How Does Contactless Card Skimming Actually Happen? (And What Stops It)

Why this article exists

Most articles about RFID skimming end the same way. They describe a hooded figure in an airport, hint that you might be at risk, and recommend buying a product. The middle part, the part where the actual attack is explained, is usually missing.

That is a failure of the safety conversation. If you do not understand how skimming actually works, you cannot tell whether a sleeve actually protects you. You cannot tell whether the "RFID blocking" label on the wallet you already own is real or a sticker. You cannot make the decision for yourself.

This article is the technical middle that most articles skip. It explains the physics of a contactless transaction, the hardware a skimmer uses, the real-world attack distance, the conditions that make an attack possible, and how a FIPS 201-listed sleeve stops it. By the end you should be able to look at any product claiming to block RFID and judge whether the claim holds up.

A shorter version of this story, focused on the official FIPS 201 standard, is in What FIPS 201 Means For Your RFID Blocking Sleeve. This one goes a layer deeper on the attack itself.

What is happening when you tap a card?

A contactless card is a passive radio device. It contains a small chip and a thin antenna coil wound around the inside of the card. It has no battery. When the card is held near a payment terminal, the terminal broadcasts a radio signal at 13.56 MHz. That signal does two things at once.

First, the signal induces a small electric current in the card's antenna. That current powers the chip. The chip wakes up.

Second, the chip uses the same antenna to broadcast back. It sends the card number, the expiry, a one-time cryptographic token, and a small amount of related data. The terminal reads the response, validates the cryptographic token, and approves the transaction.

The whole exchange takes about one third of a second. The card never needs to be touched, swiped, or held in a particular orientation. The terminal needs to be within roughly four inches of the card to power it. That is the entire interaction.

This is convenient for paying. It is also the entire physical basis of skimming.

Why any reader at 13.56 MHz is a reader

A payment terminal is a 13.56 MHz reader. So is a transit gate. So is a hotel keycard reader. So is a parking garage gate, an office building turnstile, and many gym entry posts. The protocol is standardized. The same card can pay for coffee in London, ride the metro in New York, and unlock a hotel room in Tokyo because the readers all speak the same language.

A reader does not have to be a payment terminal. It has to be a 13.56 MHz device with an antenna, the right protocol, and enough power. A hostile reader is built from the same components as a legitimate one. The cost of the components has fallen steadily for fifteen years. As of 2026, hobbyist hardware capable of reading a 13.56 MHz card at close range can be assembled for under $200 from publicly sold parts. Industry researchers have demonstrated specialized hardware reaching attack distances of up to one metre for under $400.

The point is not that there is a black market of villains carrying around card-stealing rigs. The point is that the equipment exists, costs little, and works on every contactless card that uses the standard protocol, which is almost all of them.

What does an attack actually look like?

Skimming attacks come in three main shapes. None of them look like a thief running away with your wallet.

The proximity tap. A hostile reader is hidden in a bag, a coat pocket, or a backpack. The attacker stands or sits within four inches of your wallet for a few seconds. The reader powers your card, your card responds, the data is logged. You do not notice anything because there is nothing to notice. The card does not buzz. The phone does not warn you. The wallet does not move.

The crowded space approach. Same as above, but in a setting where four inches of personal space is normal: a packed subway car, an airport security queue, a crowded festival entry gate, a market stall. In those settings, the attacker does not have to do anything unusual to get within range. Body density does the work.

The stationary read. The reader is hidden in a fixed location: a chair in a cafe, a bench at a transit stop, a counter near a checkout. The attacker leaves the reader running and collects data from anyone who sits nearby for long enough. This is the lowest-effort version of the attack and historically the most common in industry reports.

What all three have in common is silence. The card responds, the data is logged, and the attack leaves no trace at the moment of capture. The traveler finds out weeks later when an unfamiliar charge appears on a statement.

What is the actual range?

The most common question is: how close does the reader have to be? The honest answer depends on the hardware.

For the average traveler, the relevant range is the four-to-eight-inch space around their wallet, every minute they are within arm's length of a stranger. That is the geometry of a normal city day.

What stops a card from responding?

A contactless card responds because the reader's signal induces a current in the card antenna. The chip cannot decide whether to respond. There is no on/off switch on the card. As long as the antenna can receive enough energy from the reader, the chip will wake up and reply.

To stop the response, you have to stop the antenna from receiving the signal. That is what shielding does.

A Faraday cage is an enclosure that blocks radio-frequency energy. The classic image is a metal box, but the principle works with much thinner materials at the right frequency. At 13.56 MHz, with a wavelength of roughly 22 metres, you do not need a mesh. You need a continuous conductive surface around the card on every side. A thin metallic foil laminated between paper layers does the job if the laminate is engineered to the right attenuation level and seals at the edges.

The Alpine Rivers® RFID Blocking Sleeves achieve this with a four-layer paper-substrate laminate stack. The outer printed paper layer carries the finish and brand mark. The two inner metallic foil layers are tuned for 13.56 MHz attenuation. The inner paper liner protects the card surface and keeps the foil flat against the card body.

The result is a sleeve that adds about two grams of weight and 0.3 millimetres of thickness, blocks the broadcast while the card is fully inside, and lets the card work normally the second you slide it out. The sleeve is a Faraday cage with the card inside.

How do you know a sleeve actually shields?

