The Invisible Pickpocket
We dive deep into RFID cloning. How Niko Webb steals your digital credentials just by standing next to you in an elevator.
THE COUNTERMEASURE
Dispatch #008
Niko Webb doesn’t need to pick your pocket to steal your keys. He doesn’t need to break into your house while you’re sleeping.
He just needs to stand next to you for three seconds in a crowded elevator.
Picture it: You’re in the lobby of a high-rise. You get into the elevator, headed for the 40th floor. It’s packed. A guy in a nondescript jacket is pressed up against your right side. The elevator jostles. His hip bumps yours. He murmurs an apology.
By the time the doors open on your floor, that guy has a perfect digital copy of the access card tucked in your wallet. He can now enter your building, your office, and your secure server room as if he were you.
Today, we are looking at the RFID Clone: the invisible pickpocket trick.
To understand how Niko does it, we have to look at the technology inside that piece of plastic hanging around your neck.
The Science of the “Bump”
The Technology: Passive RFID
Look at your office access badge. It’s just a thin piece of plastic, right? No battery compartment, no charging port.
So, how does it talk to the reader on the wall?
It’s called Passive RFID (Radio-Frequency Identification). Inside that plastic card is a tiny microchip connected to a coil of hair-thin copper wire that acts as an antenna.
Because it has no battery, the card is unpowered almost all of the time. Until a reader’s field reaches it, it’s just inert plastic and metal.
The “Handshake” (How it’s supposed to work):
When you hold your badge up to the reader on the wall to unlock a door, a very specific sequence of physics happens:
The Shout: The reader on the wall is constantly emitting an electromagnetic energy field. Think of it like an invisible flashlight beam that is always on.
The Wake-Up: When your card enters that energy field, the copper coil inside your card acts like a sponge. It “absorbs” that energy from the air, converting the magnetic field into a tiny burst of electricity.
The Echo: That burst of electricity wakes up the microchip just long enough for it to send its unique serial number back. The card doesn’t transmit on its own; it switches the load on its coil on and off in a pattern, and the reader senses that pattern as a ripple in its own field.
The Unlock: The reader hands that number to the door controller, which checks it against its list. If it’s on the list, the door clicks open.
The Hack: The Digital Vampire
Niko knows that your card is dumb. It doesn’t know who is asking for its ID number. It’s programmed to wake up and shout its credentials to any device that provides enough energy.
Niko carries a device (perhaps something like a Flipper Zero, a Proxmark3, or a custom-built rig hidden in a messenger bag) that acts exactly like the reader on the wall, but portable.
The Elevator Attack:
Niko stands next to you in the elevator. He knows your badge is likely in your back pocket or clipped to your belt.
He activates his device. It sends out the same electromagnetic “shout” (the excitation field) that a wall reader does. One caveat here: a pocket-sized reader like a Flipper only wakes a card a few centimetres away, so the rigs physical pen-testers actually carry for this are long-range readers with a large antenna hidden in a bag, which pushes that to tens of centimetres.
Even through the fabric of your pants and his bag, that energy field hits your card.
Your card wakes up, thinking it’s at the office door, and politely shouts its ID number directly into Niko’s device.
Niko’s device saves that number.
The whole process takes less than a second. There is no noise. There is no vibration. You feel nothing but a crowded elevator.
Later, Niko can write that number onto a blank rewritable card (a T5577 blank is the usual choice for 125 kHz), or just have his device emulate your card at the door reader.
The door opens. The system logs show that you just entered the building.
Reality Check
Are all cards this easy to clone?
No. Many modern systems use high-frequency (13.56 MHz) smart cards such as MIFARE DESFire that require a cryptographic challenge-and-response, not just a simple serial number shout. Those are much harder to clone quickly. Two caveats, though: older 13.56 MHz cards like MIFARE Classic use a broken cipher (Crypto-1) and are cloned almost as fast, and a DESFire system configured to check only the card’s fixed UID instead of running the challenge-response is just a serial-number shout at a different frequency.
But you would be shocked at how many Fortune 500 companies, government buildings, and luxury apartment complexes still use older, low-frequency (125 kHz) HID Prox cards because they are cheap and “good enough.”
To a physical pen-tester like Niko Webb, “good enough” means “open for business.”
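To make the elevator attack and the Reality Check concrete, here is an added example of my own (not code from the page, a card vendor, Flipper, or Proxmark) modelling two door systems: one that trusts a static ID, the way the 125 kHz cards do, and one that answers a fresh per-tap challenge with a keyed MAC, standing in for the DESFire-style exchange. The card ID, the key, and the HMAC-SHA256 construction are assumptions for the illustration, not what any real card implements. The first function is the elevator story: the skimmed reply opens the door and the audit log blames the victim’s ID. The second shows why a recording is useless once the door picks its own challenge.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass


# --- The 125 kHz "dumb" card: the same bits for whoever powers it ---------

@dataclass
class PassiveIdCard:
    card_id: int  # the static number the card shouts (made-up value below)

    def respond(self, excitation: bytes) -> bytes:
        # A passive LF card cannot tell the wall reader from a skimmer.
        return self.card_id.to_bytes(4, "big")


@dataclass
class ReplayCard:
    """A blank card written with a skimmed reply, or a device emulating it."""
    captured: bytes

    def respond(self, excitation: bytes) -> bytes:
        return self.captured  # ignores whatever the reader sends


class IdOnlyReader:
    """Door reader + controller that trusts whatever number comes back."""

    def __init__(self, allowed_ids: set[int]) -> None:
        self.allowed_ids = allowed_ids
        self.log: list[tuple[int, bool]] = []  # what the audit trail records

    def try_open(self, card) -> bool:
        reply = card.respond(b"field")  # the excitation field, abstracted
        card_id = int.from_bytes(reply, "big")
        granted = card_id in self.allowed_ids
        self.log.append((card_id, granted))
        return granted


def skim(card) -> bytes:
    """Niko's portable reader: power the card, record what it says."""
    return card.respond(b"field")


# --- A challenge-response card: the reply depends on a fresh nonce -------

@dataclass
class ChallengeResponseCard:
    card_id: int
    key: bytes  # secret shared with the door at issuance (made-up value)

    def respond(self, challenge: bytes) -> bytes:
        cid = self.card_id.to_bytes(4, "big")
        tag = hmac.new(self.key, cid + challenge, hashlib.sha256).digest()
        return cid + tag[:8]


class ChallengeResponseReader:
    def __init__(self, keys: dict[int, bytes]) -> None:
        self.keys = keys
        self.log: list[tuple[int, bool]] = []

    def try_open(self, card, challenge: bytes | None = None) -> bool:
        challenge = challenge or secrets.token_bytes(8)  # new nonce per tap
        reply = card.respond(challenge)
        cid, tag = reply[:4], reply[4:]
        card_id = int.from_bytes(cid, "big")
        key = self.keys.get(card_id)
        if key is None:
            self.log.append((card_id, False))
            return False
        expected = hmac.new(key, cid + challenge, hashlib.sha256).digest()[:8]
        granted = hmac.compare_digest(expected, tag)
        self.log.append((card_id, granted))
        return granted


def elevator_attack_id_only() -> tuple[bool, list[tuple[int, bool]]]:
    """Bump in the elevator, then tap the clone at the door."""
    victim = PassiveIdCard(card_id=0x00A1B2C3)
    door = IdOnlyReader(allowed_ids={0x00A1B2C3})
    clone = ReplayCard(captured=skim(victim))
    return door.try_open(clone), door.log


def elevator_attack_challenge_response() -> tuple[bool, list[tuple[int, bool]]]:
    """Same bump against a card that answers a challenge instead."""
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    victim = ChallengeResponseCard(card_id=0x00A1B2C3, key=key)
    door = ChallengeResponseReader(keys={0x00A1B2C3: key})
    # The skimmer issues its own challenge and records the answer ...
    clone = ReplayCard(captured=victim.respond(b"\x11" * 8))
    # ... but the door issues a fresh one, so the recording fails to verify.
    return door.try_open(clone), door.log


if __name__ == "__main__":
    print("ID-only door opened for clone:", elevator_attack_id_only())
    print("Challenge-response door opened for clone:",
          elevator_attack_challenge_response())
```

Note what the two logs record: in the ID-only case the entry reads as the victim’s card, granted, which is exactly the “you just entered the building” line above. The challenge-response door still logs the victim’s ID, but denied, because the tag was computed over a nonce it never issued.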
So, the next time you’re squeezed into a crowded space and someone bumps your hip, check your wallet. The cash might still be there, but your digital identity might be gone.
Stay dangerous,
Alex Holt