I\u2019ve written before about the non-existence of RFID credit card crime, a least as promoted by all the vendors selling anti-RFID shielding products. I\u2019m one of the few voices consistently saying that buying RFID-blocking wallets, sleeves and the like is a waste of time and money. I\u2019ve frequently said that I can\u2019t find a single documented case of RFID credit card crime. Each time I write about this, I get tons of angry email from vendors of these products as well as people who \u201cjust know\u201d that they have been victims of RFID credit card crime.The \u201cvictims\u201d who write me always talk about a mysterious man, acting strangely, who walked by with a visible device, which they strongly believed to be an RFID reader, and shortly thereafter their credit card has a fraudulent charge on it. I always reply that a \u201cfeeling\u201d that RFID fraud happened isn\u2019t evidence of an actual crime, and that I still, after years of searching, haven\u2019t found a single law enforcement authority or document showing evidence of RFID credit card crime.The latest batch of emails contained two better \u201cproofs\u201d of RFID crime that I hadn\u2019t addressed before.RFID car crime evidenceProof number one was a video of thieves stealing a Mercedes-Benz. Although the video doesn\u2019t show any evidence of the theft or how it happened, the accompanying or referenced news stories do claim the car was stolen wirelessly. Many Mercedes-Benz models use RFID wireless technology, which theoretically could be used to steal the car.I reached out to Mercedes-Benz several times to confirm whether or not the type of RFID crime purported in the video happened or could have happened, but after multiple queries over two weeks, they have not responded. I also could not find any law enforcement resource to talk to me about that particular crime or any possible other RFID car-related crime.With that said, I believe that it is possible for RFID car-related crime to have occurred. In the past, most car manufacturers didn\u2019t use good security development lifecycle (SDL) programming practices. I know that many car operating systems and wireless starting systems were full of security bugs. Although I don\u2019t know of the details of the car crime in the video or other purported wireless car crime, I know enough that I believe that RFID car crime has most likely occurred.I have to believe that any car manufacturer using any critical wireless signal today is now practicing SDL and protecting wireless signals from interception and forgery. I know many of the world\u2019s smartest ethical hackers who now work for car-related companies, and who are part of teams whose jobs it is to prevent digital-related crime in their employer\u2019s products. RFID car crime might be possible with older models, but I think the easy \u201creplay\u201d crimes being reported today are soon to be a thing of the past if they aren\u2019t already.U.K. report on contactless fraudAnother alert reader sent me a link to an official U.K. government finance report that claims there is a very small percentage of RFID credit card (i.e., contactless card) crime occurring in the real world. On RFID-related crime it states:\u201cContactless fraud covers incidents on both contactless cards and mobile devices. Fraud on contactless cards and devices remains low with \u00a36.9 million of losses during 2016, compared to spending of \u00a325.2 billion over the same period. This is equivalent to 2.7p in every \u00a3100 spent using contactless technology and is a decrease on the 2015 figure of 3.6p in every \u00a3100. Fraud on contactless cards and devices represents just 1.1 per cent of overall card fraud.\u201dOn its face, this seems to be pretty compelling evidence of RFID credit card fraud. Still, after searching over many days, I could not find a single instance of real-world (i.e., not a security researcher\u2019s demonstration or claim) of RFID credit card fraud.This is a very, very important point. There is a huge gulf between potential crime and actual crime. In the computer world, 5,000 to 7,000 unique vulnerabilities are publicly announced each year on average, and perhaps a few hundred of them are actually used to compromise a computer. If you\u2019re a defender, you need to worry the most about the stuff that is actually being exploited and not so much about every possibility \u2014 especially if that potential crime has never been reported as a real crime.The UK report seemed to suggest that somehow I had missed public data on the claimed \u00a36.9 million of contactless fraud. I decided that I was going to hunt down that data, once and for all, and find out if RFID credit card crime was real. I contacted nearly a dozen organizations connected to RFID credit card security including VISA, Mastercard and the Secure Technology Alliance. I even contacted the creators of the UK report referenced above, which got me in touch with the UK Finance division.I asked everyone two questions:Is it possible to commit RFID contactless credit card fraud involving a scenario where a