RFID chip in a credit card?

Aaron
RFID chip in a credit card?

I am sharing the following information with you guys because I want to assist you from having your credit card info stolen and used without your permission. Ignore it at your own peril.

Recently my bank completed a merger with another bank. As the final stage of the merger, new Visa check cards were issued. When I received my new card I noticed the following logo on the upper right corner of the front of the card:

Here is a partial photo of the front of my card:

Upon reading the paperwork included with the new card, I am taught that this logo represents “payWave” technology and allows me to pay for items without swiping my card wherever I see the logo. You can also go to Visa’s website and use a locator by zip code to find merchants that have payWave kiosks. I can simply wave my wallet over the reader during checkout and it picks up the RFID info wirelessly transmitted by my card and completes the transaction. In an innocent world, that is a neat idea. But since we’re a far cry from an innocent world, I immediately worked on remediating this gigantic breach of personal security. It is hard enough to protect myself without walking around transmitting my credit card info everywhere I go. Below I will describe ways to mitigate this risk.

With Visa it is called “payWave.” MasterCard calls it “PayPass” and Amex also puts it into their cards but I’m not familiar with the moniker they gave it. What ticks me off the most is that I didn’t want to be merged with this new bank, and so therefore this card [and the incredible breach of security it represents] was foisted upon me.

There are several ways one can go about reducing or altogether eliminating having your card info stolen by a hacker with a RFID reader that happens to walk by you when you’re out in public. Visa claims you must be within 2″ of the card with a reader, but hackers have proven with beefed up antenna on their scanner they can read cards from across a room (up to 30′ away for the RFID passports). I’ll list the ways in order from risk reduction to complete risk elimination.

1. Make a foil pocket that absorbs the signal; this is also known as a Faraday Cage. I opted for this because I was in a pinch and needed to activate the card and was not able to implement option 2 due to it being a weekend. If for some reason you think this technology is useful and want to keep it on hand here’s what you do. Take a sheet of aluminum foil, (say, 12″x 6″) fold it in half and put a nice crease on the 12″ edge. It should now be ~12″ x 3″. This creased edge will become the opening where you put your card in. Take some sort of tape, I used clear 2″ packing tape but most any tape will suffice, and completely cover one side of the 12×3 foil. This will become the inside of the pocket. Then using your card as a template, fold the thing around your card several times with the taped side of the foil , probably about 2 layers on each side of the card. Leave the top 3/16″ or so of the card sticking out so it is easy to grab from your wallet. Don’t fold it super tight around the ends or it will be nearly impossible to pull your card out. Snug will do. Trim the bottom non-creased edge so that you have about 1/4″ to 1/2″ hanging out passed the bottom edge of the card. Fold it over and then wrap the whole thing a few times with tape for durability. When done it will ideally look something like this:

And another shot:

I took this to McDonald’s (which have payWave readers inside) and my graceful assistant Anna tested it out. Trial one: with card in sleeve, inside wallet, try to get it to read: it wouldn’t scan. Trial two: pull card and sleeve out and try to scan: it wouldn’t scan! Trial three: take card out of sleeve and scan: it scanned and paid for our “food.”

So there you have it, proof of concept that a foil hat for your check/credit card really does work and it cost me about 3min and 10 cents of common household supplies.

2. This is the option I would have gone for had I not been activating this thing on a weekend. CALL YOUR BANK AND DEMAND A NEW CARD WITHOUT RFID CHIPS. I called this afternoon and politely told them I do not appreciate this technology and that I want a new card without the payWave crap. The guy forwarded me to their dept that deals with issuing replacements for stolen or lost cards and the lady disabled payWave. I was only marginally pleased because while payWave may not complete a transaction, the RFID in my card is still active and trasmitting my Name, Card #, Exp. date. Whether payWave works or not, that info is still useful if a thief used it online or cloned a card. This news from the bank was better than nothing, albeit disappointing. I ended the call. Not 2min later she called back to notify me that by her disabling payWave, the system will auto-generate a new card for me WITHOUT RFID IN IT and I should expect it next week. Sweet! You see, I could just use option #1 above, or the next option #3, but unless people call their banks and demand NO BIG BROTHER in their card, then the banks must assume people like this crap and then they’ll move onto the next step in this slippery slide and start pushing RFID implants or something just as heinous. Let them know you will not use it and you’ll switch banks if that is what it takes!

3. This option is the most drastic, but probably easier than option 1 or 2. This involves destruction of the chip. There are several ways to do it, use your imagination. First, locate the chip. I wasn’t sure if I could even do it, but then upon looking at the card from an angle, you can clearly see where they put it. Check it out:

All you need to do is run a drill bit, nail, screw, etc through the chip 4 or 5 times. Even better, take a hole punch and just punch the damn thing out. CAUTION: MAKE SURE NOT TO DAMAGE THE MAGNETIC STRIP OR THE WHOLE CARD IS TRASHED.

As I said, option 3 is the easiest, but in my opinion is only an option for when banks later on will not give you a card that is chip free and there are no other banks that offer chip free cards. Hopefully if enough people make a stink about it by using option #2, banks will not push it upon us all. More info is all over the web about how people have been burned. A comical approach by a company named Identity Stronghold is this commercial. They are innovative, but in my opinion $5 + s/h for a paper and foil sleeve is highway robbery. The banks ought to supply these for free. In fact, I am sure they will once enough people have been scammed and the insurance companies are sick of paying claims. Anyway, here’s the video:

If the following doesn’t scare you into action, wow. Video: How to hack RFID-enabled credit cards for $8:


One Response to “RFID chip in a credit card?”

Leave a Reply

*