How can RFID/NFC tags not be cloned when they are passive technology?

Because the cards contain a chip which is powered by a coil. The coil is not really an antenna, but half of a transformer.

Think of your regular mobile charger. This contains a transformer that will transform the voltage from 230V or 120V AC to 5V DC. This is done by having a coil magnetize some iron, and this iron magnetizes the "receiving coil". If you draw current from the receiving coil, the primary coil will also draw more current.

Now, let's go to the "passive" card again.

The reader is one half of a transformer, and the card is the other half, but this transformer creates a magnetic field in the air instead of magnetizing iron. When you put the card close to the reader, the reader and card become a full transformer, and thus the card can be powered, as if it were connected to a battery.

For the reader to transmit information to the card, the reader only needs to vary the frequency or amplitude of the AC voltage that powers the primary coil. The card can sense this and act on this information. For the card to send information back to the reader, the card simply short-circuits its own antenna via a transistor and a resistor. This will, like the mobile charger, cause the primary coil, i.e. the coil in the reader, to consume more current, and the reader can sense this (by feeding the primary reader coil via a resistor and then measuring the voltage across the resistor) and read the data the chip sends to the reader.

This means that half-duplex bidirectional communication is possible with RFID, thus the chip can do anything, and work like a contact smart card. And as you know, a contact smart card with a security chip that can securely store a key, and only perform operations with the key, is impossible to "clone" or "copy" as the key cannot be extracted. That's the security of smart cards: they cannot be cloned, and that's why they are preferred over magnetic stripe cards.

Thus, the same applies to wireless/contactless RFID cards.
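
The load-modulation link described in this answer, as an added simulation that is not part of the original post: the card toggles a load across its coil per bit, the reader watches the voltage across a sense resistor in series with its own coil and thresholds the per-bit envelope. All constants (current levels, bit length, noise) are constructed toy values; a real ISO 14443 card modulates a subcarrier with Manchester or BPSK coding over much longer bit periods, which is not modelled here.

```python
import math
import random

# Constructed toy values, not measurements from any real reader.
SAMPLES_PER_CYCLE = 8      # samples of the carrier sine per cycle
CYCLES_PER_BIT = 16        # carrier cycles the card holds each bit (assumption)
R_SENSE = 1.0              # ohms: sense resistor in series with the reader coil
I_UNLOADED = 0.10          # amps in the reader coil while the card's load switch is open
I_LOADED = 0.14            # amps when the card shorts its coil: more current is drawn
NOISE = 0.005              # amps of additive noise on the sensed current

def card_load_modulate(bits, seed=1):
    """Card side: for each bit, close (1) or open (0) the transistor across its coil.
    Returns the per-sample current that flows in the reader's primary coil."""
    rng = random.Random(seed)           # deterministic noise so runs are repeatable
    n = SAMPLES_PER_CYCLE * CYCLES_PER_BIT
    samples = []
    for bit in bits:
        amp = I_LOADED if bit else I_UNLOADED
        for k in range(n):
            carrier = math.sin(2 * math.pi * k / SAMPLES_PER_CYCLE)
            samples.append(amp * carrier + rng.uniform(-NOISE, NOISE))
    return samples

def reader_demodulate(current_samples):
    """Reader side: voltage across R_SENSE, peak per bit period, threshold halfway
    between the two expected envelope levels."""
    n = SAMPLES_PER_CYCLE * CYCLES_PER_BIT
    volts = [i * R_SENSE for i in current_samples]
    threshold = (I_UNLOADED + I_LOADED) / 2 * R_SENSE
    bits = []
    for start in range(0, len(volts) - n + 1, n):
        envelope = max(abs(v) for v in volts[start:start + n])
        bits.append(1 if envelope > threshold else 0)
    return bits

def bytes_to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

if __name__ == "__main__":
    payload = b"\xa5\x3c"
    received = bits_to_bytes(reader_demodulate(card_load_modulate(bytes_to_bits(payload))))
    print(received == payload, received.hex())
```

The threshold sits midway between the two envelope levels, so the noise margin is half the difference between loaded and unloaded current; in a real reader that margin is what limits read range, since the modulation depth shrinks with distance.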


NFC (Near Field Communications) cards are not passive. NFC readers constantly transmit RF (radio frequency) energy; this is called a carrier signal. Very close to the reader (within about one wavelength, putting the "Near" in Near Field Communications), the RF transmission is strong enough to induce enough energy into the receiving antenna to power the circuit in the card. The card contains a computer chip that has a CPU that can process received data, a small amount of static memory, and the ability to "transmit" a response (transmission is achieved by attenuating the carrier signal).

Mag stripe cards (those that have no embedded chip) are passive. They have only "static" authentication data, which is probably what you're thinking of. The data is encoded on the stripe at the bank when it's issued, and it's always the same data, read after read after read. The mag stripe is technically very limited, and contains only a few pieces of information. They are the PAN (Primary Account Number), cardholder name, expiration date, service code, and a secret value called the CVV (Cardholder Verification Value). In total, no more than 79 characters can be encoded on the first track of a mag stripe.

NFC chip cards used for payments are programmed to emulate the same 79 characters that you might find on a mag stripe card, with a couple of exceptions: they can listen for variable data transmitted by the reader, they can respond with whatever the chip is programmed to send, and each card contains a secret key that is known only to the bank that issued the card.

To communicate, the reader sends the chip some data about the transaction including a random "challenge" number. The chip then encrypts the challenge value (and other transaction data) using the secret key stored in the card. The chip then emits this computed value in place of the CVV. This is called "dynamic" authentication data, because the number is different with every transaction and challenge.

The reason these cards are not easily clonable is that nobody but the bank knows the secret key hidden in the chip, so nobody else can produce a card that will react the same way to the challenge that came from the reader, thus the cloned card cannot produce the correct CVV. The bank is responsible for detecting the incorrect CVV and rejecting the request from the cloned card.

Not all the systems in use today are perfect. Researchers (and criminals) have figured out several attacks. Some cards are inherently insecure because they use weak encryption (such as the MiFare cards often used in transit systems). Some cards have had their secret keys read by using side channel attacks, such as power analysis or timing analysis. Some have been examined using ion beam microscopy, revealing the bits containing the secret keys. And some banks did a poor job initially implementing their secret keys such that they didn't validate the CVVs correctly.

Once a system is properly implemented, chip cards are very, very difficult to clone, whether they be NFC read or inserted into a chip reader.
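
The challenge/response exchange this answer describes, as an added example that is not part of the original post and not any bank's real implementation: the terminal sends a fresh random challenge, the card MACs it together with the amount under a key only it and the issuer hold, and the issuer verifies. A clone built from skimmed static data plus one recorded cryptogram fails because the next challenge is different. Real EMV uses an issuer-specific MAC (the ARQC) over a defined set of transaction fields; HMAC-SHA256 truncated to 8 bytes is a stand-in, and the PAN, class names and amount field are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

CRYPTOGRAM_LEN = 8   # assumption: 8-byte dynamic value emitted in place of the CVV

def compute_cryptogram(key, challenge, amount_cents):
    """MAC over the reader's challenge and the transaction amount, keyed with the
    card's secret. Only the card and the issuer hold the key, so only they can
    compute it. HMAC-SHA256 stands in for the issuer's real MAC algorithm."""
    msg = challenge + struct.pack(">I", amount_cents)
    return hmac.new(key, msg, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]

class IssuerBank:
    def __init__(self):
        self._keys = {}                 # PAN -> card key, stored only at the issuer

    def issue_card(self, pan):
        key = os.urandom(16)
        self._keys[pan] = key
        return ChipCard(pan, key)

    def authorize(self, pan, challenge, amount_cents, cryptogram):
        """The bank, not the terminal, recomputes and compares the cryptogram."""
        key = self._keys.get(pan)
        if key is None:
            return False
        expected = compute_cryptogram(key, challenge, amount_cents)
        return hmac.compare_digest(expected, cryptogram)

class ChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key                 # never readable over the air

    def static_data(self):
        return {"pan": self.pan}        # what a skimmer can copy

    def respond(self, challenge, amount_cents):
        return compute_cryptogram(self._key, challenge, amount_cents)

class ClonedCard:
    """Built from skimmed static data plus one cryptogram recorded from a real
    transaction; it has no key, so all it can do is replay that value."""
    def __init__(self, static, recorded_cryptogram):
        self.pan = static["pan"]
        self._recorded = recorded_cryptogram

    def respond(self, challenge, amount_cents):
        return self._recorded

class Terminal:
    def __init__(self, bank):
        self.bank = bank

    def transact(self, card, amount_cents):
        challenge = os.urandom(4)       # fresh unpredictable number per transaction
        cryptogram = card.respond(challenge, amount_cents)
        return self.bank.authorize(card.pan, challenge, amount_cents, cryptogram)

def demo():
    """Returns (genuine card accepted, replaying clone accepted)."""
    bank = IssuerBank()
    terminal = Terminal(bank)
    genuine = bank.issue_card("4000001234567899")   # constructed test PAN
    genuine_ok = terminal.transact(genuine, 1999)
    # Attacker eavesdrops on one transaction and copies the static data.
    overheard_challenge = os.urandom(4)
    recorded = genuine.respond(overheard_challenge, 1999)
    clone = ClonedCard(genuine.static_data(), recorded)
    clone_ok = terminal.transact(clone, 1999)       # new challenge, stale answer
    return genuine_ok, clone_ok

if __name__ == "__main__":
    print(demo())                       # (True, False)
```

Two details carry the security argument: the challenge must be unpredictable (a counter the attacker can anticipate lets a clone pre-record the right answer), and verification happens at the issuer with a constant-time compare, which is why the answer above says the bank is responsible for rejecting a wrong CVV.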



Your question assumes 2 things:

  1. That RFID tags cannot be cloned
  2. And they are passive, not active.

Both points are incorrect:

  1. RFID tags can be cloned. Tags which do not make use of password-protection or over-the-air (OTA) encryption can have their data banks copied into new tags.
  2. RFID tags (at least Class 1 Generation 2 tags, aka UHF RFID tags) are computationally active, not passive. Their "passive" nature refers to their not needing an attached power source.

RFID tags (at least "Class 1 Generation 2" tags) are transponders and they're powered by the very RF wave sent to query them.

The majority of RFID tags are not encrypted and do not have any secrets; they act like a barcode does and merely repeat the same information every time they're queried, in which case they can very easily be cloned.

However, the Class 1 Gen 2 tags (at least) support features like passwords (the scanner includes a password in the RF signal sent to query the tags) and over-the-air encryption, though this is not a mandatory feature and not every Class 1 Gen 2 chip supports it.

Research has been done into the security of RFID, here is one such recent paper: The security of EPC Gen2 compliant RFID protocols.
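
The two tag types this answer contrasts, as an added example that is not from the original post or from the EPC Gen2 specification: a barcode-style tag whose memory is fully readable and therefore fully copyable, and a tag whose user memory is locked behind the 32-bit access password. The password check follows the Gen2 Access pattern (reader requests an RN16, then sends each 16-bit password half XORed with that RN16, called cover-coding); the class names, the two-bank memory layout and the test data are simplified assumptions, and the optional over-the-air encryption is not modelled.

```python
import os

class Gen2Tag:
    """Toy model of an EPC Class 1 Gen 2 tag: an EPC bank anyone can read and a
    USER bank that may be locked behind the access password. Real tags have four
    banks (Reserved, EPC, TID, User); this is a simplification for the example."""
    def __init__(self, epc, user_data, access_pwd=0, lock_user=False):
        self.mem = {"EPC": bytes(epc), "USER": bytes(user_data)}
        self._access_pwd = access_pwd & 0xFFFFFFFF
        self._lock_user = lock_user
        self._secured = self._access_pwd == 0   # zero password: no Access needed
        self._rn16 = None
        self._half = 0                          # which password half comes next

    def req_rn(self):
        """Req_RN: hand the reader a fresh 16-bit random number."""
        self._rn16 = int.from_bytes(os.urandom(2), "big")
        return self._rn16

    def access(self, cover_coded_half):
        """One half of the Access command. The reader sends 16 password bits XORed
        with the RN16 from the preceding Req_RN (cover-coding)."""
        if self._rn16 is None:
            return False
        half = cover_coded_half ^ self._rn16
        self._rn16 = None
        if self._half == 0:
            expected = (self._access_pwd >> 16) & 0xFFFF
        else:
            expected = self._access_pwd & 0xFFFF
        if half != expected:
            self._half = 0
            return False                        # a real tag simply stops replying
        if self._half == 0:
            self._half = 1
            return True
        self._half = 0
        self._secured = True                    # both halves matched
        return True

    def read(self, bank):
        """Returns None (tag stays silent) for a locked bank while not secured."""
        if bank == "USER" and self._lock_user and not self._secured:
            return None
        return self.mem.get(bank)

def reader_dump(tag):
    """What a reader that knows no password (a cloner's sled, say) can pull off."""
    return {bank: tag.read(bank) for bank in ("EPC", "USER")}

def reader_access(tag, access_pwd):
    """Legitimate reader: Req_RN then a cover-coded half, twice."""
    for half in ((access_pwd >> 16) & 0xFFFF, access_pwd & 0xFFFF):
        rn16 = tag.req_rn()
        if not tag.access(half ^ rn16):
            return False
    return True

def clone_from_dump(dump):
    """Attacker writes the dump into a blank tag; banks it could not read stay empty."""
    return Gen2Tag(epc=dump["EPC"], user_data=dump["USER"] or b"")

if __name__ == "__main__":
    plain = Gen2Tag(b"\x30\x00\x11\x22", b"pallet-17")               # constructed data
    print(reader_dump(clone_from_dump(reader_dump(plain))) == reader_dump(plain))
    locked = Gen2Tag(b"\x30\x00\x11\x23", b"batch-secret", access_pwd=0xDEADBEEF, lock_user=True)
    print(reader_dump(locked)["USER"], reader_access(locked, 0xDEADBEEF), locked.read("USER"))
```

The password only protects against a cloner who talks to the tag alone: the EPC bank is still copied verbatim, and cover-coding is an XOR with a value the tag itself transmits in the clear, so anyone who overhears both the Req_RN reply and the Access command recovers the password. That gap is part of what the paper linked above examines.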