Disabling Tap To Pay Debit Cards

XRAY of Debit Card

Some people aren’t too crazy about the rush of RFID-enabled credit and debit cards, and the problem is that you don’t really get a choice of card when the bank sends you a new one! If you really don’t want this feature on your card, for whatever reason, it’s pretty easy to disable.

[James Williamson] recently got a new debit card with RFID technology. The problem was that it interfered with his access card at work: the readers would beep twice and sometimes not work. He decided to disable it for that reason, and because he didn’t really use the tap-to-pay feature and wasn’t completely convinced it was as secure as the bank said.

Since these RFID chips use antennas made of copper wire, he could have just started slicing his card with a knife to break the antenna. But since he has access to a CT scanner, he thought he’d scan it to figure out where everything was.

Simply make a small notch in the edge of your card, or snip off one of the corners. This breaks the antenna, so the chip gets no power when held near a reader. If you don’t have access to a CT scanner, though, you might want to double-check next time you buy something!

Now there is another side to this: maybe you actually like the whole tap-to-pay thing. If so, you could get a supplemental card, dissolve it in acetone, and then install the RFID chip into a finger ring for Jedi-like purchasing powers!

84 thoughts on “Disabling Tap To Pay Debit Cards”

    1. How about trying a little more targeted approach – mask all but the necessary area to be with heavy aluminum foil? You may want to try this on a card you don’t value first…

  1. All well and good, but the technology on these cards is not RFID, it’s NFC.

    If it were RFID then I would be doing the same as this guy, but NFC is a far superior technology that uses the physics of Near Field radio, the absolute minimum modulation and a zero knowledge proof as the identity to make the card un-activate-able at any distance of more than an inch, safe from eavesdropping at anything more than a foot and, even if you managed to get your sensor between the card and reader, safe from replay attacks because of the cryptographic proof.

    Apart from all that, the credit company limits the maximum transaction value and insures against loss from mistaken or fraudulent transactions. So this person seems to be just cutting off their nose to spite their face.

    1. Indeed. For Contactless Payment to work the purchase needs to be less than £15, and the readers are so fussy I frequently have to slide my card around to find the correct part.

      What is annoying is when you have multiple cards that get misread, or your NFC enabled phone keeps reading them.

    2. Debit cards do not have the same transaction limits and are usually not insured like credit cards. Once money is taken out of an account via debit, it’s usually gone for good.

      And heaven help you if you allow savings to cover insufficient funds in checking.

      1. Most banks will investigate and replace fraudulent charges on debit, but it is gone until they decide to put it back. Unlike credit cards where you have until your bill is due to get it taken care of. I think you may still have to pay for charges that are under protest, not sure though, rules may vary.

      2. False. Debit cards have just as much fraud protection as credit cards if you live in a country with consumer laws (every western country except the USA). Also there is definitely a PIN limit on purchases with debit card too. Where I live it’s $35.

      3. Perhaps that’s true where you bank, but it isn’t true in general. Bank account debit cards have the same protection the credit card company they are associated with provides for its credit card holders. You may lose use of your money for a time, but it isn’t gone for good. Maybe if your bank was one of those US banks who used tactics to entrap its customers in accumulating excessive fees, some of your money may be gone for good.

    3. NFC and RFID are like square and rectangle. NFC Forum specified additional requirements, but ISO 14443 is a core communication standard for NFC and non-NFC forms of RFID.

      We can see the EMV element in the x-ray, and in fact we could see it without the x-ray because the pads are easily visible on the surface of the card. This card is almost certainly using the NFC secure stack.

      People worried about the security of their cards should do two things: (1) disable the mag-stripe (2) shave off the numbers printed on the front. These are the real backdoors.

      1. An old trick in the knucklebuster days (*) was to iron the card to flatten out the numbers, they wouldn’t transfer to the paper slip and maybe the cashier wouldn’t notice…

        The smarter ones would then punch a different number into the card.

        (* of course the USA is still using them. Maybe 15-20 years since I’ve last seen one?)

    4. First of all, some Debit cards leak transaction logs and even bank account numbers via NFC, so there we have an important information leak, at least for some older cards. And the logs leaked are from both NFC payments and regular “full-contact” payments (not sure, if that’s proper English, but I mean those where you have to plug your card and enter your pin). Then, there are NFC range boosters (sometimes called “patch kits”) for active NFC transmitters that can extend the range to nearly one meter. This enables you to just walk by your target and access its NFC chip(s).

      Insurance or no insurance, some German engineers / scientists have shown a working attack on German VISA credit cards that allowed them to withdraw large amounts of money from the associated accounts due to an exploit using just a phone, and likely an NFC patch kit. And no limit, like with Debit cards. Also: Without authentication, mind you. Here’s an article about it (in German though, unfortunately): http://www.t-online.de/computer/sicherheit/id_71655704/nfc-sicherheitsluecke-smartphones-koennen-kreditkarten-leerraeumen.html

      So there are dangers here, and there likely will be additional attack vectors on NFC-enabled systems in the future. So I drilled a hole right through the coil in my own card, disabling NFC. No ill side-effects at least for my card.

      Oh, and you don’t need X-Ray to visualize the wires properly, bright visible-spectrum light is sufficient, even a bright smartphone LED in torch mode is good enough to find the coil.

    5. I don’t care if it’s safe as you say (I doubt it) or not. The point is Banks don’t give you the option of not having that in your card. It means an added sec liability/risk, let’s say 20€ that I am not willing to take but, as ALL banks issue their cards with contactless, again I, as a customer, am left with no other option.

  2. There is another reason additionally to fear of theft why you want to disable the NFC feature: privacy.

    Every card spews out a unique id to everyone who is able to connect to it. If you don’t care about emc laws or are above them, you can easily register these ids from a few meters away. If you have access to the bank databases, you can accurately identify people this way without messing with the errors of facial recognition.
    So the banks either totally messed up the NFC standards by not thinking about this, or it was suggested to them by certain agencies to ignore this point.

    1. Easily register it from a few meters away? Have you actually tried to read a NFC card from that distance? It is fairly easy to do with RFID but that isn’t what is used in a bank card. Unless you have very specialised equipment then you’re limited to a few cm distance when reading NFC and even if you do have the equipment, you’re not doing it from several meters away unnoticed. Loosen your tinfoil hat a bit. It’s cutting off circulation to your head. /facepalm

        1. “certain agencies” these days are too lazy to get close to you.

          They will instead casually type a few words into their computer remotely, and get everything they want on you. Probably turning your phone and getting your location with a live mic feed.

      1. Anyway, that doesn’t prevent the card from being used to take cash from the account under the established limit, if it is stolen. Besides, the tech point is not the only issue. As a citizen, and it being MY money, the last say on the subject is mine but, as all banks lobby to have this implanted, no options given, that right is taken from me.

        1. Probably? Before?

          Yeah, definitely a case of [Citation Needed].

          Maximum distance is cited as 10cm (4″), typical is 1/10th of that, and in theory due to the wavelength is 22 meters (24 yards). Yeah, an antenna that size might get noticed.

          I wouldn’t be surprised if someone managed a metre or so under lab conditions, though no-one seems to claim they have. Just keep two cards together, that’ll solve that problem.

          1. Because of course you can only use full wavelength antennas, that’s the reason all NFC phones are at least 22 meters tall as you know. Although there are miniaturized versions where they loop the antenna to get it as small as 5.5 meters.

          2. Only 5.5 metres?

            That’s absolutely tiny, no-one will notice I’m carrying that!

            (Never mind 22 metres is a theoretical range, and 5.5 as equally unlikely…)

          3. If the antenna has to be 22 metres, how do the readers pick it up within a 4 inch by 6 inch space? That applies to Ham radios. The card pictured above has about a 24 inch antenna for receiving current and transmitting data and the distance from the card is completely relevant to the size of the data receiving antenna. In our experiments an antenna matching the length of the one in the card (with slightly increased induced current) gives about a 7 inch pickup zone. Keeping two or more cards together creates a mess that can be eventually separated, but is not worth anyone’s time. Anyone wearing a light jacket can conceal all that is needed with the antenna being contained in the end of the sleeve. It takes about 2 seconds to get the info.

      1. Did you read his comment? Moron customers might be better reason.

        Here’s a person wondering why people haven’t switched to chip & pin, and there he is prying the chip out of his card when he does get it.

        Cognitive, meet dissonance.

          1. I comprehend just fine.

            “Hey lookie, my card has a chip!”
            “Thud, pry, boiiing!”
            “Say, how come we all still use mag stripe and not that there new-fangled stuff?”

            You silly Americans, with your paper money, check books, mag stripes and what not. Whenever I wonder what the olden days were like, there you are as an example.

            (Ya know about October 1st, 2015, don’t ya?)

    1. I just got mine from one of the big banks upgraded automatically…

      I did use the NFC card I previously had, maybe that’s why they sent me the PIN card because of the risks?

    2. Serious question, what’s the advantage of having the chip over the magnetic strip? I would still think someone would have to steal my card to copy the magnet strip anyways, and if someone had my info wouldn’t they just use it online, where the chip wouldn’t be any help. I’m really not seeing the advantage.

      1. Online? On services which are traceable via postal address?

        The vast majority of credit fraud will end with the criminals at an ATM or at a physical location in an attempt to extract cash or goods semi anonymously and then dump the card. Only the spectacularly stupid give out postal addresses.

        This can be seen with the value of online credit card details. On the black market a credit card number + expiry + CCV will fetch less than $1. But a physical cloned card is worth many times more.

        The chip+pin system prevents card cloning, nothing more. There’s also significantly more anti-tamper technology in the cards since they exchange information cryptographically which hampers the ability to record the card information by swiping.

        1. I guess I didn’t realize card cloning was such a big thing. Do they still have to get physical access to the card to clone it, or can they get the info to make a fake card in other ways?

          1. As a side note, I did have a family member that had their card used online. As traceable as you think it would be, the store didn’t care, the card company didn’t care, and I don’t think it was ever investigated. On a plus side, some places only ship to billing addresses so they got a free laptop and printer out of the deal. Again it was astonishing how little anyone cared.

      2. The magnetic strip is just data visible to anybody with the right kind of reading equipment. In a setup with a chip you can add processing and implement proper encryption, challenge/response authentication and so on.

        1. So you still need the physical card right? I guess now I’m thinking of the fake ATM or tampered card reader attack, which the chip could prevent I assume. But then again it’s probably still possible just harder.

          1. Be careful. I have seen instances where criminals will still send to the billing address, but they scope out your house and wait for UPS to come by. Anyone who would steal, I don’t want lurking around my house.

          2. One can easily read mag strip cards by a concealed “addon” to a normal ATM, the reader itself is a very thin flex cable you put into the card slot, pin is either taken care of by a hidden camera or more recently a fake panel with a keypad on top of the real thing (apart from being completely automated, the fake panel also gives you a lot of space for batteries and electronics)…This gives you a card clone and the pin, just go an ATM of your choice and max out the card(s) for untraceable cash…
            You can’t do this with a chip card, you’d have to physically open the ATM to install the device (and somehow break the not so weak crypto), at which point it would be easier to just take the cash from the machine…

      3. The difference is the data on your mag stripe is always the same. Once it is read into a cash register, the bytes are known and can be exactly copied. The only reason someone else can’t forge a copy of their own is because it is kept secret, but every breach means those secrets are lost. The chip, on the other hand, is dynamic. It will generate a unique cryptographic code for each transaction, so copying the data doesn’t result in something that can be reused by a thief.
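The static-versus-dynamic difference described in this comment, as an added Python example that is not part of the original thread. It is a simplified model: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the key, track data and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for illustration; not real card data.
STATIC_TRACK = b"4000001234567899=2512101000000000"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mag_stripe_authorize(presented: bytes) -> bool:
    """Static data: any byte-for-byte copy is as good as the original."""
    return hmac.compare_digest(presented, STATIC_TRACK)


def _message(amount_cents: int, nonce: bytes, atc: int) -> bytes:
    # Fields bound into the cryptogram: amount, terminal nonce, card counter.
    return amount_cents.to_bytes(6, "big") + nonce + atc.to_bytes(2, "big")


class ChipCard:
    """Holds a secret key that never leaves the card, plus a counter."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0

    def cryptogram(self, amount_cents: int, nonce: bytes):
        self.atc += 1  # every transaction gets a fresh counter value
        mac = hmac.new(self._key, _message(amount_cents, nonce, self.atc),
                       hashlib.sha256).digest()[:8]
        return self.atc, mac


class Issuer:
    """Shares the card key; rejects bad MACs and reused counters."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def authorize(self, amount_cents, nonce, atc, mac) -> bool:
        expected = hmac.new(self._key, _message(amount_cents, nonce, atc),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            return False  # data altered, or bound to a different challenge
        if atc <= self.last_atc:
            return False  # counter already seen: replay
        self.last_atc = atc
        return True


def run_demo() -> dict:
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    nonce = secrets.token_bytes(4)              # terminal's random challenge
    atc, mac = card.cryptogram(1999, nonce)     # genuine purchase
    new_nonce = bytes(b ^ 0xFF for b in nonce)  # a later, different challenge
    return {
        "stripe_copy_accepted": mag_stripe_authorize(bytes(STATIC_TRACK)),
        "chip_genuine": issuer.authorize(1999, nonce, atc, mac),
        "chip_exact_replay": issuer.authorize(1999, nonce, atc, mac),
        "chip_new_challenge": issuer.authorize(1999, new_nonce, atc + 1, mac),
        "chip_changed_amount": issuer.authorize(999900, nonce, atc + 1, mac),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```
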

        1. Unless they go full-blown 8051 and use 20-year-old smart card technology. It’s funny how satellite cards are about as secure as you can get, nowadays. And yet, they still have to upgrade them every so many years…

    3. I was disgusted by the credit card security in the USA. When I got back I ended up getting my company card cancelled (was a work trip). Everyone uses mag strip, everything is signature and every restaurant/bar I went to insisted on disappearing into a back room with your credit card and not even finalizing the transaction because they had to wait to find out their tip. Furthermore I was constantly having to provide my license with address and birth date to people who had no right to know it.

      Australia has just officially moved to not even allowing signature, we’ve had chip and pin for as long as I can remember and paywave is 2010’s technology.

      1. Be grateful the USA even has magstripe.

        They still use cheques (that’s checks to you yanks). (The rest of the world: WTF is a cheque?)

        I’ve noticed a few of the POS terminals in Australia won’t let you use the magstripe unless you’ve already tried the chip (insert the card, not RFID) and it failed. I think we’re only keeping the stripe as the USA is so far behind.

        1. Yeah, unless the chip fails about 2 times you can’t use the mag strip. I wonder if us Aussies can still sign in the US even though we can’t over here?

          Another interesting thing is that sometimes a mag strip can be split length ways and still be readable. My wallet has this tendency to crack my cards right in the middle of the strip. While this cracks the RFID antenna, it also split my FlyBuys card in two. I was still able to swipe it through the reader in Kmart fine.

        2. Good luck using a check in almost any non-major store, unless in a town where everyone knows you. Checks have been pretty much useless for the last decade at least. Of course it could just be where I live, but it’s been several states where practically no one other than the likes of Wal-Mart or banks take personal checks. As they say, cash is King! Although I love the convenience of not carrying a month’s pay but instead a card, hehe. Now if only it wasn’t clonable…

          1. It’s not just for stores in the US, but bills, rent, payroll, government payments etc.

            In Australia personal cheque use has been extinct for years; in the last 10 years I’ve received exactly two from businesses (closed accounts etc).

            I got the second one recently, and discovered the ATM scans them for you (rather than the old ‘insert into envelope & key amount’ method). Will these advances in technology ever end?

  3. Unless the card is made from solid black plastic you can replace the CT scanner with a 3W LED flashlight, put it against the card and look at the other side, you can easily see the chip and wires in most cards.

  4. easiest way to disable RFID but leave the gold finger/smartcard contacts intact is to use a simple hole punch on a corner opposite the mag stripe

    if you don’t care for either, then just take a hammer and screwdriver to the center of the chip (usually there is a dimple if the card does not have smartcard contacts)

  5. Getting within 1 inch of the card with a good antenna is all that’s needed to pick $20 from somebody’s back pocket.
    Welcome to the 21st century.
    As soon as the pickpockets figure this out, sales of Chinese POS card readers with external antenna connections are going to skyrocket

    1. Simple metal cardholder would stop it right away, all the ‘clever’ thieves would have wasted their money.
      Also they’d be in first aid by patting down the wrong person I imagine.

  6. Just an FYI, cutting the antenna or microwaving the chip do in fact disable the chip, however around October 2015 expect to be using chips far more than currently.

    “http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/” google it, etc..

    The major processors and banks are shifting the responsibility from card company to merchant at that time. The effect is that merchants like gas stations and retailers will have to pay for fraud rather than banks, if the transaction was not from a chip, IE mag stripe cards or the old carbon sheets. Both will work but the merchant will be accepting liability for fraudulent transactions. Large retailers like Walmart and others have already begun changing out the readers, in some cases you will not be able to use the card if the chip doesn’t work.

    IE my card company gave me a new card recently, chip enabled, went to Walmart, swiped the card as usual, display says “insert card”, so some bit on the mag stripe flagged it as chip enabled and the retailer enforces its use. I declined to use it and they declined my card and transaction. Tried it again another day, same story so I put the card in the reader as requested and the transaction took a substantially longer amount of time to process but was accepted.

    The take home is sure kill the chip but you will have a slowly dwindling number of locations you can use it. To me the card shown by the CT is a multifactor card, looks like NFC, Smart and traditional Mag/Embossed. I would prefer a physical button, switch or something on the card that would let you enable these features upon request rather than have NFC active at all times. VERY few retailers have NFC enabled points, even the ones replacing readers to accept the new chipped cards.

    If you’re looking to use your phone to emulate the card, not sure if you can “copy” the card but Google wallet and ISIS both let you use an emulated card tied to the real card. I have used both and the clerks look at you like WTF did you just use your phone?.. YEP :P

    1. You tie the chip-and-pin with NFC/RFID too much, they are separate functions and disabling NFC/RFID should still allow chip-and-pin, which is the whole point of the article here.

      1. Kind of like the ignorance of how a specific phone/SIM is tied to an account for cellular Internet service, and not just some secure login like SSL. Then again, remember when SSL failed due to so many sites using a rare bogus patch to OpenSSL?

  7. If you are handy with a soldering iron a hot 30 watt tip pressed over a chip long enough to burn it out may do the trick. I’ve accidentally fried enough chips in my life using a soldering iron trying to solder contacts to circuit boards that ruining a NFC/RFID should be easy and not leave any burn mark.

  8. EMP via modified camera flash directed at the antenna ought to do it in.
    If the chip & pin doesn’t work afterwards dial down the energy and try again; this is an excellent use for used out of date cards and ensures security before disposal/shredding/etc.

    On all the cards I’ve dismantled the chip that does the PayPwn is separate to the C&P chip for a reason, to prevent faults on one affecting the other.

  9. I called my bank, Royal Bank of Canada, and asked them to disable the wave chip on my debit card and they said sure and did it while I was on the phone! The function no longer works but the card still does! No microwave or drill required!!

  10. I sadly live in the USA.
    My new card I got, old one expired, has that wireless icon/feature on by default.
    Even talking to them, they said it was a ‘feature that was enabled by default and no way to disable it, since we also think it’s really secure’
    (not their exact words, but you get the general idea from my ~45min long conversation I had with them).

    Can I disable it via a strong flashlight and an exacto knife but keep the rest working perfectly?
    [aka: the mag strip and chip/pin intact?]
    Would disrupting/cutting the antenna/wires from the chip in 2 places near it be sufficient?

    Thanks!

  11. Have the opposite problem: an expired card which seems to be in good physical shape.
    pair of red LEDs in series should do a good job, plus you get to see if some miscreant is using a “BallBuster 4000” aka long range NFC scanner to do mischief.

  12. Is it possible to jam the tap to pay by the conventional radio jamming methods?

    Tap works on 13.56 MHz, so if you were to broadcast that frequency would the terminal even be able to read the tap or would it error and refuse the transaction, forcing dipping?

    I suspect my local gas station convenience stores may be using a transmitter to drown out the 13.56 MHz signal transmitted by the card and terminal, preventing the transaction and forcing dipping.

    and multiple times within a couple weeks i would get a fraud alert saying someone is trying to place a $2000 order from a starlink internet connection and each time visa would catch it so my bank would have to issue a new card.
