How safe are RFID cards?

[snykymom]

Now that Disney's using the RFID cards for rooms, charging and even tickets, I wonder how secure my credit card information might be? I've read about credit card thieves using RFID scanners to gather card information. Do I need to start carrying my KTTW card in an RFID-proof case (which sort of defeats the purpose of the RFID touch-and-scan capabilities)? Or maybe I'll just carry a separate credit card and not charge to the room.

Or am I being paranoid?

 

[GOOFY26]

I was wondering the same thing I put my credit cards in RFID cases all the time, think it might get scammed in the World. Hope they thought of protecting the card somehow.

 

[Jennasis]

I've heard that those RFID wallets don't really work.

 

[Alesia]

There's no personal information stored on the card, so there's really nothing to worry about.

 

[TwinsFan]

I think the RFID part is for the door only, they still swiped the card when I bought stuff with my KTTW.

 

[fla4fun]

I think the RFID part is for the door only, they still swiped the card when I bought stuff with my KTTW.

They were starting to install the touch to pay terminals last week when I was there.

There's no personal information stored on the RFID card. It links back to your folio in Disney's system. I would be more concerned about losing the card and someone just touching to pay for food and merchandise all day since you don't need a pin unless your purchase is over $50. You could rack up quite a bill very quickly and still keep the individual transactions under $50. At least before, when you handed the card to the CM, they could glance at the card and question why some guy was using a card with Mary Jones name on it. But the CM won't even touch the card now. When you think about having to have the card at the pool in case you're checked, I certainly wouldn't want to leave it lying in the chair while I went swimming.

Have we heard any more about the bracelets?

 

[bauer1168]

I posted this on another thread. Taken from an article by Inside The Magic regarding FP+

http://www.**************.net/2012/1...-enhancements/

An interesting article from Inside The Magic about the whole program.
The most interesting part for me was the section on security...

Security

Disney understands the potential risks behind storing so much information on a simple card, particularly one based on RF technology which is notoriously insecure. On the new “My Disney Experience” web site, they offer a few notes about the new system, complimenting its usage with the caveat, “You are responsible for keeping your RF Card safe and secure.”

With the new RF system, Disney plans to “identify the individual using the RF Device and the benefits associated with that individual.”

Disney offers a description of the technology:

“The RF Devices use technology similar to the radio and computer technology in smart phones, video game controllers, credit cards and “easy pass” toll payment systems. Many of the features enabled by your RF Device will be accessed by “touching” your RF Device to touch points located throughout our Resorts. (For security purposes, you may also be required to provide additional authentication information to enable certain functions, such as a biometric read or PIN.) Other features are triggered automatically when readers located throughout the Resort recognize your RF Device when you are within the vicinity of the readers.”

It’s no secret that RF-enabled devices have been cloned, or duplicated, quite frequently in the past, sometimes far too easily. Moreover, a guest could certainly drop their card somewhere in the parks and anyone who finds it could potentially gain access to hotel rooms and shopping accounts. Because of this, Disney adds on their web site, “We are not responsible for any unauthorized use of RF Devices. If your RF Device is lost or stolen, contact Guest Services at 407-WDISNEY (407-934-7639).”

 

[fla4fun]

That's all very nice, but when is all that going to be mentioned to the guest? The only thing they told me about my card when I checked in was to touch it to the door to open the lock. Since BW was one of the first resorts getting the touch to pay system installed, I would have thought there might have been a letter left in the room or a message on the phone to let you know that your KTTW has been enhanced with these features and you might need to take extra precautions. Or better yet, add it to the terms and conditions section when you make a reservation. The percentage of guests who visit this board, or any board, is very small compared to the number of guests at WDW. I will be there again next month and hopefully they will have some form of guest communication as part of the welcome packet.

 

[Mickey'sApprentice]

I don't quite trust RFID for purchases yet. I found that I can bring gift cards with me and only use room purchases if I run out of the gift card.

 

[kaligal]

I put my RFID stuff in protective packages. I don't trust it to be secure.

And I think Disney has to be partly responsible. If they give people a choice, then I can absolving them of responsibility. But if they insist people carry these RFID things around and info is stolen, I don't see how they can refuse all responsibility.

I'm no lawyer, though.

 

[consumermonkey]

Hiya,

No one HAS to put charging on their RFID card. It is an option. If you are unsure about the technology, you don't have to use it.

The other stuff that goes with RFID (Tickets, room key etc) is about as secure as the mag-strip used before.

 

[Missyrose]

I put my RFID stuff in protective packages. I don't trust it to be secure.

And I think Disney has to be partly responsible. If they give people a choice, then I can absolving them of responsibility. But if they insist people carry these RFID things around and info is stolen, I don't see how they can refuse all responsibility.