remote thief wirelessly reads information from a victim\u2019s RFID card and then successfully commits fraud using that information?Is there a single example of RFID contactless credit card crime committed in the real world, involving that same scenario where RFID shielding might have prevented it?Starting with the creators of the UK report, since it specifically talked about contactless credit card crime, I asked how much of the reported \u00a36.9 million of contactless fraud was contactless credit cards versus mobile devices? Sadly, they were never able to provide an answer, although everyone I talked to felt that mobile device fraud and other scenarios that did not involve a remote thief with an RFID reader were far more likely.The reason the UK Finance division could not tell me is that UK merchants aren\u2019t required to report contactless card crime apart from contactless mobile device crime. The UK Finance department does not have the data to split the amount. Further, all my attempts to contact merchants who reported fraud crime to the UK government were not successful.So, I do not know how much of the \u00a36.9 million of contactless fraud was contactless cards versus mobile devices, or whether RFID shielding might have helped. I could not find any public evidence of a single RFID contactless real-world crime being committed, and the most knowledgeable officials I spoke with off the record did not think there would be any matching the fraud scenario I was seeking.Maeve Dunne, an analyst with UK Finance trade association, replied to my questions saying this, \u201cWaving a card reader about in the street or on a train couldn\u2019t take a payment from passers-by and there\u2019s never been any verified report of this ever happening in the UK.\u201d Dunne\u2019s statement doesn\u2019t rule out this happening in other related RFID scenarios or other countries, but I think the answer has to be that RFID credit card crime preventable by shielding is very rare and may be non-existent.When I asked several contactless credit card security experts about their opinion of whether fraud could be committed using my proposed criminal scenario, they all said, \u201cNo!\u201d. They said it was technologically impossible and some even accused me of being with RFID vendors who are trying to sell RFID shielding products. I chuckled, because I\u2019m constantly attacked by those vendors for dismissing their products.Why RFID credit card crime is (and isn\u2019t) impossibleEven though they said that contactless credit card crime in the fraud scenario I proposed was impossible, I pushed back for an explanation as to why. The information that is transmitted wirelessly from an RFID card is very limited and doesn\u2019t contain enough information for a merchant (or device or service) following its license agreement to allow fraud to be committed. That\u2019s not a simple statement, so let me explain more.To believe that RFID credit card crime is occurring, you have to ignore that RFID readers can read RFID information from many tens of yards away only in perfect conditions. The real-world conditions of multiple cards in someone\u2019s wallet or purse, blocked by other cards and material and surrounded by all sorts of other metal objects (e.g., keys or coins), all contribute to RFID cards being hard to read at distance. In fact, when used at a merchant with normal readers, RFID cards must be within a few centimeters to work. You often can\u2019t even keep it inside a wallet and have the signal reach the merchant reader.Let\u2019s assume the criminal mastermind has the best RFID reader and the victim is alone and is basically holding their card out in front of them so the reader has a clear shot for RFID eavesdropping. Let\u2019s assume the criminal can actually get all the information available from a wireless read.Most RFID credit cards will only readily transmit the credit card number and expiration date if read by a wireless RFID reader. The attacker will not get the person\u2019s name, security code, or the address attached to the credit card. This effectively prevents the information from being used on nearly any online vendor\u2019s website. Have you ever been able to use a credit card online without providing your correct name, security code, or address, much less missing all three? Not me. So reusing the stolen wireless information is almost worthless.Can\u2019t the wireless thief just take the captured information, make a fake RFID credit card, and re-use it in-person at stores just like the legitimate card is used? For in-person transactions, the merchant doesn\u2019t care what your name is or ask for your security code or address. You just wave the card over the reader and it transmits the same information as was sent in our theoretical thief situation. Or is there some information sent by the RFID card in a legitimate merchant transaction that a wireless thief reader cannot easily steal? The answer to the last question is \u201cYes.