I frequently pick up peoples discarded public transit passes, or wristbands from concerts, they contain mifare ultralight tags which can be reprogrammed to perform various tasks on NFC-enabled phones. For example I taped one to my night stand and programmed my phone to enable Do Not Disturb when its detected. Super handy and people just leave them everywhere.
Worked in industry with this technology the big thing I took away from it was that cards don't have a rolling transaction number, your phone does thus each transaction on your phone can only be used once per transaction and not duplicated.
Had the idea to make my phone work as a key to my rfid sensor and came to this conclusion as well. It scanned a different number everytime. So that didn't work..
Only problem is that the phone can be hacked. Often over blue tooth . Then your payment processing app will provide codes to the hacker remotely until it's caught. Currently phone payment systems are less secure than chip and pin. Every one of them has been shown vulnerable.
@@resneptacle several of these hacks were demoed at the black hat conference in 11/17 and more have been found since, like the Samsung one with it's predictable token generator(to small a token space, and the way it handles multiple cards on one account makes it worse in that case). Dig into what the security researchers actual say. Right now chip&pin is much more secure (assuming properly implanted, quite a few are incomplete atm).
I follow this Chanel for round 3 years now and the quality of the videos is always incredible high! Thank you for all the time, money and passion you put in our free education ❤️
I remember a few years back at work, having to implement the MIFARE DESFire NFC card's instruction set. Was quite interesting to see how advanced they can technically be.
@@martinrocket1436 Certainly. We were implementing what is colloquially called (at least here) "bus cards"; the NFC-based cards you in many cases can use on public transport. (Specifically, it was an implementation of a subset of the ENV 1545-2 standard.)
@@MrZenzio It might be weird, but I'm wondering, why would you implement like cards instruction set, where there are complete chips that provide complete solution including encryption implementation, CRC validation etc.? For example PN532 mentioned by Scott. It's just like "I want to talk to that card, that's the password, gimme data from that sector" etc.
@@domints Quite simply, availability. At the time, there was no suitable drop-in component that would work within our specificatio (the hardware it was required to interact with, and some requirements imposed on us by a third party). You are certainly right that it sound like a strange thing to do :)
sligovolts, really? But if this was true, then media system that relies on commercial sponsors but yet claims to be independent would be inherently broken!? unbelievable.
The short range is not because of the "high frequency", it's because that chips use capacitive coupling. At work I had to do with UHF tags at 868 MHz which have a much higher range because they are using inductive coupling. But please don't ask me for details, I just had to control the reader :)
Great video my friend... Nice format!! It allows people that aren't too technical to somewhat understand the tech they use everyday, and the people that are tech savvy can look up the IEEE standards to acquire more information... I had a professor in college that taught this way.. He called it "The Big Picture".. It allowed us to start thinking about the subject before we fully understood the science behind it.. That way, we weren't 'blindly' learning and it sparked our interest.
NFC relay attacks are still a thing which can be done against many card variants. You can buy these garage door readers which allow for long distance (like a few feet) reading; I am not sure how to hack one of these things such that a proxmark can use the antenna instead, but it should be possible.
This is amazing timing. I discovered NFC tools TODAY and I ordered RFID reader yesterday for a project me and a couple of friends are commiting to. I am a little bit dissapointed you didn't cover the difference between the different RFID readers. Please cover this in another video!
I use these cards every day, now I finally know how they work! I downloaded the App and read all my cards, very cool technology 😊👍 Many thanks for the upload!
5-1=4, that's a minus. ISO 14443-4, that's a dash. Not trying to be rude, just informing you of a mistake you make. You're still the best English speaking German I've heard!
both bank (ATM) cards and SIM cards are using same standard and actually are (at very least) similar inside, if not identical those are not just memories those are full blown computers inside (granted very embedded, but still computers) they never give access to what is inside, but rather are used to sing, decrypt and encrypt data
So, this is actually a fun topic, as stated, the nfc cards have chips, though, these chips can come in 2 variants, dumb chips, and smart ones. Bank cards actually use the smart ones which can execute code themselves. When a card comes in contact with a compliant terminal (lets say a train ticket machine) your bank card will communicate and generate a one-time-use token to authorize the payment. these payments are often bundled together and then send to your bank for processing, but that's another topic. In essence this means that even if you could capture the data, the token would be different each time, and because only your bank knows how your card encrypts said token, it'll make finding people who try to pass on those fake codes trivial. Additionally, these transactions need to be approved by your bank, and this needs to be done on-line, essentially: 1) the transaction + authorization token is send to your bank 2) your bank checks if the token is valid 3) your bank checks the transaction itself and may flag it if it spots something wrong with it (done by complex algorithms) 4) your bank checks the receiving party This system is by no means perfect, if a person were to steal your card, they could make a few transactions before you'd block if for instance. BUT, its a lot better than the old mag strip system, where all the data was on the strip, rather than cryptographic ally stored on the card
at work i use a handheld rfid machine to scan rfid tags for inventory control, it takes about 10 seconds to scan 200 items and works about 20-30 feet away. none of my current debit/credit cards use rfid now, and only one did before but didn't last long it seems.
Its all about the frequency^^ There are Toll Stations with long range RFID, but they can't read your credit card in your wallet, cause they use another frequency.
My dorm just had a renovation and introduced RFID/NFC door locks... I wonder how secure it is. I'm going to try and see if they did something stupid like having the memory on the key being a combination of your room nr and something else and not a completely random key. If it isn't random I could make a master key that works everywhere. It wouldn't surprise me. Edit (09/12/2022): Today I picked up a newspaper at my dorm. On the front page the company that installed our locks in our dorm is being criticized for ignoring security concerns and that their locks are easily copied and turned into universal keys that work for thousands of apartments and dorms. Guess i was right xD
Depends of the safety you need. If it's for your house's main door definitely buy, but if it's just to keep your annoying sibling out of your room or something like that diy is the way to go.
buy an encrypted one for the front door/backdoor/exterior access. Definitely DIY anything on the inside because buying each time for the inside will leave your wallet drier than the mojave.
I could tell you are from Germany firstly from the EC card in the video thumbnail because I had the same when I lived there. Thumbs up for team lefties, as I am one as well. 👍 Good video, thanks for sharing!
flexairz Transfer between the store and the bank would happen the same way whether or not the customer used NFC. This video is about RFID and NFC so I was just saying this comment is not very relevant to the topic of the video.
