I have a metal wallet. Why? Because some idiot decided that making student IDs have NFC was a good idea. Which, among other things, can be used to open doors after-hours, and buy things.<p>(And yes, it is idiotic. It replaces a magnetic strip scan (which, by the way, these cards have - which means that it's strictly less secure now, as it still has the problems with magnetic strip <i>and</i> the problems with NFC) with a plunk the card on the scanner - which doesn't save much of any time. And in the process means that your card isn't secure even if you have it on you at all times and use only trusted readers. Larger attack surface.)<p>They are trivially susceptible to relay attacks, among other things. (Plunk a relay near the target, and a relay near the thing to open, where each one sends any data it picks up to the other one, which re-broadcasts it.)<p>Note: <i>any</i> NFC card is susceptible to this sort of blind relay attack. As is any buttonless key fob (like the ones on some cars).<p>Theoretically, you can prevent this by means of speed-of-light limitations, or by requiring user interaction (like pressing a button on the card itself, for instance. Although even that could be abused). But in practice, they are too cheap to build that sort of circuitry in. As usual.
Everyone in the UK has these. It's actually stupid: they replaced two-factor (card and PIN) with one-factor (NFC).<p>What I did: put my card in a fetching tinfoil hat. <a href="http://reddragdiva.dreamwidth.org/578323.html" rel="nofollow">http://reddragdiva.dreamwidth.org/578323.html</a> (2012) Also keeps it from interfering with my Oyster card.
> Industry body, the UK Cards Association, dismissed the findings saying Which’s report was “not a new story”.<p>So the industry body acknowledges that they knew <i>for a long time</i> that the whole thing is insecure, yet they apparently did <i>nothing</i>. This doesn't make them look any better.
It's worse than that. They have no protection against forwarding attacks. At all. Not even basic latency time checking. Here's a demo from two years ago:<p><a href="https://www.youtube.com/watch?v=t0MCFjYHieQ" rel="nofollow">https://www.youtube.com/watch?v=t0MCFjYHieQ</a><p>Madness.
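The "speed-of-light limitation" mentioned in the first comment and the "latency time checking" this comment says the cards lack are the same defence: distance bounding. The toy below, added here as an illustration and not code from anyone in the thread, simulates a reader running rapid one-bit challenge-response rounds and compares a naive reader (authenticates the answers only) with one that also rejects any round whose round trip exceeds what a nearby card could achieve. The card processing time, reader bound and relay delay are assumed constants, not measurements.

```python
import hashlib
import hmac
import secrets

# All timings are simulated constants (assumptions for this toy), not measurements.
SPEED_OF_LIGHT_M_PER_NS = 0.3           # radio travels ~30 cm per nanosecond
MAX_DISTANCE_M = 0.10                   # farthest card position the reader accepts
CARD_PROCESSING_NS = 1000.0             # assumed genuine card response time (1 us)
BOUND_NS = CARD_PROCESSING_NS + 2 * MAX_DISTANCE_M / SPEED_OF_LIGHT_M_PER_NS
ROUNDS = 32                             # one-bit rounds; false accept ~ 2**-ROUNDS


def response_bit(key, nonce, rnd, challenge_bit):
    """Keyed response: bit 0 of HMAC-SHA256(key, nonce || round || challenge)."""
    mac = hmac.new(key, nonce + bytes([rnd, challenge_bit]), hashlib.sha256).digest()
    return mac[0] & 1


class Card:
    """Genuine card: answers from its own key after CARD_PROCESSING_NS."""
    def __init__(self, key):
        self.key = key

    def respond(self, nonce, rnd, challenge_bit):
        return response_bit(self.key, nonce, rnd, challenge_bit), CARD_PROCESSING_NS


class RelayedCard:
    """Relay rig: forwards each challenge to the real card somewhere else.
    The answers are genuine, but every exchange carries the relay's own delay."""
    def __init__(self, real_card, relay_delay_ns):
        self.real_card = real_card
        self.relay_delay_ns = relay_delay_ns

    def respond(self, nonce, rnd, challenge_bit):
        bit, delay = self.real_card.respond(nonce, rnd, challenge_bit)
        return bit, delay + self.relay_delay_ns


def verify(card, key, distance_m=0.05, check_timing=True):
    """Reader side. With check_timing=False this is the naive reader the
    thread describes: it authenticates the answers but never looks at latency."""
    nonce = secrets.token_bytes(16)
    flight_ns = 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS   # out and back
    for rnd in range(ROUNDS):
        challenge = secrets.randbits(1)
        bit, card_delay = card.respond(nonce, rnd, challenge)
        if bit != response_bit(key, nonce, rnd, challenge):
            return False, f"round {rnd}: wrong response bit"
        rtt_ns = flight_ns + card_delay
        if check_timing and rtt_ns > BOUND_NS:
            return False, f"round {rnd}: rtt {rtt_ns:.0f} ns exceeds bound {BOUND_NS:.0f} ns"
    return True, "accepted"
```

A relay over a phone link adds milliseconds, so the timing-aware reader rejects it on the first round, while the naive reader accepts it because every answer it sees is genuine.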