PayWave & PayPass deletion via RFID antenna kill

I’ve been concerned about the unilateral addition of RFID technology to my bank access cards and to my credit cards for some time. This technology has the potential to be invasive and insecure for the user.

Using RFID PayPass will make you spend 30% more than you had planned, off the top of your wallet. This science is reported by MasterCard. You’re welcome MasterCard.

This HackaDay post explains another reason why RFID is not to be trusted for personal details. Public domain information. The real issues are not publicly reported.

Mythbusters isn’t even allowed to think about discussing RFID issues.

Because of these issues, over three years ago, I requested my bank to remove this capability from my cards. But that request was met with a clear message to piss off and not upset their grand plan.

Dear Mr Stevens,

Thanks for your recent email regarding your Visa Debit Card. My name is Christine and I will be helping you with your enquiry today.

Mr Stevens, firstly I apologise for the delay in responding to your email due to current high volumes.

Unfortunately I regret to inform that we are unable to remove the Visa PayWave option from our Visa Debit Cards as all cards have been upgraded to include this function.

We appreciate your understanding on the matter Mr Stevens.

Kind regards,

Christine
Premier Customer Service Consultant
HSBC Bank Australia Ltd 

————

On the 6th of June I requested information on removing the Visa “Paywave” functionality from my account. The automatic response system suggested that you would provide a response within 48 hours. To date, I have received no email regarding this issue.

To reiterate. I would like to have the Visa paywave functionality removed from my Debit card.

Vendors and merchants are now taking my card and “Waving” it without my express permission. This is very dangerous functionality, as I have no option to check and confirm before my account is debited.

Please confirm the option to remove Visa Paywave from my HSBC Access Card.

Best regards, Phillip Stevens

Ok. So it is up to me to fix this issue myself.

There are many instructions on the Internet which imply that the easiest way to remove the smart card capability is with a hammer, applied with extreme prejudice directly to the chip. This brute force method has the dual effect of killing both the smart card and the RFID capability. That is an issue for me as I actually think that the smart card capability is a good feature, as the use of “chip and pin” significantly increases the security of transactions using the card.

It occurred to me that the RFID capability depends on the antenna contained in the card for generating the power for the chip (through induction), and for carrying the signal between reader and card. So, the RFID capability could be removed simply by interfering with the antenna coil.

I was initially concerned that interfering with the antenna would cause some issue with the “chip and pin” functionality. But then I thought that (if I was the engineer designing the solution) it would be stupid to remove the fallback capability for “chip and pin” if something unforeseen happened to the card RFID antenna. So I thought; worth a shot!

How to kill the RFID via the antenna?

The RFID antenna tracks around the outside of the card as shown in this image. The actual track of the antenna in your card can be checked by viewing with a very intense light (like a LED bicycle headlamp) from behind like an x-ray whilst shielding your eyes from stray light. Using a smartphone flash LED, aka the Torch function, also works very well. The flash LED light is very intense, and from a small source, so you hardly need shielding or a darkened room at all.

Image: PayPass Card Antenna & Chip

The RFID antenna can be segmented anywhere to break the induction loop. But, with respect to the integrity of the card, I preferred not to disturb the chip, the signature panel, the hologram, or the magnetic strip sections of the card. This just leaves a small section on the left side of the card (front view) that can be punctured to delete the antenna.

The puncture can be made anywhere. The only critical measurement is the distance from the card edge. For my cards the antenna was 3mm from the card edge. Use the x-ray view technique to check for your own card. The hole needs to be closer than 3mm to the edge, but far enough away so that the card remains fairly strong.

How to make the puncture without making a mistake?
I made a template using the following method.

Image: RFID delete hole template

  1. IMPORTANT: Use the smartphone flash technique to check your own card for antenna tracks, first!
  2. Get a normal paper hole punch and punch holes in paper as a template.
  3. Make a pen mark on the card at the location that you want to make the hole.
  4. Hold the card over a hole in the paper so that your pen mark can be seen through the hole.
  5. Mark around the card on the paper for alignment.
  6. Reinsert the paper, and the card on the alignment marks, into the hole punch.
  7. Punch a hole (whilst cursing Visa and Mastercard for being an oligopolistic blight on society), and profit!
  8. Rinse, repeat for all RFID cards.