I'm no lawyer, though.

Those RFID protective packages don't really protect your card from anything.

 

[Cheshire Figment]

Let's say that someone did have a reader and was able to read your card and also had blank Disney stock and was able to clone your card.

1. They could get into your room, but they would have to find out not only which resort but which room number.

2. They could possibly enter a Park, but the finger scan is still used with RFID.

3. They could access your dining credits, but (at least for table service) would have to know your name. And

4. They could charge purchases to you room up to the limit on your account, but they would have to present the carfd and, if over a certain dollar amount sign the receipts. Note that it is onlly tied to your room lock and folio, it is not a direct link to any debit or credit card.

 

[rock_doctor]

We always get "no charging" on our room keys. Good old credit card at the register is the safest way to go (imho). I always have a few metallic Mylar static bags with me so i just put the RFID cards in those and they are safe. The metallic coating acts as a Faraday cage and does not let the RF signal out from the tag nor a RF signal in to trigger the tag. Keep my ez pass in one, so i know for a fact that it does work. If you have any old static bags around (from computer parts) put your cell phone in it and see if you still have a signal. If it is a metallic one you will not. Good test to see if the bag will work. The metal wallets do work just fine but they are expensive. I would assume you have to type in a PIN to make purchases with the RFID enabled cards. If not then...that would be an issue.

 

[Polydweller]

Disney also uses low range RFID, you do have to touch the reader straight on and within a very small range, about a 16th of an inch. So, it's hard for someone to get near enough to you to steal anything. And as stated it has no personal info on it, just a reference number to Disney's database.

 

[newdeal]

have you ever used your RFID credit cards? If so you will know just how close the card needs to be to the reader for it to work. Basically for a woman the reader needs to get into your purse and for a man it needs to be touching your butt. I suppose its easier than physically stealing the card but very little risk none the less

 

[snykymom]

Note that it is onlly tied to your room lock and folio, it is not a direct link to any debit or credit card.

This is the issue that I was worried about - theft of my credit card info. Since it's not stored on the RFID card, I feel much better about it.

have you ever used your RFID credit cards? If so you will know just how close the card needs to be to the reader for it to work. Basically for a woman the reader needs to get into your purse and for a man it needs to be touching your butt. I suppose its easier than physically stealing the card but very little risk none the less

You mean as close as a pickpocket has to get? Not very reassuring that someone with a RFID reader in a crowded park has to "get close."

 

[Raenstoirm]

I think you all are waaaay too paranoid. We have had credit card info stolen, no big deal. Call the credit card company and have them remove the charges, takes 10 minutes. In one of our cases, we didnt even know our card was cloned until the credit card company noticed that we had used the same card in 2 truck washes in Arizona and Virginia 20 minutes apart and called and told us! We must have been really booking to get our imaginary big rig across the country in that amount of time!

We loved the RFID last week!

 

[Jennasis]

This may help... http://www.snopes.com/fraud/identity/pickpocket.asp

And from consumer reports:

The absence of a flood of fraud reports linked to the cards is not proof of their security, though, according to Kevin Fu, a University of Massachusetts at Amherst assistant professor who has published research on the topic. Because the contactless cards in circulation in the U.S. represent only 3.5 percent of the total debit and credit cards in use, they have not yet presented a big enough target to lure many crooks, especially when traditional magnetic stripe cards are so easily counterfeited.

Shields or wallets marketed as RFID-blocking devices can make it more difficult for someone with an electronic reader to read your cards, but they dont entirely block transmission of card data. When Recursions security experts tested 10 types of shields and wallets currently being sold to protect contactless cards, they found that none blocked the signal completely, and there was dramatic variability even among samples of the same brand. Using a different approach, Recursions experts created a credit-card-sized jamming device for the wallet that prevents cards from responding to any reader.

Our reporter offered her own homemade shield constructed of duct tape and lined with aluminium foil. It provided better protection than eight of the 10 commercial products, including a stainless-steel RFID blocking wallet selling online for about $60.

 

[Polydweller]

This is the issue that I was worried about - theft of my credit card info. Since it's not stored on the RFID card, I feel much better about it.


You mean as close as a pickpocket has to get? Not very reassuring that someone with a RFID reader in a crowded park has to "get close."

They would have to get a card reader within 1/16th of an inch of your RFID card and hold it there for about 1 second. The Disney cards are very,very low range and you do wait for the reader to react. Doubt a person is going to do that. Pickpockets actually don't get that close. If you've e sr seen it demonstrated, and I have having been in a job in the justice system, it's a flash of the fingers from a few inches away reaching swiftly into a pocket or open purse.. Not the same thing as having a piece of equipment to scan a card.

Frankly, I'd be more concerned about swipe card scanners at ATMs and store checkouts than RFID.