This is an excerpt from Dollar Scholar, the Money newsletter where news editor Julia Glum teaches you the modern money lessons you NEED to know.
A few months ago, I saw the Jonas Brothers kick off their world tour with back-to-back shows at Yankee Stadium. I sang, danced, screamed, sweated, cried, traded bracelets, got rained on and even did karaoke with Jimmy Fallon (???).
I also spent a LOT of money. I'd bought the tickets back in April, so the seats were paid off, but between Yankee Stadium's $40 cocktails, the $70 I dropped on limited-edition merch and the $30 worth of chicken tenders I scarfed down after the show, I felt like I was constantly pulling my card out of my wallet to pay for one thing or another. And despite my JoBros bliss, I started worrying about whether it was truly safe to do that in a crowd of thousands.
I know there’s an entire industry around RFID-blocking wallets — but would they help in this situation?
Do I actually need to use an RFID blocker to protect my money?
Roger A. Grimes, a data-driven defense evangelist at KnowBe4, gave me a straight answer. Absolutely not.
“In nearly two and a half decades,” he says, “I've never found a single real-world crime that would have been prevented by an RFID blocker.”
Let’s back up. RFID refers to Radio Frequency Identification, a technology that uses radio waves to read information stored on a tag. RFID chips are embedded in hotel key cards, toll passes, passports, credit cards, debit cards and even pets — everything with contactless functionality.
“If your card has a wavy thing on it, then there is RFID technology in that card, which is why you can tap it [at the register],” says Mallory Knodel, the chief technology officer at the Center for Democracy and Technology, a civil liberties nonprofit. “The card is pushing out a tiny amount of data that gets picked up.”
That data can be read by anyone who gets physically close to an RFID chip and has an RFID reader. RFID readers are readily available online, meaning every Joe Schmo with 80 bucks can get their hands on one, stand behind me at the merch table and scrape my data without my consent.
But theoretically, this signal can be blocked by a special RFID-blocking wallet, purse or passport holder made of a material that interferes with the radio signal.
How big the risk is depends on who you talk to.
Knodel says “it’s not something to panic about.” Grimes points out that RFID tags can only transmit a small amount of data to begin with, and with recent advances in cybersecurity the information an attacker could potentially get — and then maliciously use — via RFID is becoming “less and less usable” over time.
Eva Velasquez, president/CEO of the Identity Theft Resource Center, says that in order to use an RFID reader to steal someone’s data, a bad actor would “have to get very close, practically bumping into the person.” They’d also have to be willing to attempt the maneuver out in public where it’s easy to get caught.
“Is it possible this could happen? Yes, but it's unlikely,” she adds.
RFID crime is really rare: Grimes says in the handful of times someone’s card info has been stolen this way, it involved a scenario where a person had to pull their card out of their wallet to use it (at, say, a gas station). Having an RFID-blocking wallet wouldn’t have prevented that crime anyway... despite all the marketing to the contrary.
“All these vendors make money by scaring people about these nonexistent threats,” he says.
Velasquez, for one, is a big fan of mobile wallets, which she says are “the safest way to pay other than cash.”
That’s because when I add a card to my iPhone, it gets tokenized whenever I use it: the terminal receives a stand-in token instead of my real card number, so even if the point-of-sale system in question is compromised, my data is guarded.
“I would rather see somebody put their cards into their mobile wallet and spend their time doing that than shopping for an RFID wallet,” Velasquez says, adding that people should also set up biometrics, strong passcodes and remote-wipe features in case their phone gets lost.
Other best practices for protecting my identity include watching out for social engineering, or instances in which a stranger tricks me into sharing personal data. I may also want to freeze my credit and use my credit (not debit) card whenever possible.
Credit cards come with better fraud protections than debit cards, and if my card number does get stolen, the recovery process is a lot easier.
The bottom line
RFID blockers are largely overhyped because the risk is so low. Going out of my way to buy an expensive wallet solely for this capability? Not necessary.
“If you like the wallet and it happens to have RFID, enjoy your wallet,” Velasquez says. “But we really would like people to focus their energy on much, much bigger threats out there.”