washingtonpost.com
Electronic Pickpocket Stoppers
How Paranoid Is It to Buy a Wallet With a Metal Shield for Your SmarTrip Card?

By David Montgomery
Washington Post Staff Writer
Wednesday, April 2, 2008

Stuck on the tarmac, flipping through a travel magazine, you're struck by the blurb for metal-lined wallets. Purpose: to prevent digital pickpocketing by blocking radio frequencies.

These handsome babies start at $79.99 and top out at the $225 Italian Leather Teju Lizard Embossed Travel Wallet.

Your reaction: Wow! Luxury accessories for paranoids!

But you would be wrong. Maybe.

Because, says electronic security expert Bruce Schneier, crystallizing the view of many: "As weird as it sounds, wrapping your passport in tinfoil helps. The tinfoil people, in this case, happen to be correct."

The issue is bigger than just the new style of passports, which contain chips that emit information that can be read by a scanner. We're also talking about your Metro SmarTrip card, your employee ID/building access card, your automatic highway toll pass, the newest wave of credit cards and gas purchasing cards, even digital drivers' licenses being developed in some states.

All of these nifty and oh-so-convenient bits of plastic employ versions of what's known as radio frequency identification technology, or RFID. That is, they toss out bits of data that are caught by receivers, with little or no contact, just through the air in some cases. The new credit cards, such as MasterCard's PayPass, don't have to be swiped through a machine. Swiping is so retro, and takes precious extra seconds. You need only lightly tap the PayPass on a terminal to register a purchase.

Neato. It feels as if you're living in the future, or in an episode of "24," when you slap your purse on the Metro turnstile and the gate opens, or you wave your ID badge at a node on the wall and your office door beeps open (and then your face and all your recent movements around the office -- yikes! -- pop up on the security guard's computer).

But alas, just as every problem has a solution, so every solution has a problem, right?

According to some security gurus, even when there is no receiver in the vicinity, your digital secrets are leaking merrily from the cards in your wallet, like sound from a radio that you can't turn off.

So, conceivably, a pickpocket with a laptop and an antenna could lift the digital contents of your wallet. This modern, hypothetical Artful Dodger would never reach his fingers under your jacket. He'd be that guy slouched on a bench in Union Station with a backpack, vacuuming up bits and bytes as crowds flowed past. Behind your back, the contents of your wallet may be talking about you, digitally, to perfect strangers.

Paranoid? The scenario has mainly been reenacted by researcher-hackers under simulated conditions. The makers and issuers of RFID cards insist the data are encrypted and safe. Yet some security watchdogs assert the need to cover, or shield, these cards when they aren't in use. A thin metalized nylon can do the trick, based on the classic Faraday cage design, to disrupt RFID communications.

"If I had an RFID that didn't have a cover, a driver's license, a credit card, a corporate ID card . . . suddenly a [shielded] wallet isn't such a stupid idea," says Schneier, an author of books on security and the chief technology officer of Santa Clara, Calif.-based BT Counterpane, a network security company.

Marc Rotenberg, president of the Electronic Privacy Information Center in Washington, keeps an ad for one of those shielded wallets, clipped from a travel mag, posted on his office door. It's a little joke, but he's also serious. "RFID creates security and privacy risks," he says.

A couple of years ago, when the State Department announced the new style of passports, EPIC recommended that people wrap their passports in tinfoil. Instead, the State Department addressed such concerns by embedding metallic shielding in the front and back cover of the passport books. In addition, the new "passport cards" to be offered to U.S. citizens who travel frequently between the United States and Canada, Mexico or the Caribbean will come with similarly shielded sleeves.

The fact that the State Department has resorted to shielding material -- does that mean the threat is real, that shielded wallets for other types of cards are a good idea? Schneier, for one, thinks the passport books are still vulnerable when they are open.

But spokesmen for the State Department and the Department of Homeland Security say the shields are just an extra level of security for documents that are already safe because of encryption and the nature of the information on them. Even when the passport books are open, the digital information can be read by a scanner no more than a few inches away, says spokesman Steve Royster. As for the passport cards for frequent border-crossers, they can be read at 20 to 30 feet but contain no personal information, Royster says. The personal stuff is safe in government computers, he says.

MasterCard, for its part, says consumers need not invest in shielded wallets -- they can save their money for other purchases.

"All of our cards go through very strict security testing," says MasterCard spokeswoman Erica Harvill, who says she carries her PayPass unshielded as a key fob. The data on the cards are encrypted using a system involving random, unique authentication codes that can only be used once, Harvill says. In addition, the signals can travel only a very short distance.

But if the specter of unauthorized leaks from your hip pocket keeps you awake at night, Geb Masterson, president of Kena Kai in Anaheim Hills, Calif., will sell you one of his DataSafe models. The shielding material is a thin "metalized nylon," finished for the style-conscious with fine Italian leather. They come in colors, and in selections for men and women. The result is no heavier than a standard leather wallet, says Masterson, who adds that he has sold more than 50,000 in less than two years. And no, the metalized fabric won't magnetize or demagnetize your credit cards, he promises.

His sales pitch is shrewd: Hackers are only going to get better at data theft, so better safe than sorry.

"I have to carry a wallet anyway," he says. "I'd rather have it lined in this material that radio frequencies can't get through."

But if you put your SmarTrip card in a shielded wallet, won't you have to take it out to make it work on the Metro? Yes -- so some models have window flaps that let you expose such cards when necessary.

Competitors offer less expensive alternatives. There's an RFID Blocking Wallet from DIFRwear.com for $19.99 and one via SkyMall.com for $19.85.

Most affordable of all: tinfoil.

View all comments that have been posted about this article.

© 2008 The Washington Post Company