You shouldn't be, at least if you're using Google pay or similar. If Google messes things up you'd be sure that they won't take it lightly, besides banks always insures you that your money is safe, no matter how stupid you are.
You could live even without internet just some simple Phones and Messages now it is painful because most of time everything uses Internet for faster communication
good video, notes are.. 3 popular ICs - RDM6300 (125KHz) - PN532 (13.56Mhz ) - Can handle more RFID tags, but not credit card NFC data (this might work for workplace access card) - RC522 (13.56Mhz ) - Can’t read credit card NFC data , Can read and write Frequencies used (13.56Mhz) HF MIFARE Classic 1K - (tag based RFID) Both the card and the tag, holds 1KB of data Contactless payment uses NFC and not RFID (and has standards) and it uses 13.56Mhz So credit card’s NFC cant be read with RC522 Card. a HP with NFC maybe able to read NFC card and gives the card type (ISO 1443-4) but cant read memory as the data is encrypted.
NFC limits are way higher here in Australia (think of people buying groceries etc) I killed my antenna but left the chip untouched, so no contactless payment for me (or anyone else if I lost my wallet) 👍
Yeah, but its useless to do so because it sends you any time you do a Reset another ID, at least so is mine. Most Datasheets for RFID Cards are under NDA, so you won't know how to talk to it/decrypt it. You can't even get the Datasheets for a Desfire Card without signing any NDA. Actually, they have done well on it in the "Internet Neuland" ;D
I've been using NFC Tools a lot recently in conjunction with NFC stickers I got for peanuts online - 10 for about £3 with free shipping! I've been experimenting on different ways of using them and I have been finding some great uses. The only real limitation is storage space so you have to program them efficiently.
Great Video, Scott. Should you want to go into more "in depth" of both NFC and the security around it, I can connect you to people that are on the edge of this technology. I recently got a demo about the NTAG 424 DNA (Followup of the NTAG 413 DNA) which is a great and affordable chip type from NXP and has a very, very high level of security.
OK, it sends the data, but encrypted by the manufacturer key. *Safe as long as the card maker* can keep their encryption keys safe. After that, everybody is not safe. The govts can probably pressure the card issues to give them the keys, if they wanted to. OR till real evil people figure out some weakness in the tech.
The way contactless skimming works is that people would get a POS machine using a shell company to tap everyone's bag and if they get lucky they can tap some cards that got contactless payment enabled. Which kinda makes QR code payment 100X safer IMO. It requires you to take out your phone and reveal the QR code, which is an authentication key. And you can protect that feature using biometric authentication and device lock. And you get almost free skimming insurance with that. Ultimately it's not for paying a lot of money, but what matters is that it does require your acknowledgment in order to make the payment.
well, you've talked about passive RFID, but i think it would make a great video if you'd talk about Active RFID, and maybe made like a security system with it or how safe it is in cars.
doesn't even need to be a payment card. I've got my ID card, train ticket, blood donation card, public swimming pool card.... Shit, everything has NFC nowadays
except it will confuse only shitty readers, because ISO 14443 has collision detection and resolving mechanism described :) With good reader they can bill all your cards at once (except they won't because of reasons I described elsewhere, but having multiple cards isn't the problem)
Contactless payment is not dangerous since it is a RFIC card instead of RFID card that uses an internal key to sign transactions. Therefore, it is ridiculously hard to clone it even if you get physical access to the chip. Even in that case, just use the CVV is much easier :) Also, mobile payment is great because it requires you to confirm before release the information. like apple pay or sumsung pay. In my opinion, ApplePay may be the most safe method since it have a physical chip dedicated to cryptography and generate a unique transaction id to perform the transaction. BTW, the magnet strip contains card#, date, and CVV. therefore, a card w/o card number is just as dangerous if it have a magnetic strip on it. Therefore, I am disappointed that Apple Card have a mag strip on it and still marketing it to be safer. Is your threat model people who are just taking a picture of your card when it is lying on the table?
I was thinking like, if the card encrypted then what stops people from just copying the cards info directly onto a second (maybe virtual) card? What is it that makes rfic harder to clone? Does it communicate instead of just information dumping?
@@lucasschut4174 so the card contains a asymmetric key to sign transactions inside itself, and it would not allow access to the key without some involved process such as DPA Try lookup FIDO U2F key or Bitcoin wallet, they work in a similar way
You are correct, but bank card uses NFC (Near Field Communication) which is a subset of RFID, but width a much shorter range Up to about 10 cm or 4 inches. Todays RFID can have ranges up to hundreds of meters.
You can get the data unencrypted from an android phone. It's an app called "credit card reader" it gets the card number, bank, pin tries, chip manufacturer and other misc details, as well as transaction history if your card supports it.
I remember a while a go, when contacless payments first arrived in the west there were stories of people walking around with portable payment terminals on packed trains just taking a buck here and there through wallets in pockets. Payments low enough most people wouldn't notice.
That's not really true... You can pay with NFC on credit cards with higher values than 25€ ;) For example I paid 480€ contact less for my TV. The limit of 25€ is only set by your local Sparkasse bank
all the info are blocks (lines) and sectors (parts) with further detailed info. exampe, block 0 (first line) containts the UID BCC SAK ATQA and the manufacturer data, etc.
@@VIDE0G4M3Enj0YER Yep I sure did. That was a year ago, not had any backlash yet. Banks aren't going to file police reports and subpoena CCTV footage over a couple hundred dollars, they'll just write it off. If I'd stolen thousands or done this more than once, then maybe they would. Good thing about contactless is there's no clawback from the retailer, the Bank takes all of the hit. The extended story behind this is that a utility provider had mistakenly took a large amount out of my account and the bank allowed it even though there was not enough in the account to cover it. It was all sorted and the utility provider refunded the money but the bank refused to refund the fees they charged (which added up quickly) for the unauthorized "borrowing". Instead of going through all the hoops and legal nonsense to get the fees returned, I just did the card thing, then closed the account.
Crazy idea: What if, your RFID card had a normally-off button built in, to interrupt the energy supplied by the wireless energy coil, until such time as you want to let the information be transmitted?
Those devices usually are miniaturized, and in some cases it would be very difficult to fit a button in... Think for example about credit cards. But that's just a minor inconvenience, the main issue is that RFID devices are resonant RLC circuits. Their impedance (apparent resistance) is critical for their operation as it determines at which frequency the circuit resonates and works. A button would majorly screw up the circuit's impedance requiring some serious compensation at factory level. That would mean measuring and adjusting every circuit making this idea definitely possible, but very cost inefficient. In the end, it all comes down to production costs.
