Don't Like RFID In Your Credit Card? Ask 'Em To Turn It Off

While the danger of someone long-distance slurping the account information communicating out the RFID chips being increasingly embedded in credit cards is, for the time being, remote, reader Eyebrows McGee reports success in asking AmEx to turn it off…

I told the representative that I didn’t like RFID as a consumer or a citizen and I worried about the potential privacy issues and was it possible to get a card without RFID on it? She said what she could do for me was disable the RFID function at AmEx’s end. (She did not actually answer me about whether non-RFID cards are available.) So I had her disable the ExpressPay function, which took about two minutes on hold (for which she apologized).

No word to as to whether this works for other companies. Hardware based solutions for the same include foil and Dremel.

PREVIOUSLY:
No-Swipe Credit Cards Pose Risk Says Senator
Long-Distance RFID Snagging Possible, Already Done
No-Swipe Credit Card No Problem For Thieves

Comments

Edit Your Comment

  1. KevinQ says:

    Yeah, but did it work? An RFID chip cannot be remotely disabled, so if the reader already had her card when talking to Amex, then the chip is still active. All they did was disallow those types of transactions from her card. Somebody with an RFID sniffer could still get the information, though, and create a new card with that account number.

    K

  2. godai says:

    Wouldn’t this just make it so it couldn’t be used at the quick pay.

    However the information could still be captured via rogue devices and possibly used to make a false transaction.

  3. stopNgoBeau says:

    @KevinQ: From what I understand, the information on your RFID chip isn’t the same information that is embedded in the magstrip or printed on the front of the card. That way they can disallow certain types of processing, i.e. magstrip not present (phone or internet) or RFID purchases.

    Someone correct me if I’m wrong.

  4. QuantumRiff says:

    I’m not an expert, but have played with RFID and smart cards quite a bit. The CC company most likely does not put the account number on the chip.. That is way too slow, and error prone (not to mention, more expensive). They most likely get a card with a huge serial number (think hundreds of letters and numbers) already imprinted on it. Then they “link” in their back office systems, the RFID Serial number, to the CC Number. If someone copies the RFID Serial number, the bank can remove the link between the serial and accounts, and it won’t work.

  5. gorckat says:

    While the danger of someone long-distance slurping the account information communicating out the RFID chips being increasingly embedded in credit cards is, for the time being, remote

    Why yes…yes it is remote :P

  6. KevinQ says:

    @stopNgoBeau and @QuantumRiff: That may be. I’m not too familiar with the implementation of RFID tags in credit cards. However, it still seems like the customer is not getting what she has asked for. She wants the card to stop broadcasting her personal information, and Amex has just agreed to stop receiving it. Disabling the method of payment does not seem to solve the privacy issues.

    K

  7. Art Vandelay says:

    WaMu recently sent my new check card and it has RFID. I called them up and asked for one without it. The CSR had to speak to her manager a few times, but other than that it was easy to request an non-RFID card. The first one they sent was lost in the mail and I’m awaiting the arrival of my new card, so I still may not have it.

    Barring it not arriving a second time, the only pain will be going to a branch to get my old pin on the card.

  8. BluthBanana says:

    My girlfriend went through this process about a year ago only to find that the RFID chip still worked when she went to pay for her lunch using her Amex card. When she came home that night, she used the only method that truly works, taking a hammer and nail and piercing it right through the hart of that little RFID chip. Problem solved.

  9. LatherRinseRepeat says:

    You just need an X-Acto knife and a steady hand to cut the RFID chip out of the card. ;-)

  10. @KevinQ: “An RFID chip cannot be remotely disabled, so if the reader already had her card when talking to Amex, then the chip is still active.”

    AmEx uses different account numbers in the RFID and the magnetic strip, so if someone sniffs my RFID # and tries to use it, it shows up as fraud. And that charges don’t go through, of course. :)

    I did specifically check on that because the CSR was clear that it didn’t “disable” my chip, just “disallow” it at AmEx’s end.

  11. KevinQ says:

    @Eyebrows McGee: I did specifically check on that because the CSR was clear that it didn’t “disable” my chip, just “disallow” it at AmEx’s end.

    Good. I wasn’t sure from the post above if you got what you had wanted.

    Hope it gives you the privacy and security you’re looking for.

    K

  12. twoply says:

    I drilled holes through the RFID chips in two of my cards with no problem, but for some reason my KeyBank card doesn’t read now after I drilled through it. However, I never actually tried using it before the drilling so maybe the card never worked in the first place.

  13. twoply says:

    Also, would banks or credit card companies consider drilling through the chip suspicious activity? I don’t want to bring my card into KeyBank to have them see what’s wrong with it and be suspected of something because of the hole..

  14. azntg says:

    I think American Express maintains a separate subaccount for RFID payments (maybe like as Quantumriff said above). Every time I get back a receipt, I notice that the card # is different from the actual card number. That said, for some reason, I find it faster to just swipe that card than use the Expresspay feature, namely because authorization seems to take longer at the POS terminal if you do use the RFID payment.