Test this by trying to use the paywave functionality at your local vendor. RFID fail! Woot!

Warning: This worked for me. Your mileage may vary. Worst case, you’ll need to get new cards issued by your bank, so do it with cash in your pocket.

In the past two years since 2013, I have received many new cards and the process is just the same. Use the smartphone flash-light to identify where the antenna tracks run, and then use a hole punch to sever some of them. With a bit of practice, using the template becomes obsolete.

At no time during the last two years has a merchant ever rejected payment because of the added RFID disabling feature. Payment with Chip&Pin (the secure way) is completely normal.

Mastercard 2015

Deleting the PayWave from the new VISA card was particularly satisfying, as the best location for the hole was, coincidentally, directly on top of the logo.

American Express

American Express are now issuing RFID cards too. No specific branding, but equally simply disabled.

QANTAS

Finally QANTAS have decided that their frequent flyer membership card was not adequate unless it too contained a payment capability, and hence RFID. Easily disabled.

Cards from 3 years ago.

Image: PayPass RFID deleted.

Image: PayWave RFID deleted.

47 thoughts on “PayWave & PayPass deletion via RFID antenna kill”

  1. Wouldn’t a .5 to 1 mm hole have been slightly less obtrusive? It is certainly greater than the ‘wires’. Perhaps you might tie a string to it, or have that favorite one macrame something on it.
    What you did, I think, is great. My fear is that someday I’ll be walking past a display for Glass Buster or something similar and it will call me by name and remind me that I haven’t bought any in 6 months… Then my bad dream decays into the display yelling at me and then… Thank God, I wake up.

    Doc

    • Yes, absolutely. Many ways to skin the cat.
      Drills. Leather punches. Ear piercing. Anything really.

      I was just thinking of what tools most people (including me) have to hand when they’re sitting opening letters. My hole punch fell to hand.

      Another option is just to cut a deeper diagonal slice off one corner (probably lower left would be best) with scissors, which should also catch the antenna loop. Perhaps I’ll try that one next time.

      Phillip

  2. This is a great find! I have been looking for a way to disable only the RFID for a long time. There are only 2 banks in Canada that still offer a non-RFID credit card: CIBC and Scotia Bank. It’s only a matter of time before they force this down their clients’ throats too.

    Thanks Phillip.

    Nez.

    • Hi,
      I did a similar thing with a Bankwest card. They are pretty hard to see through, so I ordered a new card which then got ‘lost’ in the mail. I used a thin flat blade to slice and peel the card apart. No wires in this one; it’s a conductive foil used for the antenna and ‘traces’, and it even looks like a capacitive structure in the layout. I used the exposed innards as a template to line up with my (next) replacement card and used a paper punch to disconnect the antenna feed. Chip works, RFID is dead :)
      Mmm, I don’t think I’ll leave my name for this one.

  3. Not everybody has an x-ray machine in the garage unfortunately. I had some pretty good success using my home flatbed scanner and an infrared source I had lying around (e.g. http://www.kemo-electronic.de/en/Light-Sound/Infrared/Kits/B223-Infrared-spotlight.php). A typical flatbed scanner can detect the infrared light to a decent extent, so just backlight your card above the scanner and voilà, a “poor man’s” x-ray :-).
    That way you’ll have a better idea of where to drill.

    • I used a bicycle headlamp of the LED variety held directly against my cards to check the antenna position. They’re black (see pictures), so pretty much worst case. But, I could see the antenna wires through the card, as long as I didn’t blind myself by accidentally shining the light in my eyes. Holding two cards together prevents this.

      I think all the cards are laid out the same.
      But as trades people say: measure twice, cut once. :-)

  4. What a great page – Thank you Philip!

    Did some searching on information on the RFID disable, and think you have by far the best page on the subject. Clearly explained, illustrated, with suggestions of tools to use.
    The tip on using a bicycle LED headlight is brilliant – it worked great for me, and I have “modded” all of my credit cards now.