My bus stops near me have nfc cards in the bus stop and when you scan it you get taken to the time table on the website which is pretty cool but instead of that i read the card and rewrit to the card so now when you scan it you get taken to pewdiepies channel so you can subscribe
In Australia, there is a $100 point in which after that including that point you have to enter your pin. However you can just keep doing $99 payments without a pin until the bank finally blocks the card.
@@tomhyhlik1788 Contactless payments are rfid cards that emit the cards encrypted data into the reader. the point is that if a hackers reader gets close enough to your card it can get your data, tho encrypted. phones can turn this function on and off. so up till there you can get a pretty good self thought out answer
Felix R, totally looks like. But one thing he didn't research correctly: The NFC blockers don't always have to be bought. Sparkasse and other banks give them out for free if you ask politely.
@@martinrocket1436 I mean, there is literally the Sparkasse Logo on the Card. He taped over the Name of the Bank though, because it gives away his general region
You totally oversimplified (or just didn't dig enough) the RC522 / PN532 topic. The 13.56MHz tag isn't spitting out data. It won't even spit out ID without being asked, not to tell about the data. All the data on the card (1KB in case of Mifare Classic 1K) is password protected and your card spit the data out because your reader asked for it and had proper access keys - in case of your card it was transport key, default consisting of loads of 0xFs. The only card that just spits out data are the 125kHz cards, but there isn't much there to spit - just few bytes of ID.
the important thing to know is that mifare clasic, mifare ultralite (NFC Payments) and Mirefare desfire (ultra high security), it is not a data dump, but rather 2 way communication between the chip on the card (or fob or tag or whatever), so in an access control senario, (wich uses these technologies), you first have to send a password to the card for it to start opperating, then encryption is established on the communication between the card and reader, then the data is sent as per what is requested by the reader. Ultralite and Desfire, also, have hardware encryption on the card itself 125khz access cards however do data dump there contents, making them far less secure.
5 лет назад+7
Aldi, Lidl, Kaufland, Hornbach, Media Markt, Saturn
Sometimes it might be, but RFID is very limited in range. Often in stores it's a far simpler circuit, purely coil and capacitor which resonates at a specific frequency, this is then detectable by the induction coil by the doors.
Create a project where it uses an active rfid. It should transmit different data in every x second. Make the change synchronized with the Arduino so everytime you authenticate, it would pass. Ex. encrypt "qwerty" with unix time as salt, the mcu(with rfid reader ofc.) and active rfid (also with mcu) will generate the same output as long as their time is in sync.
@@greatscottlab r/technicallythetruth But in all seriousness, take your time. It shurely will be an awesome project, so waiting a but longer will be worth it. Greetings from Luxembourg!
MST works by emulating a magnetic stripe being read. Magstripe is no longer in use for payments in Europe, hasn't been for a long time. But that also means that it's just as insecure as magstripe, so, not much to learn there.
@@nikomo That is not the case, the Samsung pay is way safer. I don't know the terms, but it only works one time with each code generated and ofc you can only read the code when the user wants to pay. The only way to scam someone with Samsung pay except for hacking and such would be to have a powerful receiver and read the code and jam the real reader. Would be hard to do in practice and you still need to trick the bank.
@@marcusm5127 It wouldn't have to be that powerful. Also one could just hijack the phone through blue tooth. Then next time they go to use it the token is relayed to your phone instead of the coil. just only do it on a percentage of first tries and the user won't even realize what's going on and just thing it's a normal failure. And both the bluetooth hack and the token relay have been tried and worked. And the relayed of token even worked when relayed to another country that at the time wasn't on Samsung pay's availability list, many miles away from the originating phone, meaning Samsung pay didn't even sanity check it. "oh you're buying a snack in a country we don't support hundreds of miles away from the phone? No problem"
Nice video! I recently got a contactless card and I highly enjoy the convenience of just holding it to the reader briefly, compared to inserting it and typing a code. Faster than paying with cash. I assume the banks have calculated risks carefully, and that it's cheaper for them to occasionally eat a small disputed charge, rather than to design a 100% safe system. After all, the card number is printed on the card for cameras to see, and attacks where someone has a reader in their pocket would also mean that the fraudulent charge would be deposited into an account that could be investigated. Would love more analyses on that subject though.
All this technology (RFID, NFC, Magnetic Cards, etc) Is not dangerous in mater of security. But is extremely dangerous in mater of privacy. So If you want to have privacy in your life, simply reduce the use of them of even better stop use them.
That doesn't make any sense, in terms of of payments your purchases are logged the same by both the store and credit card companies either way you pay, only way around that is to use cash for everything... Now if you were talking about working at some place that uses wireless tags in order to get around the building, then you kinda have a point.
@@vgamesx1 If I was in charge of building security tech, it would include near range fingerprint scanning, palm line scanning, hair and dot configuration fingerprinting of arms, fingerprint of bare foot characteristics, voice analysis, retina scanning, breath and over all air fingerprinting (seeking most unique possible set of particulate mixture put off by a given person [how animals with a strong sense of smell identify]), as well as checking visible physical characteristics of the body, posture and movement. Not necessarily impossible to fool, but if someone did, every living other spy would blush upon it being proved. Most likely armed security would catch them trying to penetrate a wall, floor or ceiling surface that they can't detect is being monitored.
In Ireland the limit for contactless payments is € 50.00. Aldi raised their limit to € 100.00 last Christmas for the duration of the shopping season. I keep my Credit Cards in an aluminium wallet for safekeeping. Dublin Bus offers a contactless service for fare collection. I had 2 multi journey tickets in my hand and when the bus started I stumbled into the card reader and both tickets were debited with the fare. My duplicate fare was refunded in cash when I called to the office and explained what happened. 8:51
disable contactless by poking a hole in the card where the antena cable is. if the limit is 100 without pin and you lose your card/wallet you are screwed. before you cancel it people will use it. I work in retail and often times I get visits from the police requesting cam footage because a stolen card with no pin contactless was used. So you better add your card to your phone's nfc and poke a hole on the card itself. I even pijed a hole on the cvv number so people can't shop online
When you walk on street, then a man bumped accidentally to you. Who has a pin machine in his pocket and takes 25 euros (because thats the limt in our country) by passing the pinmachine along your pinpass... How to earn 500 euros each day!
