Can RFID Tags Get Your Credit Card Information?

By Richard Gaughan

Does RFID pose a danger to credit card security?
i Jupiterimages/Brand X Pictures/Getty Images

People who invent new technologies are always high on the prospects for improving your quality of life with their latest and greatest gizmo. But new technologies also create their fair share of fear and distrust. Those of us not intimately familiar with the technology are faced with a challenge: weaving our way through the hyperbole on both sides and discovering the true benefits and risks. Radio Frequency Identification, or RFID, is a perfect example. Do we have to be worried about RFID tags stealing our credit card information?

The Basics of RFID

Automatic toll lanes use RFID to take your payment.
i Medioimages/Photodisc/Photodisc/Getty Images

Any RFID system consists of two parts: a tag and a reader. The tag is a small computer-chip-like device that contains information about the object it's tied to. For example, your automatic toll-paying transponder is connected to your car -- and your account. The reader is a device that detects tags and reads the unique information they contain. When you drive through the automatic toll lane, an RFID reader senses your tag and records that you drove through the toll booth at such-and-such a time.

The Interrogation Process

RFID readers and tags use radio waves to carry information.
i Stockbyte/Stockbyte/Getty Images

An RFID reader sends out radio pulses that "interrogate," or trigger, RFID tags. When an RFID tag senses the pulse, it sends its own little pulse back. There are two different types of RFID tags: active and passive. Your automatic toll tag is active, which means it contains batteries and can power itself. RFID tags on a shipping pallet — or possibly on your credit card — are passive. Passive tags take energy from the reader's interrogation pulse and use that to power the return signal. Active tags can transmit a signal ten or fifteen yards away, while passive tags are limited to transmitting a few feet.

Your Credit Card

If your credit card does not have an RFID chip, but just a magnetic strip, then no RFID system can get any information from it. Some newer cards, however, have a passive RFID tag that can be interrogated by a reader and transmit information a few feet. Remember, a reader is completely different from a tag -- neither an active nor a passive RFID tag can get any information from your credit card. Only a reader can get information from your RFID credit card.

Are RFID Credit Cards Safe?

If the reader at the department store checkstand can get your credit card information, then what about an unauthorized reader that some unscrupulous person might be carrying next to you in line? The answer is that, yes, another reader close enough to you can read your card's information. But the more complicated part of the answer is that it won't do them much good.

How RFID Credit Cards Are Used

The RFID on a credit card contains account information, like your account number and the card's expiration date, but it also contains another bit of information: a code that needs to be read for your purchase to be authorized. The code changes with every transaction. So, if someone steals all your information from one transaction, they won't be able to use that information to buy anything in person because the code they captured is only used once and they have no way of knowing the next code your card will generate. Because the RFID doesn't transmit the verification number printed on the back of your card, the thief won't be able to make online purchases with your stolen information either.

What About "NFC?"

NFC stands for "Near Field Communication." It's the technology used in some smartphones to transmit and receive data to other devices, and it can be used to process bank transactions. From the name alone, you might guess that NFC is pretty similar to RFID, where the tags need to be close to the reader to be read. In fact, NFC is a form of RFID, with the same security vulnerabilities as RFID-enabled cards. Exactly how serious those security breaches are is a matter of some controversy. Certainly there are open questions, and your decision will depend upon the level of risk you're comfortable with.