    The suggestion of using a second card as a light shield is also very useful; you will need it as we are working near the edges of the card, and light will leak, killing your “night vision” (ability to see the light faintly travelling thru the card).

    I used the LED light, and would suggest getting into a dark room for best results – at first, under normal lighting conditions in my office, it was hard to see any traces on the cards. Only one of them, lighter blue background, was clearly readable.

    Later, repeated the checking at work, in a dark storage closet, and almost all of the cards were readable then. The only one that wasn’t, I made a “decoration pattern” of holes around the chip, so the traces were likely cut by one or more of these holes.

    Used a small drill press, with a 1/8″ or 3 mm drill bit; I later used a large size bit to deburr the edges of the holes neatly. Later today I plan to go to a store and check the cards by attempting a Paypass payment.

    Again, huge thank you. Great job!

  5. Successfully done on an [redacted due to overzealous spam detector], only I’ve used a laser cutter instead of a punch for a 2mm cut. NFC disabled and verified both with my phone and an actual terminal.

    Laser vaporised the plastic along the cut and the conductors were not severed, easy to fix with the pointed edge of an exacto knife. Card looks great, thin cut is very neat and unnoticeable at a casual glance. I can post an image.

  6. Use a very sharp knife with hard steel, score a line on the BACKSIDE of the card in the same location as pictured above. Score your line about .5 mm long running East to West. Finish your score line with a metal straight edge and a sharp awl or even a needle. Scratch and score away just enough to sever the Aluminium foil matrix without going through the front (a 20x jewellers loupe helps not to go too deep) . . . job done.

  7. Pingback: Not Canon. Banc card with PayPass | Digital Canon repair Blog

  8. Thanks for your explanation, I successfully removed the RFID threat from a “DKB” customer card. BTW: That card had a different routing of the antenna cable, not going nearby the edge of the card all the way, but leaving out about 1/3 of the card surface. Thanks to the “shine-through-analysis”, this was easy to detect.

  9. I wasn’t able to see the wire using a back light so I was not sure where to cut. I used a utility knife and made cuts through the card on all 4 sides of the chip. I made sure the cuts did not connect. This ensures the chip is still intact and sturdy on the card. The RFID doesn’t work anymore, but the security chip is still functional. Great to know we have a work around to these RFID cards being shoved down our throats.

  10. Note that those 2 linked RFID threats (the hackaday one and the other one) apply to 125kHz unencrypted cards, eg Access Control Cards and such.

    PayPass/PayWave is Mifare (13.56MHz based) with EMV-addon so it’s impossible to skim a card since to gain all details required for a debit is impossible.

    A real paypass/paywave reader will get a challenge from the bank, run it through card to get a response, which authorizes payment at the bank.

    The challenge/response, is handled by the impossible-to-hack smartcard chip as you see in the Picture, the antenna is directly hooked up to the smartcard chip giving same security as the smartcard chip.

    So this thing is a very dumb idea to do. Think of the future, where you can just walk out the shop with your goods and payment is done!

    And if you don’t accept the charge that is shown in the cash register display, don’t hand over the card. Simple as that. Treat it like cash. Don’t hand over the cash if you don’t accept the charge. (for example, if the discount that was posted is expired and you wish not to buy the Product any longer).

    If there would be a mismatch between the cash register and paypass/paywave charge appearing on your statement, then the shop is fraudulent.

    And as you know, there’s a multitude of ways a shop can defraud you, even if they don’t have your card (what about accusing you of shoplifting?).

    So simple as this: Don’t enter shops that you don’t trust 100%. If the shop is untrusted, then don’t touch it. Simple as that.

    • The two linked threats are in the public domain. No one is really concerned about them. It is what you don’t know that is the concern.

      The entire premise, that I don’t want RFID identification on my person, is the basis of this post. So calling it dumb is just missing the point.

      I have used prepaid anonymous RFID cards happily since the last century, so I fully understand their convenience.

      If you like RFID “dog tags” to identify you everywhere you go, then enjoy it, and go read something else.