You probably can build a high power transmitter and drive around. It's illegal to do so, but if you're one person stealing people's money I guess you wouldn't care about that.
@GreatScott your video does not make enough distinction between NTAG, Mifare and EMV contactless cards. They are pretty different to each other. Each of these has their own "API" and access control systems which run over the ISO standards including ISO 14443. The debit card you showed has both RSA and 3DES, and can be accessed using standard ISO7816 commands. The EMV specifications are the open standards for this, and are available from their website. EMV cards, both contact and contactless, use 3DES or AES session keys which generate a unique cryptogram for each transaction, which signs the transaction amount, the date and a random number from the terminal. This chip data is very difficult to counterfeit or replay (other comments have also made this point).
This is why the old gen samsung smartwatch is so popular. The newest one took away the payment option that simulated your magnetic strip, so it worked EVERYWHERE. Also for security, it only ever worked when you activated it, so nobody can steal it without your consent
You don't need to spend money to buy the metal envelope to protect your credit cards, just use the aluminum foil bag (1 or 2) (perhaps from the candies you just ate) to hold the card(s), that should be able to shield the NFC signals.
The app probebly recognised that it is a debit/credit card and defaults to "I don't understand". As with near feild. There was a couple flif French guys at defcon 14 who showed that with amplification you can read nfc and rfidfron a further distance
Interesting, the modulation scheme uses what is called LSK(load shift keying). this is also used in implantable medical devices to communicate with the implant.
Here in the USA, we have electronically protected stickers which is basically a coil and a capacitor in parallel. When the cashier scans the price tag, the scanner sends out a high voltage magnetic field that shorts out the capacitor. When it is a failed attempt the customer breaks the infrared beam which activates the anti-theft sensors and it sends an electromagnetic field to the tag and the lc oscillator circuit inside the tag lowers the frequency. Please correct me if I’m wrong.
Decent security is based on a combination of something you have (a card f.e.), something you know (a code or password) and/or something you are (figerprint, facial recognition, ...). If only one factor is used, or both can be cracked together (like writing your code on your card), it's not safe. NFC isn't safe, the risk is only limited to a small amount.
security is always at odds with convenience. the safest option possible is also the most inconvenient. different people have different thresholds of what they would consider "worth" the added security.
As it's know in the security industry, the S in RFID is for Safety.
There is no S in...
Oh...
@@rich1051414 👏dont worry i was about to post that
Thers no S in RFID... are yu stupid or someting?????
@@Loznero No
@@Loznero I hope you're joking
I frequently pick up peoples discarded public transit passes, or wristbands from concerts, they contain mifare ultralight tags which can be reprogrammed to perform various tasks on NFC-enabled phones. For example I taped one to my night stand and programmed my phone to enable Do Not Disturb when its detected. Super handy and people just leave them everywhere.
That's pretty cool
Great idea! Can old credit cards be reprogrammed? Or does the security prevent that?
@@TheRainHarvester cards that have security cant be reprogrammed but apps like Tasker and Trigger can still use them
I wish mifare desfire mk2s weren't protected so much
Shadan Rikan yeah but free is free
Greetings to Germany from Germany
The only country where your credit Card is Secure (because you just cant use it to buy a cup of coffee) :D
Same :D
@@ostelaymetaule haha xD
@@ostelaymetaule sooo true 🤣
Danke😉🤣
Worked in industry with this technology the big thing I took away from it was that cards don't have a rolling transaction number, your phone does thus each transaction on your phone can only be used once per transaction and not duplicated.
Had the idea to make my phone work as a key to my rfid sensor and came to this conclusion as well. It scanned a different number everytime. So that didn't work..
Only problem is that the phone can be hacked. Often over blue tooth . Then your payment processing app will provide codes to the hacker remotely until it's caught.
Currently phone payment systems are less secure than chip and pin. Every one of them has been shown vulnerable.
@@kaseyboles30 That's not true
@@resneptacle several of these hacks were demoed at the black hat conference in 11/17 and more have been found since, like the Samsung one with it's predictable token generator(to small a token space, and the way it handles multiple cards on one account makes it worse in that case).
Dig into what the security researchers actual say. Right now chip&pin is much more secure (assuming properly implanted, quite a few are incomplete atm).
@@kaseyboles30 Have a link to what they say?
I follow this Chanel for round 3 years now and the quality of the videos is always incredible high! Thank you for all the time, money and passion you put in our free education ❤️
I remember a few years back at work, having to implement the MIFARE DESFire NFC card's instruction set. Was quite interesting to see how advanced they can technically be.
Lasse Hovlandsdal, may I ask what you implemented?
@@martinrocket1436 Certainly. We were implementing what is colloquially called (at least here) "bus cards"; the NFC-based cards you in many cases can use on public transport. (Specifically, it was an implementation of a subset of the ENV 1545-2 standard.)
@@MrZenzio It might be weird, but I'm wondering, why would you implement like cards instruction set, where there are complete chips that provide complete solution including encryption implementation, CRC validation etc.?
For example PN532 mentioned by Scott. It's just like "I want to talk to that card, that's the password, gimme data from that sector" etc.
@@domints Quite simply, availability. At the time, there was no suitable drop-in component that would work within our specificatio (the hardware it was required to interact with, and some requirements imposed on us by a third party). You are certainly right that it sound like a strange thing to do :)
Your channel has grown alot since I started watching a few years ago. Great work, as always! Your videos are always well made and detailed.
Didn't mythbusters get in trouble for trying to cover this topic?
Useless Duck Company Yes you’re right
derbi senda why would they get in trouble?
Nicksperiments Wellll, they found out how crappy the system was.
@@Nicksperiments they got in trouble because the credit cards companies threatened to cut ad money for their TV channel
sligovolts, really? But if this was true, then media system that relies on commercial sponsors but yet claims to be independent would be inherently broken!? unbelievable.
Come on Scott, this is oversimplified. You usually create content with precise info and much more details. Keep up the standard :-)
I was disappointed too
Yes, its lacking something else
Maybe it's in order to prevent abuse of critical security problems in a criminal way...
Yes that's was a bit short video, usually much more info, but anyway thx Scott
Cookie__XD this was my thought
The short range is not because of the "high frequency", it's because that chips use capacitive coupling. At work I had to do with UHF tags at 868 MHz which have a much higher range because they are using inductive coupling. But please don't ask me for details, I just had to control the reader :)
Both can have really long ranges with very specialised equipment, so it is possible to make it go far
Great video my friend... Nice format!! It allows people that aren't too technical to somewhat understand the tech they use everyday, and the people that are tech savvy can look up the IEEE standards to acquire more information...
