source of CNP fraud and account takeover. The 2025 UK Finance report cited earlier reported that 70% of APP (Authorized Push Payment) fraud started online.
In short, fraud caused by an attacker skimming an RFID payment card is a unicorn event in a sea of far more common cyber attacks that are targeted at far less well-protected parts of the payment infrastructure – actual users and the devices they use. Because contactless debit and credit cards use strong encryption in the form of cryptograms, compromising them via RFID skimming is, at present, difficult and bordering on the impossible. Of course, circumstances can and do change, but a bigger and more present threat to consumers’ bank accounts is other forms of physical, cyber and social-engineering fraud.
How to protect yourself - a practical checklist
- Enable transaction notifications on your mobile banking app to receive immediate notifications for any card activity, authorized or not. This remains the fastest real-world detection mechanism.
- Use virtual card numbers for online shopping where your bank offers them. These expose nothing an attacker can reuse. Alternatively, if available, use a temporary virtual card, which can automatically close after a certain amount of time has passed or following a transaction.
- Check your bank statements regularly. Report anything suspicious to your bank as soon as you see it. In the UK, Section 75 of the Consumer Credit Act and Payment Services Regulations limit liability for unauthorized transactions when reported promptly.
- Use strong, unique passwords and two-factor authentication for banking apps - preferably an authenticator app, rather than SMS. Credential theft is the primary enabler of account takeover, not proximity scanning.
- Be suspicious of any unsolicited contact claiming to be your bank. Vishing is the primary driver of APP fraud. Banks will never ask for full PINs, passwords, or to transfer funds.
- If you have been involved in a known data breach, consider a credit freeze via your national credit bureau.
ESET expert tip
RFID technology often transmits sensitive and payment data, making it a natural target for cybercriminals - especially near-field communication (NFC), the RFID-based technology key for contactless payments. Since 2024, we have observed a steady rise in malicious campaigns that combine advanced social engineering to collect the needed details with malware we call NGate that intercepts and replays NFC traffic. This allows attackers to steal sensitive information and carry out unauthorized ATM withdrawals or automated transfers from victims’ bank accounts.
Over time, these attacks have also expanded to include theft of contacts, collection of other sensitive data, and even remote access to the compromised devices. Effectiveness of these incidents is further boosted by manipulations and tools that bypass biometric verification, making detection difficult even for experienced users. While the cybersecurity community, financial institutions, and card issuers are responding, user awareness remains critical. Downloading apps only from official sources and reviewing permissions carefully can significantly reduce exposure. We expect that the interest in exploiting NFC will continue over 2026, using NGate or similar malware and adopting tactics of other cybercriminal groups.
- Lukáš Štefanko, ESET Senior Malware Researcher
The bottom line - should you invest in RFID Blocking?
For your contactless payment cards? No. There’s already some greatly evolved security at work, and attackers are concentrating their efforts on other types of card, banking and payment fraud that you really should be paying attention to. But for other RFID use cases, there is a clear case for spending a little money on protection.
That said: If an RFID blocking product costs little and gives you peace of mind, it is not a harmful choice. But it absolutely should not be a substitute for the measures above. Of more concern, and where RFID blocking is valuable, is the protection of access devices like car fobs that lack the strong protection offered by EMV for banking cards. These days, as the old joke goes - it is possible to download a car.
Frequently asked questions
Can my debit or credit card be scanned while it is in my wallet?
In theory, yes. But in practice, it’s extremely unlikely to result in fraud. Modern cards transmit only limited data over a very small distance. Each transaction requires a unique cryptogram that cannot be reused. No large-scale wireless skimming attack has been publicly documented.
Do I really need an RFID blocking wallet?
Probably not for your bank cards. But if it provides peace of mind, then it’s worth the outlay. Bear in mind that secure banking habits and phishing protection are far more effective.
Does my credit card have an RFID chip?
Most cards issued in the last decade will. Look for the contactless symbol (four curved lines) on the card, and check with your card issuer if you’re not sure.
What materials block RFID signals?
Conductive materials block signals if properly used. That’s metals like aluminum and copper, and alloys like stainless steel. Carbon is a good choice as well. Kitchen foil, however, is quite fragile. The card will need to be completely enclosed by the conductive material to form an effective Faraday Cage.
Is RFID blocking the same as NFC blocking?
Both technologies operate at 13.56 MHz and are functionally identical in that regard, so blockers marketed for one will likely work the same for either.
Will aluminum or kitchen foil block RFID?
Yes. Wrapping your card in several layers of kitchen foil prevents a standard RFID reader from reading the card. But it’s not practical for everyday use: the foil can be easily damaged, and the card must be completely wrapped with no gaps.
What data does an RFID bank card transmit?
An attacker might be able to recover a card number and expiry date. Payment cards don’t transmit their CVV/CVC code or PIN. Instead, they send a one-time transaction cryptogram that changes for each transaction. Capturing the card number is insufficient to replicate or authorize a payment.