    • Do you carry the same amount of cash on your person as you have in your account? Is your everyday banking account linked to your mortgage account or perhaps an interest bearing short term savings account? Telling others to treat the RFID cards like cash is naive. The potential for someone to make several transactions in a short space of time before you realize your card is gone is significant and before you know it you could be hundreds, if not thousands of dollars down with little or no recourse to your bank due to their limited liability provisions. RFID and Paypass worry me enormously.

      And now they are making signatures obsolete too in a couple of months. The importance of signatures cannot be understated. More reasons and personal experience than I can express to explain why this worries me so, but with my 86 year old parents now facing the reality of having to remember a PIN rather than sign as they have for their whole lives, I worry about the security of their limited remaining finances. Banking has become far too blasé.

      • Hate RFID, killed it. (Awful time backlighting the very reflective card).
        PIN vs Sign, PIN is far better, used it for years. Worked in banks, friends still work in banks, no real checking of signature, too much bother. As for point of sale, generally manned by minimum wage illiterates who at best pretend to look at the signatures.

  11. So the EMV technology was devised by Europay, Visa and Mastercard. So when I looked at the different Visa cards issued by different banks, they all look the same – meaning the location of the paywave, chip and magnetic strip are on the same place. So one would think that if it worked for you by punching on the left bottom left just beside the 4 digit small number on the card, it should work for my Visa debit and credit card. I am going to try it on one of my cards, I have nothing to lose, I can always request a new card if it doesn’t work.

  12. Having a rash of fraudulent transactions in Australia. Card stolen and then several purchases just under the $100 limit in a short space of time. By the time you get to cancel the card the damage is done. The bank can refuse liability because you didn’t inform them.
    I don’t want to put all my small payments on credit. I’m not given a choice with PayPass.
    Merchants wave the card before you get a chance to refuse.
    Sometimes the PayPass scans with an errant hand movement.
    The worst scams are probably still only just being invented.
    Blow your RFID tech out your fundament, I say!

    • I don’t understand your statement: “Merchants wave the card before you get a chance to refuse.” Why do you hand the merchant your card before you approve? I have never seen a time where I am asked for any sort of payment before the total is calculated.

      • The comment refers to the process where the merchant requests your card to conduct the transaction, which is the normal case where they have to enter the value of the transaction into their machine before proceeding, and then attempting to wave the card rather than inserting it into the chip reader. Every merchant attempts to wave unless verbally instructed NOT to wave when you hand over the card.

        This happens today, and the merchant usually comments “oh, your card seems to be broken”. And I say “No, just insert it into the reader. I have deleted paypass”. Situation resolved and a longer conversation follows, which ends up with them saying “that’s a good idea”.

      • Some retailers hand you the machine. Others take your card and do everything up to when you enter the pin. It’s their habit. I don’t want to have to have a major confrontation at every transaction or have to be on guard every time. The merchants took the card to complete and, instead of inserting the card they pay-waved it. N.B. I do not want to make small purchases on credit. If the system was legit you’d be able to specify which account paypass debits. It’s just a way to get people into putting everything on credit and then ending up with more credit fees. If society goes cashless you will pay a fee for every purchase you make; even the smallest. Paypass is the gateway drug for that abomination.
        My Paypass is disabled and will stay that way.

  13. Best bet is to do what I did – use a laser engraver to cut a hole.
    No pressure, clean, fast, no risk of other damage…

  14. I disabled the TD Aeroplan paywave with a sharp utility knife. Thanks! I used your LED flashlight trick – a bit trickier with a black card, but workable in a completely dark room. On this card, the antenna goes across the middle of the card about 1 mm below the card number, then down the edge like your diagram, back along the edge under the bottom of the magstripe and back up to the chip.

    I cut the antenna with a utility knife, scoring the card from the back deep enough to leave a visible indent in the card – did this in two spots, one from between the middle sets of numbers almost to the expiry date, and another between the signature and the magstripe 1mm from the edge for 4 mm or so.

    This disables the paywave but not the chip function inserted in a terminal (using the metal contacts).

  15. Just used my wallet to shield the view of my pin number while paying for groceries at Countdown. Voilà, instantly the card supplied by my employer took over and paid. I didn’t even know I had a pay wave card till then. What a lot of hassle that I don’t need. This is crazy, you can’t opt out. Will use the drill, but shouldn’t need to do that..!!!!