I had a professor in college that taught this way.. He called it "The Big Picture".. It allowed us to start thinking about the subject before we fully understood the science behind it.. That way, we weren't 'blindly' learning and it sparked our interest.
NFC relay attacks are still a thing which can be done against many card variants. You can buy these garage door readers which allow for long distance (like a few feet) reading; I am not sure how to hack one of these things such that a proxmark can use the antenna instead, but it should be possible.
Thanks!
Thanks for the support :-)
This is amazing timing. I discovered NFC tools TODAY and I ordered RFID reader yesterday for a project me and a couple of friends are commiting to.
I am a little bit dissapointed you didn't cover the difference between the different RFID readers. Please cover this in another video!
I use these cards every day, now I finally know how they work!
I downloaded the App and read all my cards, very cool technology 😊👍
Many thanks for the upload!
5-1=4, that's a minus.
ISO 14443-4, that's a dash.
Not trying to be rude, just informing you of a mistake you make. You're still the best English speaking German I've heard!
*Not to be rude, just informing you of a (/the) mistake you -> made
The quality of your videos have really raised in the last year or so. WOW...
both bank (ATM) cards and SIM cards are using same standard and actually are (at very least) similar inside, if not identical
those are not just memories
those are full blown computers inside (granted very embedded, but still computers)
they never give access to what is inside, but rather are used to sing, decrypt and encrypt data
So, this is actually a fun topic, as stated, the nfc cards have chips, though, these chips can come in 2 variants, dumb chips, and smart ones. Bank cards actually use the smart ones which can execute code themselves.
When a card comes in contact with a compliant terminal (lets say a train ticket machine) your bank card will communicate and generate a one-time-use token to authorize the payment.
these payments are often bundled together and then send to your bank for processing, but that's another topic.
In essence this means that even if you could capture the data, the token would be different each time, and because only your bank knows how your card encrypts said token, it'll make finding people who try to pass on those fake codes trivial.
Additionally, these transactions need to be approved by your bank, and this needs to be done on-line, essentially:
1) the transaction + authorization token is send to your bank
2) your bank checks if the token is valid
3) your bank checks the transaction itself and may flag it if it spots something wrong with it (done by complex algorithms)
4) your bank checks the receiving party
This system is by no means perfect, if a person were to steal your card, they could make a few transactions before you'd block if for instance.
BUT, its a lot better than the old mag strip system, where all the data was on the strip, rather than cryptographic ally stored on the card
Please make a Video with muscle sensors!
I can put it on my to do list
And maybe also the alcohol sensor from Arduino
I'VE BEEN WAITING SOOOO LONG FOR A VIDEO LIKE THIS!!!! THANKS!!!
Could you make a video about DIY or BUY BMS with balance charging? As always, great video m8!
Gruezi
Search for collin hickey or adam welsh diy bms
Part list around 30 dollar
at work i use a handheld rfid machine to scan rfid tags for inventory control, it takes about 10 seconds to scan 200 items and works about 20-30 feet away. none of my current debit/credit cards use rfid now, and only one did before but didn't last long it seems.
Its all about the frequency^^ There are Toll Stations with long range RFID, but they can't read your credit card in your wallet, cause they use another frequency.
My dorm just had a renovation and introduced RFID/NFC door locks... I wonder how secure it is. I'm going to try and see if they did something stupid like having the memory on the key being a combination of your room nr and something else and not a completely random key. If it isn't random I could make a master key that works everywhere. It wouldn't surprise me.
Edit (09/12/2022): Today I picked up a newspaper at my dorm. On the front page the company that installed our locks in our dorm is being criticized for ignoring security concerns and that their locks are easily copied and turned into universal keys that work for thousands of apartments and dorms. Guess i was right xD
My OCD was pleased with your diagram drawing proficiency.
Diy or buy rfid smart door lock?
Cool,would definitely like to see
Still not safe tho
DIY, i have a $1000 SALTO-system at my home. Way to expensive
Depends of the safety you need.
If it's for your house's main door definitely buy, but if it's just to keep your annoying sibling out of your room or something like that diy is the way to go.
buy an encrypted one for the front door/backdoor/exterior access. Definitely DIY anything on the inside because buying each time for the inside will leave your wallet drier than the mojave.
I could tell you are from Germany firstly from the EC card in the video thumbnail because I had the same when I lived there. Thumbs up for team lefties, as I am one as well. 👍 Good video, thanks for sharing!
Woah, I would have never thought to "loop" a probe like that.
Best quality content for electronics on ytb
Now if everything is connected to the internet, nothing is safer :(
Thanks for this video!
This video had nothing to do with the internet
flexairz Transfer between the store and the bank would happen the same way whether or not the customer used NFC. This video is about RFID and NFC so I was just saying this comment is not very relevant to the topic of the video.
does not matter internet or not, nothing is absolutely saft
You shouldn't be, at least if you're using Google pay or similar. If Google messes things up you'd be sure that they won't take it lightly, besides banks always insures you that your money is safe, no matter how stupid you are.
You could live even without internet just some simple Phones and Messages now it is painful because most of time everything uses Internet for faster communication
good video, notes are..
3 popular ICs
- RDM6300 (125KHz)
- PN532
(13.56Mhz
) - Can handle more RFID tags, but not credit card NFC data (this might work for workplace access card)
- RC522
(13.56Mhz
) - Can’t read credit card NFC data
, Can read and write
Frequencies used (13.56Mhz) HF
MIFARE Classic 1K - (tag based RFID)
Both the card and the tag, holds 1KB of data
Contactless payment uses NFC and not RFID (and has standards) and it uses 13.56Mhz
So credit card’s NFC cant be read with RC522 Card. a HP with NFC maybe able to read NFC card and gives the card type (ISO 1443-4) but cant read memory as the data is encrypted.
NFC limits are way higher here in Australia (think of people buying groceries etc) I killed my antenna but left the chip untouched, so no contactless payment for me (or anyone else if I lost my wallet) 👍
Here in Europe, NFC also works above €25,-. You're just required to enter the PIN after the NFC transmission for those transactions.
@@phsch108 $100 AUD here is the point after which a pin is required, $100 in multiple store would soon deplete a healthy bank account
VERY useful video. I've used RC522 in personal projects before, nice to see a video this detailed!
