RFID Blocking: What It Actually Protects (and What It Doesn`t)
If you bought an RFID-blocking wallet or one of the slim RFID blocking cards that drop into a card slot in the last three or four years, congratulations: you are protected against a card fraud method that mostly stopped working around the time the chip on your card became standard. The marketing tells you that thieves can steal from your account through fabric. The marketing was correct about the radio physics and wrong about the cards on the other end. The pitch is intuitive. Your contactless card sends data through the air, a stranger with a hidden reader can grab that data, your money disappears. It is the kind of threat model that a brain happily accepts because it follows the rules of physical theft we already understand. The problem is that the modern payment card on the other end of that radio link does not behave the way the marketing assumes.
This piece walks through what RFID skimming actually was, what the EMV contactless protocol changed, and what is currently growing in NFC fraud. Spoiler: the fraud that is growing is the kind no wallet can stop.
How RFID skimming was supposed to work
The famous demos all happened between roughly 2009 and 2013. Researchers like Pablos Holman and Kristin Paget walked onto Defcon and TED stages, held a black box near someone's pocket, and pulled out a working clone of a credit card. Conference video clips went viral. A decade of wallet, sleeve, and passport-cover marketing was born in those minutes.
The cards being skimmed in those demos were what payments people call magstripe-equivalent RFID. They followed the early generation of contactless cards, like the original Chase Blink program in the United States between about 2005 and 2013. The card transmitted, over a short-range radio link, essentially the same data that was encoded on its magnetic stripe: the primary account number, the expiration date, the cardholder name in many cases, and the static card verification value. A skimmer with a slightly oversized antenna could read all of that through fabric or thin leather from a few centimeters away. The captured data was enough to encode a working clone onto a blank magstripe and walk it into any merchant who still accepted swipe transactions.
The technical reason this worked is that the cards used the ISO 14443 standard, the short-range branch of radio frequency identification, which is built for proximity around ten centimeters. Demonstrators stretched that with bigger antennas and clean power supplies. Vicinity tags using ISO 15693, the kind found in library books and warehouse inventory tags, can be read from up to seventy centimeters. Payment cards were never on that standard. But the impression that stuck with the public was a single number: cards can be read from across a room. That impression was wrong even in 2010. It is much more wrong now.
I keep thinking about how durable that fear has been. The cards in those famous demos do not really exist anymore. The payment industry moved on. The product category built to defend against those cards did not.
Why EMV killed the threat RFID blocking was sold to stop
What ended the magstripe-equivalent skimming attack was not better wallets. It was the EMV chip and, more specifically, the contactless version of EMV that ships on every Visa, Mastercard, American Express, and Discover card issued in the last several years.
Here is what happens when you tap a modern contactless card on a reader. The card and the terminal agree on a transaction counter that is unique to that single transaction. The chip on the card uses a secret key, baked in at manufacture and never transmitted, to drive an encryption step that computes a one-time cryptogram called the ARQC, the Authorization Request Cryptogram. The reader sends the ARQC plus a few other fields to the issuer's bank for approval. If a skimmer is sitting next to your pocket and captures the same exchange, the skimmer gets the ARQC, the primary account number, the expiration date, and not much else. No CVV2, the three-digit code on the back of the card. No PIN. No magnetic-stripe track-two data. No card verification value that can be reused.
What is wrong with using a captured ARQC again? The counter has moved on. The next transaction needs a new cryptogram with the next counter value. The issuer's authorization system will reject the replay. The skimmed data is, for the purpose of cloning the card or running it through a normal in-person sale, useless.
To make the asymmetry concrete, here is what a passive RFID scanner can lift from an EMV contactless card during a single tap, compared with what a working clone would actually need.
| Field | Captured by RFID skim of EMV | Needed to clone or replay |
|---|---|---|
| Primary account number (PAN) | Yes | Yes |
| Expiration date | Yes | Yes |
| Cardholder name | Sometimes | Sometimes |
| ARQC cryptogram | Yes (single-use, counter-bound) | No (must be a fresh one for the next transaction) |
| CVV2 (back-of-card three digits) | No | Yes for most card-not-present checkouts |
| PIN | No | Yes for ATM withdrawals |
| Full magnetic-stripe track-two data | No | Yes to clone onto a swipe-only card |
| Card secret key | No (never leaves the chip) | Yes to generate any valid ARQC |
The numbers behind this are worth pausing on. EMVCo, the industry body that runs the EMV standard, reports that 96.20 percent of all card-present transactions globally used the chip as of the fourth quarter of 2024. Around 72 percent of all issued cards are EMV-enabled. In the United States, Visa reported that merchants who completed their chip upgrade saw counterfeit fraud dollars drop 76 percent between December 2015 and December 2017. That is not a soft trend. That is the chip eating the entire economic case for in-person card cloning.
There is a narrow exception worth naming. A captured primary account number and expiration date can sometimes be tested against weak card-not-present merchants who do not enforce 3DS authentication or do not check CVV2. That is a real problem. It is also not an RFID problem. The same numbers leak constantly through merchant breaches, phishing pages, and skimmed e-commerce checkouts. A blocking wallet does nothing about those.