  16. It’s happened to me a few times since that stores have tried to paywave without asking.
    But my card was disabled. I say was…it stopped working at all for no reason. Can systems be set to kill the chip on a card that has paywave disabled? Maybe paranoid but if it’s happening to anyone else leave a comment.
    I haven’t disabled my new card yet.
    Also, some people are suggesting that the card must be close to the reader. This is RF technology-dial up the power and you dial up the range. Someone could at least build a detector that fires your card from many meters away.
    The tag in my toll pass works at 5-10 meters. Is it not the same tech in action?

  17. I have a Capital One MasterCard and when I talked to them they said the RFID chip is embedded inside the large chip and pin chip and could not be disabled. I shone a very bright light through the card and could not find this RFID chip, so I assume they are right. Is there any other way to disable this RFID chip?

    • I am not sure that you are reading the article. You are looking for thin antenna traces. The antenna traces develop power through induction for the one chip, and carry RF signal to that chip. These antenna traces are what you need to cut to disable the RFID function, and still retain the Chip&PIN function.

  18. Here in Australia the mind numbingly STUPID thing (and shown on a TV current affairs show by one smug wally in the banking sector) is that they plan to introduce eye and fingerprint scans for security in the future along with facial recognition and voice prints. Are you clowns JOKING??
    These ‘security’ methods have ALL been cracked and are largely worthless! An iris can be read from across a room!
    Nothing is safe anymore, nothing.

  19. I’m reading your interesting article two years after it’s been uploaded, so I don’t know if you, the author, are still reading replies and questions.
    Being very ignorant in technologies, I would appreciate it if you could indicate with an arrow or a red point which one is the antenna in the image you titled “PayPass Card Antenna & Chip”.
    Thank you
    Adriana

    • The antenna is the dark line, like a thin straight wire, which you can see when you look through the card. There will be several of them, so just find the best place to punch that doesn’t affect other card features.

  20. Pingback: Does mechanically disabling payWave/PayPass by punching a hole formally invalidate the card? – Finance & Money &Loans & Mortgage

  21. Pingback: 11 formas mediante las cuales se pueden robar tus datos de tarjeta de pago y cómo protegerte - PCI HispanoPCI Hispano

  22. For those wondering where the RFID on an Amex Gold Rewards Card is, they’ve sneakily put it right behind the chip. With my iPhone flashlight held right up against the card, you can see a light pink vertical strip to the right of the chip. I poked two holes through it with a thumbtack and am looking to test it out soon!

  23. I just received my Costco Citi Visa with Chip reader and RFID. There does not seem to be an antenna connected to the chip.

    • There needs to be an induction coil to power the chip. The power generated is proportional to the area of the coil and the number of turns. So it can’t simply not be there. The wires may be finer than previously.

      The antenna itself can be smaller, but that doesn’t matter. Killing the power supply through breaking the coil is enough.

      • I’ll be interested to hear if your other readers can find it. There is a swirly pattern on top of the card, but it doesn’t seem to connect to the chip. Wish I had a CT scanner.

    • I cut my Costco card up from the middle, and took the chip out. I think there is this RFID right behind the chip, and what looks like copper wires comes from both left and right with wires.
      Anyway, I took a pic of it for you to see it clearly; not so good a pic, but it explains. 1 and 2 are where I think we can cut the wires, the mark 3 is just a sign of where the actual metal chip was.

  24. I also disassembled a Costco Citi card and found that the antenna array is to the right of the contact chip. It is an array of traces running from just below the top of the chip to the bottom edge of the chip. Each loop is about .3 mm wide. I did not expose the entire array, but it continues under the chip. I took some high resolution photos of the traces that I’d like to upload here, but I cannot see how to do that.

    However, it appears that if a 1 mm or larger hole is drilled at the lower right corner, it should break the antenna. Drilling a 2 mm hole adjacent to the right of the first gap in the chip from the top will further isolate the RFID chip from its antenna and power source.

    If someone can advise me how to post pictures, I will update this post.

    Good luck.