I always love watching you draw and write on paper in your videos. It's a cool aesthetic you don't see often anymore.
6 months ago i had an implant in my left hand with an ISO 14443 and i use it every day. i think NFC/RFID technology is underrated.
Lemme guess dt NExT? Cuz I have one too but just use it to meme as around as I haven't gotten my hands on a proxmark yet to write the lf side
In a German identity card is a RFID chip as well, and it is readable with the Arduino RFID reader :O
Yeah, but its useless to do so because it sends you any time you do a Reset another ID, at least so is mine. Most Datasheets for RFID Cards are under NDA, so you won't know how to talk to it/decrypt it. You can't even get the Datasheets for a Desfire Card without signing any NDA. Actually, they have done well on it in the "Internet Neuland" ;D
I've been using NFC Tools a lot recently in conjunction with NFC stickers I got for peanuts online - 10 for about £3 with free shipping! I've been experimenting on different ways of using them and I have been finding some great uses. The only real limitation is storage space so you have to program them efficiently.
Great Video, Scott.
Should you want to go into more "in depth" of both NFC and the security around it, I can connect you to people that are on the edge of this technology. I recently got a demo about the NTAG 424 DNA (Followup of the NTAG 413 DNA) which is a great and affordable chip type from NXP and has a very, very high level of security.
Congratulations for one million Subscribers
OK, it sends the data, but encrypted by the manufacturer key. *Safe as long as the card maker* can keep their encryption keys safe. After that, everybody is not safe. The govts can probably pressure the card issues to give them the keys, if they wanted to. OR till real evil people figure out some weakness in the tech.
Why would the govt want the keys?
The way contactless skimming works is that people would get a POS machine using a shell company to tap everyone's bag and if they get lucky they can tap some cards that got contactless payment enabled.
Which kinda makes QR code payment 100X safer IMO. It requires you to take out your phone and reveal the QR code, which is an authentication key. And you can protect that feature using biometric authentication and device lock. And you get almost free skimming insurance with that. Ultimately it's not for paying a lot of money, but what matters is that it does require your acknowledgment in order to make the payment.
well, you've talked about passive RFID, but i think it would make a great video if you'd talk about Active RFID, and maybe made like a security system with it or how safe it is in cars.
Glad to see you with new topic. Stay creative and see you next time
You can also carry two nfc payment cards right up against each other in your wallet, which will confuse the reader.
doesn't even need to be a payment card. I've got my ID card, train ticket, blood donation card, public swimming pool card.... Shit, everything has NFC nowadays
nice 7 cards...x 25 euro ...the bad man can take 175 euro :)) i'm joking..
except it will confuse only shitty readers, because ISO 14443 has collision detection and resolving mechanism described :) With good reader they can bill all your cards at once (except they won't because of reasons I described elsewhere, but having multiple cards isn't the problem)
I thought the cards need energy to activate the chip, so two cards do absolutely nothing to each other.
edit: nevermind, I've read the message wrong.
@Lucas Cruz who should believe what?
Congratulations for 1 million..
☺️☺️
I would love to see a collab with LiveOverflow again about this
Amazing video!!! It helped me refresh some concepts that I learnt in university, in a very practical way! Greetings from Spain!
Contactless payment is not dangerous since it is a RFIC card instead of RFID card that uses an internal key to sign transactions. Therefore, it is ridiculously hard to clone it even if you get physical access to the chip. Even in that case, just use the CVV is much easier :)
Also, mobile payment is great because it requires you to confirm before release the information. like apple pay or sumsung pay.
In my opinion, ApplePay may be the most safe method since it have a physical chip dedicated to cryptography and generate a unique transaction id to perform the transaction.
BTW, the magnet strip contains card#, date, and CVV. therefore, a card w/o card number is just as dangerous if it have a magnetic strip on it. Therefore, I am disappointed that Apple Card have a mag strip on it and still marketing it to be safer. Is your threat model people who are just taking a picture of your card when it is lying on the table?
I was thinking like, if the card encrypted then what stops people from just copying the cards info directly onto a second (maybe virtual) card? What is it that makes rfic harder to clone? Does it communicate instead of just information dumping?
@@lucasschut4174 so the card contains a asymmetric key to sign transactions inside itself, and it would not allow access to the key without some involved process such as DPA
Try lookup FIDO U2F key or Bitcoin wallet, they work in a similar way
You are correct, but bank card uses NFC (Near Field Communication) which is a subset of RFID, but width a much shorter range Up to about 10 cm or 4 inches. Todays RFID can have ranges up to hundreds of meters.
Congrats on 1 million!!!
Before watching the vid, i thought nfc stands for No Freakin' Cable...
lol
Near Field Communication*
@@iProgramInCpp really? I'm shocked
Congratulations for 1 Million subs
Came here before the notification!
lmao me too haha
You can get the data unencrypted from an android phone. It's an app called "credit card reader" it gets the card number, bank, pin tries, chip manufacturer and other misc details, as well as transaction history if your card supports it.
By standard, EMV cards uses strong security which allows safer data exchange. (e.g. RSA/Asymmetric Cryptography)
I remember a while a go, when contacless payments first arrived in the west there were stories of people walking around with portable payment terminals on packed trains just taking a buck here and there through wallets in pockets.
Payments low enough most people wouldn't notice.
That's not really true...
You can pay with NFC on credit cards with higher values than 25€ ;)
For example I paid 480€ contact less for my TV.
The limit of 25€ is only set by your local Sparkasse bank
depends on the banks, you can also make that limit higher or delete. if limit exceed you need to enter your code
all the info are blocks (lines) and sectors (parts) with further detailed info. exampe, block 0 (first line) containts the UID BCC SAK ATQA and the manufacturer data, etc.
I've reported my card missing then used it afterwards contactless several times. I'm about 200 bucks up atm.
I hope u didnt use it in the same location where you live.
@@VIDE0G4M3Enj0YER Yep I sure did. That was a year ago, not had any backlash yet. Banks aren't going to file police reports and subpoena CCTV footage over a couple hundred dollars, they'll just write it off. If I'd stolen thousands or done this more than once, then maybe they would. Good thing about contactless is there's no clawback from the retailer, the Bank takes all of the hit. The extended story behind this is that a utility provider had mistakenly took a large amount out of my account and the bank allowed it even though there was not enough in the account to cover it. It was all sorted and the utility provider refunded the money but the bank refused to refund the fees they charged (which added up quickly) for the unauthorized "borrowing". Instead of going through all the hoops and legal nonsense to get the fees returned, I just did the card thing, then closed the account.