\u201dIf an RFID thief has an RFID reader, it only gets two pieces of critical information: the credit card number and expiration date. In order for a valid transaction to occur, the merchant\u2019s RFID device has to transmit authorizing information, which then causes the card to respond with a character-based authenticating code (part of what is called the datagram) that can only be successfully requested and responded to when using a previously validated merchant device. A remote RFID thief cannot recreate a valid datagram with a simple reader device. The missing component is created by pairing the RFID card and a legitimate merchant device.Can\u2019t the thief use a valid merchant device?That begs the question, instead of the RFID thief using a simple RFID reader, can\u2019t they use a legitimate merchant RFID transaction device? Yes, but you\u2019d have to ignore a bunch of important factors, including the previous assumption of how close the thief would have to be to the card. Remember, merchant readers are only good for a few centimeters. Let\u2019s assume that the thief is either very close to the victim\u2019s card or has the capability to do a long read (maybe a specialized criminal device).Merchant machines have identifying numbers. If the thief successfully got the victim\u2019s card to participate in a bogus transaction, the card holder would eventually report the fraudulent transaction to their card vendor, who would be able to identify the merchant device involved. Not just anyone can buy and use a merchant device. They have to apply for one. Documents need to be reviewed and signed, and the merchant has to have an existing, trusted validated bank account involved, for conducting transactions.Further, for related security reasons, RFID transactions are limited to fairly small amounts, maybe $20 to $50 or so depending on the credit card network. The RFID criminal would have to go through the expense of getting a legitimate merchant device (that costs money by itself) and supply a valid bank account that the credit card vendor can easily reverse charges to. After committing just a few rogue, cheap transactions, the thief would be cut off using that machine if not their entire merchant account.RFID credit card crime either can\u2019t be done or not much of it can be done before the mastermind\u2019s crime spree was over. Let\u2019s not forget that the criminal can buy regular credit card information to steal thousands of dollars with far less risk over a longer period of time for a few bucks per card. This is another reason why RFID credit card crime is nearly impossible, and even more so, not very profitable for the risk. It\u2019s very unlikely to be done even if it could be done.Ah, but RFID crime has been successfully demonstratedI came across an older internet story on RFID contactless credit card crime. In 2015, security researchers were able to wirelessly steal RFID credit card information (e.g., account numbers and expiration dates) from closely held, unobstructed cards and re-use them to buy large dollar value goods from online vendors.It\u2019s proof that it can be done, sort of. It requires that an online vendor violate their merchant agreement and not do basic anti-fraud validation (by requiring a valid name, address, and security code). The vendors not performing the correct validation have the reported fraud taken out of their own bank accounts. I\u2019ve got to think those online vendors are either unscrupulous and intending to be used as a criminal fence or they won\u2019t be in business very long when the credit card merchants trace back the fraudulent transactions to their poor validation checking.Still, this is not evidence of a real-world crime.\u00a0RFID credit card crime is only possible when...To worry about RFID credit card crime, you have to assume incredible remote RFID reader ability in real-world situations and online vendors with literally no basic credit card validation, or criminals who want to buy legitimate merchant devices and go through the lengthy authorization process, and provide a real bank account, to capture a few low-dollar transactions before they are cut off.As Randy Vanderhoof, executive director of the Secure Technology Alliance and director of the U.S. Payments Forum wrote me, \u201cConsumers should listen to their trusted financial institutions, the banks, and payments brands and believe them when they tell their customers that contactless payments cards are secure.\u201dEven if we assume that all \u00a36.9 million of 2016 RFID crime reported in the UK Finance report was committed by credit cards and not mobile devices, it means RFID crime is still, at best 1.1 percent of overall credit card fraud, and it\u2019s falling. If you are worried about a potential 1.1 percent crime rate while also using non-RFID credit cards which are responsible for 98.9 percent of credit card fraud, aren\u2019t you focusing on the wrong threat? Why use any credit card? As far as I can tell, if you are worried about credit card fraud, you\u2019d be about 90 times safer (and getting safer) to only use RFID credit cards. You shouldn\u2019t run away from or even worry about RFID credit cards, you should embrace them.