[randomcatuser]

so cool! anyone have any recs for cheap cards (or hardware) that is scannable on iphones?

[walterbell]

The cheapest RFID/NFC "card" tag is an expired tap-to-use transit ticket. It has a unique ID that can be used to trigger an iOS Shortcut to take any action, e.g. speak an audio description, open URL, open app, etc.

For purchase, there are many form factors: https://store.gototags.com/nfc-tags

On Amazon, search NTAG215.

[immibis]

If your city doesn't use NFC transit, you can also buy a box of blank cards. They have unique IDs like transit tickets, even without being programmed.

[stavros]

NTAG215 isn't "magic", right? I have a bunch of NTAG215 stickers and I'm not entirely sure what their difference is with magic cards.

[ewpratten]

Think of it like a subset of MIFARE.

In a simple sense, NTAG cards can do NFC things, but MIFARE can do lots more (access control for example)..and also NFC things..somewhat.

Magic mifare refers to special cards that let you bypass the write-lock of genuine mifare cards. These are mostly used for cloning keys (either for red-team pentesting or for people who want a copy of an office key for whatever reason)

[lxgr]

It's not really a subset:

MIFARE Classic uses a proprietary and mandatory encryption/authentication algorithm and is therefore not ISO 14443-4 compliant. As a result, NFC-compliant readers don't need to support it, and in fact non-NXP ones (including many popular Android phones) usually don't.

On the other hand, as you say, MIFARE Classic supports capabilities beyond NFC/NDEF, but there are fully NFC-compliant tags that do so as well (e.g. MIFARE DESfire, which properly stacks encryption in an ISO 14443-4 compliant way).

[stavros]

Ah, thanks, so I guess to write tags like URLs and things I don't really need Mifare cards, the NTAG cards are fine. Thanks for the info!

[ewpratten]

Many of my cards are just repurposed from other things. Lots of hotel keycards can be rewritten to open URLs on phones for example.

I actually have a hotel keycard taped to my washing machine to do some laundry-based automation with my phone. Maybe I should write about that sometime..

[Eisenstein]

Have you thought about getting one implanted?

[lxgr]

If you're getting an implant already, why not make it an actual smartcard that you can use for WebAuthN, GPG, SSH etc.? :)

On the other hand, the fear of permanently bricking it or messing up the GlobalPlatform card management key has so far prevented me from doing it myself...

[Eisenstein]

Because those cost $350 as opposed to $89, and the install only costs $60, and there is no stopping you from implanting more than one in different locations.

Many people get the small xEM or xM1 first to play with.

* https://dangerousthings.com/product/apex-flex/ * https://dangerousthings.com/product/xm1/

[lxgr]

> there is no stopping you from implanting more than one in different locations.

Good point, although at some point you'll want to make sure your reader implements anticollision properly :)

[ewpratten]

(glances at chip on my desk)

..yes.

Hopefully getting that installed later this week :)

[lxgr]

If you only care about static data that you can optionally freeze to a permanent read-only mode, NTAG21[3|5|6] tags are probably among the cheapest ones that reliably work with all iOS and most Android devices.

MIFARE Classic supports (completely broken and for this use case) useless encryption and doesn't work with some Android devices, as they're not really a part of the standardized NFC stack.

If you want to get really fancy, you can also get a Java Card based smartcard and install an NDEF application yourself. You could then also install a FIDO application and use the same card as a "homebrew Yubikey" :)

[fragmede]

https://www.amazon.com/dp/B0C49SVTCT

are the tags I have, and https://apps.apple.com/us/app/nfc-tools/id1252962749 is the app I used (which is the same as the one used in the post).