@@spudhead169 ok then i won't hate you. U did what had to be done. Get your rightfull money back. Thx for the idea though ;)
Super Video👍
Du machst Etechnik wirklich interessant und veranschaulichst alltägliche Praxisnähe👏
I use a contactless card and also my phone for wireless payment in stores
I've been waiting for this video. Nice summary.
Crazy idea:
What if, your RFID card had a normally-off button built in, to interrupt the energy supplied by the wireless energy coil, until such time as you want to let the information be transmitted?
Those devices usually are miniaturized, and in some cases it would be very difficult to fit a button in... Think for example about credit cards.
But that's just a minor inconvenience, the main issue is that RFID devices are resonant RLC circuits. Their impedance (apparent resistance) is critical for their operation as it determines at which frequency the circuit resonates and works. A button would majorly screw up the circuit's impedance requiring some serious compensation at factory level. That would mean measuring and adjusting every circuit making this idea definitely possible, but very cost inefficient.
In the end, it all comes down to production costs.
Alessandro Celoria
Ah, I see.
Congrats on the 1M!
My bus stops near me have nfc cards in the bus stop and when you scan it you get taken to the time table on the website which is pretty cool but instead of that i read the card and rewrit to the card so now when you scan it you get taken to pewdiepies channel so you can subscribe
Dafaq really? And why did they put rewritable cards on there smh
@@tanmay______ yeah i thought that because in the card writing setting you can actually write protect them
@Joshua Hutton
They probably didn’t think to write protect them because they didn’t think people would write to them
Whoopsie doodles
@@Abdega bus stops did an oopsie
Pewdpie.
Really?!
Ffsk..
Yes. They shouldn't have left the cards unprotected.
But just because you can.
Doesn't mean that you should.
In Australia, there is a $100 point in which after that including that point you have to enter your pin. However you can just keep doing $99 payments without a pin until the bank finally blocks the card.
The title is: "How safe is contactless payment?" which was not covered in the video :/
the answer is on a card, sort of, at least no one should be able to steal a significant sum. From a phone? very secure.
@@joestevenson5568 In the video is used completely different card type than the credit card has
@@tomhyhlik1788 wdym?
@@jakedowling8414 no, he is not giving any info about contactless payment at all :D
@@tomhyhlik1788 Contactless payments are rfid cards that emit the cards encrypted data into the reader. the point is that if a hackers reader gets close enough to your card it can get your data, tho encrypted. phones can turn this function on and off. so up till there you can get a pretty good self thought out answer
Nice! been reading about RFID and NFC but still learned quite a bit here.
Sparkasse?
Felix R, totally looks like. But one thing he didn't research correctly: The NFC blockers don't always have to be bought. Sparkasse and other banks give them out for free if you ask politely.
@@martinrocket1436 I mean, there is literally the Sparkasse Logo on the Card. He taped over the Name of the Bank though, because it gives away his general region
Timbo Jones, haven't we agreed that he lives in Leipzig?
In the channel description stands he's from Fulda.
Ich heiße das ist sein Impressum und nicht seine echte Adresse. Vermutlich nur eine Agentur
Cool. Keep up the great work on your informative videos. You always have great projects to demonstrate your information. Thanks
You totally oversimplified (or just didn't dig enough) the RC522 / PN532 topic. The 13.56MHz tag isn't spitting out data. It won't even spit out ID without being asked, not to tell about the data.
All the data on the card (1KB in case of Mifare Classic 1K) is password protected and your card spit the data out because your reader asked for it and had proper access keys - in case of your card it was transport key, default consisting of loads of 0xFs.
The only card that just spits out data are the 125kHz cards, but there isn't much there to spit - just few bytes of ID.
the important thing to know is that mifare clasic, mifare ultralite (NFC Payments) and Mirefare desfire (ultra high security), it is not a data dump, but rather 2 way communication between the chip on the card (or fob or tag or whatever), so in an access control senario, (wich uses these technologies), you first have to send a password to the card for it to start opperating, then encryption is established on the communication between the card and reader, then the data is sent as per what is requested by the reader.
Ultralite and Desfire, also, have hardware encryption on the card itself
125khz access cards however do data dump there contents, making them far less secure.
Aldi, Lidl, Kaufland, Hornbach, Media Markt, Saturn
Opening applications with the card is a good idea!
This kind of technology is used in shops to prevent from stealing. Am I right?
Sometimes it might be, but RFID is very limited in range. Often in stores it's a far simpler circuit, purely coil and capacitor which resonates at a specific frequency, this is then detectable by the induction coil by the doors.
To presne neviem, ale je to možné.
@@dronemansk2121 JJ
V knižniciach sú také karty/nálepky proti krádeží.
@@jonny11bonk jáj už viem, ktoré myslíš
Create a project where it uses an active rfid. It should transmit different data in every x second. Make the change synchronized with the Arduino so everytime you authenticate, it would pass. Ex. encrypt "qwerty" with unix time as salt, the mcu(with rfid reader ofc.) and active rfid (also with mcu) will generate the same output as long as their time is in sync.
where is the quadcopter????Oh...and also FIRST!
The video will come out when it is done.
@@greatscottlab r/technicallythetruth
But in all seriousness, take your time. It shurely will be an awesome project, so waiting a but longer will be worth it.
Greetings from Luxembourg!
@@greatscottlab This is one of the questions which made Scott mad. And the one made him hide his "to-do list" 😉😉
@@tonpa8888 maybe he burn it :D
Fortunately for you, MIFARE Plus is the secure version, which uses AES so it's practically unhackable without the key.
It might use, but it also might use compatibility mode. Also, if it is running in compatibility mode, it is hacked already.
I only use Samsung pay, make a video on MST technology
MST works by emulating a magnetic stripe being read. Magstripe is no longer in use for payments in Europe, hasn't been for a long time. But that also means that it's just as insecure as magstripe, so, not much to learn there.
@@nikomo They are still used in Denmark
@@nikomo That is not the case, the Samsung pay is way safer. I don't know the terms, but it only works one time with each code generated and ofc you can only read the code when the user wants to pay. The only way to scam someone with Samsung pay except for hacking and such would be to have a powerful receiver and read the code and jam the real reader. Would be hard to do in practice and you still need to trick the bank.