The label "RFID blocking" is unregulated. Anyone can print it on a wallet. The question is whether the product behind the label has been tested by an independent third party against a real standard.

The standard most travelers will recognize is FIPS 201, the US federal shielding standard for sleeves protecting government Personal Identity Verification cards. The General Services Administration maintains a public Approved Products List (APL) of sleeves that have passed independent shielding tests.

In 2016, Alpine Rivers® RFID Blocking Sleeves achieved FIPS 201 US government approval, listed as GSA APL #1424. That listing is the public record that an independent third-party lab tested our sleeves against the same shielding standard the US federal government uses for its own credentials.

Two field tests anyone can run, on any sleeve they already own:

Test 1. The transit gate. Slide a transit card into the sleeve. Approach the gate. If the gate opens, the sleeve is leaking. A sleeve that meets FIPS 201 attenuation will not open the gate while the card is inside.

Test 2. The contactless terminal. Hold the sleeved card against a contactless terminal. The terminal should not register a tap, beep, or show a pending transaction. If it does, the sleeve is not shielding at terminal range.

Both tests work for any sleeve, including ours. If your sleeve passes both, keep it. If it fails either, replace it with a sleeve that has independent shielding test data.

Where does the shielding extend beyond a sleeve?

The sleeve is the smallest piece of the Alpine Rivers® range. The RFID Blocking Money Belt and RFID Blocking Neck Wallet are RFID-blocking by design, with three layers of shielding material built into the body of each unit. Any contactless card stored inside the belt or pouch is shielded by the body walls.

Each money belt and neck wallet also ships with bonus FIPS 201-listed RFID Blocking Sleeves. The pouch shields what stays inside. The sleeves shield the cards that leave the pouch for everyday use. Together that is what we mean by Security Beyond Travel™.

For the full story of how the four layers of the Alpine Rivers® range fit together, see What Does A Complete Travel Security Stack Look Like?.

What is the realistic risk profile?

A useful rule: skimming risk goes up when crowds, queues, and standing still come together. The places that hit all three are the places where a card in an unprotected wallet is most exposed. A fuller field guide to those scenarios is in Where Does RFID Skimming Actually Happen?.

For a US-specific breakdown of how the risk plays out across a normal day of travel (airport, transit, hotel, kiosk), see How Safe Are Your Cards When You Travel In The US?.

Frequently asked questions

Is contactless card skimming actually common, or is it overblown?

It is more common than card networks publicly report and less common than the marketing of some "RFID blocking" wallet brands suggests. Industry research has documented real attacks in the field. Card issuers offset most fraud losses through zero-liability policies, which reduces the visible cost to consumers but does not remove the underlying attack surface. A sleeve is a low-cost, no-effort precaution that closes the surface entirely.

Will the chip in my card ever turn off?

No. The chip is purely passive. It powers up whenever it receives a 13.56 MHz signal at the right strength. There is no switch, no software setting, no battery to remove.

Do I need to worry about my passport too?

Yes if you carry a US, UK, EU, AU, NZ, JP, or KR passport issued after October 2006 (US dates; other countries similar). All of those contain a 13.56 MHz contactless chip storing your name, date of birth, photo, and document number. The Alpine Rivers® passport sleeves are sized to fit the current passport books including the 52-page versions.

Does aluminum foil work as a homemade RFID block?

Partial. Aluminum foil is conductive but very thin and easy to tear. A single sheet wrapped around a card can reduce read range, but the seal is unreliable and the foil degrades quickly. A purpose-made laminate sleeve does the same job better, lasts years, and includes a verified shielding standard.

Is contactless skimming the same as ATM skimming?

No. ATM skimming uses a physical overlay on the card reader at the ATM that captures the magnetic stripe data and a hidden camera that captures the PIN. Contactless skimming is wireless, requires no physical contact, and targets the chip not the stripe.

Does putting cards together in a stack confuse a reader?

Sometimes. A reader trying to power two cards at once gets ambiguous responses and may not complete a read. This is not reliable shielding. A real sleeve isolates each card individually, which is the only reliable approach.

How long does a FIPS 201 sleeve last?

Years with daily use. The laminate does not degrade with normal handling. Replace if the inner liner tears or if you can see metallic foil through the paper.

What the Alpine Rivers® range looks like today

Every production run, every variant, goes through independent batch inspection. That has been true since 2015 and it has never stopped.

If you have a question about RFID skimming or shielding that this article did not answer, contact us at info@alpine-rivers.com. We answer every message.

Related reading

• Where Does RFID Skimming Actually Happen?

• Does FIPS 201 Matter For Civilian Travelers?

• How Safe Are Your Cards When You Travel In The US?

About the author

This post is by the founder of Alpine Rivers®. The brand was founded in 2015, designed in Houston, Texas, and headquartered in London. Alpine Rivers® operates the official Alpine Rivers® Brand Store on Amazon with over 19,000 verified reviews across the product range at 4.7 stars. The founder writes about RFID shielding, travel-grade product engineering, and the gap between marketing claims and independent testing.

Alpine Rivers® and the Alpine Rivers® logo are registered trademarks of Alpine Rivers® (USPTO Reg. 5,122,373 and 6,325,028). PolyShield™ and Security Beyond Travel™ are trademarks of Alpine Rivers®.

California residents: see our Proposition 65 Warning.