The contactless fraud numbers RFID blocking products never show you
People shopping for RFID-blocking wallets almost never see the actual fraud numbers, because the fraud category the wallets are pitched against is not the one losing the money.
| Source | Year | Figure |
|---|---|---|
| UK Finance Annual Fraud Report 2025 | 2024 | UK contactless fraud losses 41.1 million pounds, first year-over-year decline since 2020 |
| UK Finance | 2024 | Total UK unauthorised card fraud 572.6 million pounds |
| Derived | 2024 | Contactless fraud is roughly 7.2 percent of all UK card fraud |
| UK Finance | 2024 | Card-not-present fraud is around 70 percent of all card fraud, more than 400 million pounds |
| FCA engagement paper | 2025 | Contactless fraud rate of 1.3 pence per 100 pounds contactless spend, versus 6 pence per 100 pounds across all unauthorised card transactions |
| FCA / Computer Weekly | 2024 | UK contactless transactions: 18.9 billion, up 3.4 percent year over year, average value 15.86 pounds |
| FICO US Card Skimming 2025 review | 2025 | The American fraud body explicitly states it cannot isolate RFID skimming as a separate loss category |
Read that last row twice. The reason there is no widely cited dollar figure for American RFID skimming losses is that the people who count card fraud cannot find a meaningful number to report. They isolate ATM skimming and gas-pump skimming because those leave a physical device behind. RFID skimming, in the form sold to consumers in those Defcon clips, does not show up.
The blunt summary is that documented passive RFID skimming losses against modern EMV contactless cards are statistically indistinguishable from zero. Consumer Reports, AARP, multiple named security experts including Roger Grimes at KnowBe4, the Identity Theft Resource Center, Chase, and Visa have all said versions of the same thing in print.
The Federal Reserve Bank of Kansas City studied the United States chip rollout in a 2018 payments-system briefing and found that card-present fraud at chip-enabled merchants fell sharply once the transition completed, with counterfeit rates dropping while card-not-present rates rose in compensation as criminals followed the path of least resistance into online channels. That migration is the central fact of card fraud in the 2020s. Skimming, in every flavor, has become a small and shrinking slice of an already shrinking category of card-present losses. Contactless skimming sits at the small end of that small slice.
One more datum is worth surfacing. The UK contactless ceiling was raised from twenty-five pounds to one hundred pounds in 2021, then the Financial Conduct Authority signaled in 2025 that the cap will be removed from March 2026 and individual issuers will set their own limits. If passive contactless skimming were a meaningful loss vector, a five-fold increase in the per-tap exposure would have moved the numbers. It did not. Contactless fraud fell year over year in 2024 despite higher limits and higher transaction counts. The protocol is doing its job.
The real NFC threat your wallet can't block
While the RFID-blocking industry was answering 2012's question, attackers moved on. The fastest-growing NFC fraud right now does not involve a stranger near your pocket at all.
In August 2024, the security firm ESET published research on a piece of Android malware called NGate. The attack chain looks like this. A victim is phished, usually with a text message claiming to be from their bank. They install what they believe is a bank security update. The fake app asks them to verify their physical card by holding it briefly against the back of their phone. The malware reads the card over the phone's NFC chip and relays the data, in real time, to an attacker's phone in a different country. The attacker walks up to an ATM with their phone in their hand and withdraws cash as if the victim's card were tapped against the machine. ESET documented an arrested suspect with about six and a half thousand euros taken from three victims in a short window.
That was the first widely reported case. By the first half of 2025, ESET telemetry showed NFC relay attack detections up roughly 35 times compared with the second half of 2024. The technique is now in active use. It works against modern EMV contactless cards, because the protocol does what it is supposed to do: the card is being tapped, the cryptogram is fresh, the issuer's bank sees an apparently normal transaction.
An RFID-blocking sleeve protects against none of this. The card is being tapped voluntarily by the victim, against their own phone, after they install the malicious app. The radio shielding around the wallet is unrelated to the attack surface.
What actually defends against this attack is much harder to monetize as a physical product. You need to recognize the phishing message, not install apps from links, and treat any request to tap your card to verify as the alarm it is. None of that fits in a twenty-five dollar wallet on Amazon.
Where RFID blocking technology still earns its place
The honest version of the story is not that RFID blocking is useless. It is that the payment-card pitch is the weakest part of the product. The genuinely vulnerable RFID things in many wallets are everything except the bank cards.
A short list. Old hotel keycards still ship in many properties using the 13.56 MHz HID iClass and MIFARE Classic families, both of which have been broken in public research and can be cloned by anyone with a cheap reader. Building access badges, especially older corporate systems, often use the same broken stacks. Library tags follow ISO 15693, which is the standard with the larger read range, and they leak their identifiers freely. Some early biometric passports had weak basic access control and could be skimmed for the data page contents. Loyalty cards, gym fobs, and transit cards with stored value are typically straightforward to clone or relay.
If you carry several of those alongside your bank cards, a basic blocking sleeve has a real, specific job to do. It does not have a job to do for your contactless Visa.
The asymmetry is the part the wallet marketing avoids. Two different problems get bundled into the same product pitch, and the easier-to-explain one is the one that mostly stopped existing a decade ago.
A practical way to think about it: list the things in your wallet. For each item, ask what radio standard it uses and whether that standard has a cryptographic challenge layered on top. Bank cards, since the EMV chip rollout completed, do. Most building badges, hotel keys, and library tags do not. The sleeve protects whatever does not have the cryptographic layer. It cannot improve what already has one. That is the whole story of RFID blocking, told without the marketing.