    If you’re really hell bent on removing the RFID function of your card, I think you have to take matters into your own hands. There’s always the concept of applying blunt force (of course, it is advisable that you shield the card itself so it doesn’t shatter, but allow enough force to penetrate the card). My friend majoring in Engineering tells me that if you have access to an NMR apparatus (what they use for MRIs, I believe unless I’m mistaken) or someplace with a strong magnetic field, that’ll pretty much fry the RFID chip.

  15. @KevinQ: “Hope it gives you the privacy and security you’re looking for.”

    I’d prefer a chip-free card, but we just had to switch companies after our last CC company compromised my identity and was the worst customer service experience of my life generally, so I’m frankly not up to finding ANOTHER new one. AmEx has strong cardholder protections and it’s getting harder and harder to find a non-chipped CC, so I’ll call this a decent compromise for now. I did express my displeasure with the chip to the CSR and I will write the company to make the point again, so at least they know there’s consumer demand for non-chipped cards.

    There isn’t anywhere where I live yet that even HAS the RFID-pay thingies, and we’ve had no reported incidents of “sniffers” yet. So I’m not SUPER-worried about someone tracking me around town with the RFID chip on my card, but I’d prefer not to have it all the same.

  16. kirschey says:

    I called Amex yesterday about getting a new card without it, but they only have two cards that don’t have an RFID inside and they both have an annual fee!

  17. Beerad says:

    @azntg: “if you have access to . . . someplace with a strong magnetic field, that’ll pretty much fry the RFID chip.”

    Wouldn’t that also scramble the magnetic strip on the card and thus make it totally unusable?

  18. Klink says:

    Just wrap it in tinfoil in your wallet. I hear that works.

  19. WV.Hillbilly says:

    The ultimate hardware solution:
    a hammer.

  20. CumaeanSibyl says:

    @twoply: At this point I’d just report it lost/stolen and get them to send you a new one. Test that one first before you take out the RFID.

  21. Karl says:

    @Beerad: “Wouldn’t that also scramble the magnetic strip on the card and thus make it totally unusable?”

    Yep. In fact, it’s much more likely to kill the mag stripe than it is to kill the RFID chip. To kill an RFID chip electronically, you need to induce a large voltage. A static magnetic field won’t do anything.

  22. EtherealStrife says:

    I used a drill on my RFID cc, and a hammer for my friend’s passport (a drill mark would be too conspicuous). Having the bank’s assurances that it’s turned off simply isn’t enough for me. I’d like to tinker up an RFID Guardian of my own, but for now I’ll stick with the basic mods.

    I wouldn’t advise using a hammer on the cc. The way my chip was placed, blunt force would likely shatter or severely damage the card.

  23. swedub says:

    My father just drilled a hole through that part of his AmEx card. As soon as I have a RFID enabled card or once I get a new U.S. Passport I will spend $20 to $30 on a faraday cage wallet. They will block all RFID signals from being read when inside this type of wallet. Just Google ‘faraday cage wallet’ to find some. I’ve seen standard bi-fold wallets and passport size wallets available from various manufacturers.

  24. Veeber says:

    Is your passport still valid if you disable the RFID?

  25. digitalgimpus says:

    I “emailed” (used the contact form on their website) Chase about it, and Chase had no problem mailing me new cards which aren’t RFID. They were a slightly different (a diff promotion) but the same account type.

  26. buddhaboy76 says:

    Keep the functionality of your RFID card but keep it safe with a wallet. I bought a wallet from http://www.RfidBlockr.com and will get their passport case soon. It actually uses wire mesh unlike others that use “tinfoil”

  27. azntg says:

    @Karl: Thanks for correcting me. So, I suppose the only application for that method is for disabling the RFID in the passport then ;-)

    @Chris Vee: Tampering with your passport is a crime, but then again, if the RFID chip malfunctions and you don’t leave an obvious sign that you “tampered” with it then what’re they going to do? Make a fuss over something that many airports don’t even have a reader for?

  28. dantsea says:

    This is hilarious.

  29. aikoto says:

    There are two kinds of RFID: magnetic field and radio. The mag variety is harder to read at a distance so is more secure (and is probably what the credit cards are using… at least, it better be).

    Either way, the data on the card isn’t an account number as much as it’s an index number to a database (at least it should be). Putting actual data on an RFID chip would be asinine (of course, so is using RFID for these purposes).

    Anyway, if you cut the antenna anywhere, it fully prevents the RFID chip from recieving power and being able to transmit its data. Just use a small knife to pierce it or the chip itself and you should be fine.

    Testing it is as easy as going to a store and trying to pay for something.

  30. gamabunta says:

    Get a hole puncher and go to town on the RFID chip. Worked for my AmEx card and I can still use it on those self feeding readers they use at Target without the card getting jammed.

  31. hwswconsult says:

    It seems that AmEx is telling their computers not to allow transactions that use your RFID encoded number. Although your card still broadcasts that number, you can’t buy anything with it (in this scenario).

    Now it’s true your card hasn’t physically changed, so the RFID chip will still broadcast, and someone could still skim the number off of it. But they will get a number that won’t let them buy anything! I don’t see the danger in this.

    If you really want the card to stop broadcasting it’s info, you can try Smart Tools’ RFID Shield, with more info here:
    [smarttools.home.att.net]

    This lets the cardholder decide when any RFID enabled card will talk to another machine.