@@marcusm5127 It wouldn't have to be that powerful. Also one could just hijack the phone through blue tooth. Then next time they go to use it the token is relayed to your phone instead of the coil. just only do it on a percentage of first tries and the user won't even realize what's going on and just thing it's a normal failure. And both the bluetooth hack and the token relay have been tried and worked. And the relayed of token even worked when relayed to another country that at the time wasn't on Samsung pay's availability list, many miles away from the originating phone, meaning Samsung pay didn't even sanity check it. "oh you're buying a snack in a country we don't support hundreds of miles away from the phone? No problem"
Nice video! I recently got a contactless card and I highly enjoy the convenience of just holding it to the reader briefly, compared to inserting it and typing a code. Faster than paying with cash. I assume the banks have calculated risks carefully, and that it's cheaper for them to occasionally eat a small disputed charge, rather than to design a 100% safe system. After all, the card number is printed on the card for cameras to see, and attacks where someone has a reader in their pocket would also mean that the fraudulent charge would be deposited into an account that could be investigated. Would love more analyses on that subject though.
Not all cameras will be able to pick up numbers on the card.
I would gently ask you to reconsider the faith you place in banks.
All this technology (RFID, NFC, Magnetic Cards, etc) Is not dangerous in mater of security. But is extremely dangerous in mater of privacy. So If you want to have privacy in your life, simply reduce the use of them of even better stop use them.
That doesn't make any sense, in terms of of payments your purchases are logged the same by both the store and credit card companies either way you pay, only way around that is to use cash for everything...
Now if you were talking about working at some place that uses wireless tags in order to get around the building, then you kinda have a point.
@@vgamesx1 If I was in charge of building security tech, it would include near range fingerprint scanning, palm line scanning, hair and dot configuration fingerprinting of arms, fingerprint of bare foot characteristics, voice analysis, retina scanning, breath and over all air fingerprinting (seeking most unique possible set of particulate mixture put off by a given person [how animals with a strong sense of smell identify]), as well as checking visible physical characteristics of the body, posture and movement. Not necessarily impossible to fool, but if someone did, every living other spy would blush upon it being proved. Most likely armed security would catch them trying to penetrate a wall, floor or ceiling surface that they can't detect is being monitored.
The greatest explanation EVER
Minus four 😢 It's dash or hyphen.
In Ireland the limit for contactless payments is € 50.00. Aldi raised their limit to € 100.00 last Christmas for the duration of the shopping season.
I keep my Credit Cards in an aluminium wallet for safekeeping.
Dublin Bus offers a contactless service for fare collection. I had 2 multi journey tickets in my hand and when the bus started I stumbled into the card reader and both tickets were debited with the fare. My duplicate fare was refunded in cash when I called to the office and explained what happened. 8:51
disable contactless by poking a hole in the card where the antena cable is. if the limit is 100 without pin and you lose your card/wallet you are screwed. before you cancel it people will use it. I work in retail and often times I get visits from the police requesting cam footage because a stolen card with no pin contactless was used. So you better add your card to your phone's nfc and poke a hole on the card itself. I even pijed a hole on the cvv number so people can't shop online
When you walk on street, then a man bumped accidentally to you. Who has a pin machine in his pocket and takes 25 euros (because thats the limt in our country) by passing the pinmachine along your pinpass...
How to earn 500 euros each day!
That pin machine needs to be linked to a bank account (maybe a merchant account?) so he will soon get caught.
but it might be a stolen account that is just used to get the money physically to then put it somewhere else.
And all his personal information becomes available to your bank to press charges.
I'd much prefer that to someone running off with my wallet.
It was just pure sarcasm but oke😂😂
You probably can build a high power transmitter and drive around. It's illegal to do so, but if you're one person stealing people's money I guess you wouldn't care about that.
@GreatScott your video does not make enough distinction between NTAG, Mifare and EMV contactless cards. They are pretty different to each other.
Each of these has their own "API" and access control systems which run over the ISO standards including ISO 14443. The debit card you showed has both RSA and 3DES, and can be accessed using standard ISO7816 commands. The EMV specifications are the open standards for this, and are available from their website.
EMV cards, both contact and contactless, use 3DES or AES session keys which generate a unique cryptogram for each transaction, which signs the transaction amount, the date and a random number from the terminal. This chip data is very difficult to counterfeit or replay (other comments have also made this point).
Cooles viedeo sehr interessant und hilfreich. Kannst du vieleich mal ein paar viedeos auf deutsch machen?
Schau mal in sein (erstes?) q&a rein er will es auf englisch machen ende
Nein
NFC-Near Field Communication
RFID-Radio Frequency Identification
They both are great 😃
This is why the old gen samsung smartwatch is so popular. The newest one took away the payment option that simulated your magnetic strip, so it worked EVERYWHERE.
Also for security, it only ever worked when you activated it, so nobody can steal it without your consent
I certainly enjoy and appreciate all of your videos. Keep up the great work!
I learned a lot about RF. Thank you so much! ❤️
All hail the Great Scott!!
You don't need to spend money to buy the metal envelope to protect your credit cards, just use the aluminum foil bag (1 or 2) (perhaps from the candies you just ate) to hold the card(s), that should be able to shield the NFC signals.
The app probebly recognised that it is a debit/credit card and defaults to "I don't understand". As with near feild. There was a couple flif French guys at defcon 14 who showed that with amplification you can read nfc and rfidfron a further distance
Interesting, the modulation scheme uses what is called LSK(load shift keying). this is also used in implantable medical devices to communicate with the implant.
You are great teacher.
I always wait for your video
Excellent video as usual.
Here in the USA, we have electronically protected stickers which is basically a coil and a capacitor in parallel. When the cashier scans the price tag, the scanner sends out a high voltage magnetic field that shorts out the capacitor. When it is a failed attempt the customer breaks the infrared beam which activates the anti-theft sensors and it sends an electromagnetic field to the tag and the lc oscillator circuit inside the tag lowers the frequency. Please correct me if I’m wrong.
Decent security is based on a combination of something you have (a card f.e.), something you know (a code or password) and/or something you are (figerprint, facial recognition, ...). If only one factor is used, or both can be cracked together (like writing your code on your card), it's not safe. NFC isn't safe, the risk is only limited to a small amount.
security is always at odds with convenience.
the safest option possible is also the most inconvenient.
different people have different thresholds of what they would consider "worth" the added security.
You've inspired me to setup some RFID wizardry to enable my cat to let itself in'
Cool, keep it up
Thank you for letting me sleep easy after seeing this