I’ve been concerned about the unilateral addition of RFID technology to my bank access cards and to my credit cards for some time. This technology has the potential to be invasive and insecure for the user.
Using RFID PayPass will make you spend 30% more than you had planned, off the top of your wallet. This science is reported by MasterCard. You’re welcome MasterCard.
Mythbusters isn’t even allowed to think about discussing RFID issues.
Because of these issues, over three years ago, I requested my bank to remove this capability from my cards. But that request was met with a clear message to piss off and not upset their grand plan.
Dear Mr Stevens,
Thanks for your recent email regarding your Visa Debit Card. My name is Christine and I will be helping you with your enquiry today.
Mr Stevens, firstly I apologise for the delay in responding to your email due to current high volumes.
Unfortunately I regret to inform that we are unable to remove the Visa PayWave option from our Visa Debit Cards as all cards have been upgraded to include this function.
We appreciate your understanding on the matter Mr Stevens.
Premier Customer Service Consultant
HSBC Bank Australia Ltd
On the 6th of June I requested information on removing the Visa
“Paywave” functionality from my account. The automatic response system suggested that you would provide a response within 48 hours. To date, I have received no email regarding this issue.
To reiterate. I would like to have the Visa paywave functionality removed from my Debit card.
Vendors and merchants are now taking my card and “Waving” it without my express permission. This is very dangerous functionality, as I have no option to check and confirm before my account is debited.
Please confirm the option to remove Visa Paywave from my HSBC Access Card.
Best regards, Phillip Stevens
Ok. So it is up to me to fix this issue myself.
There are many instructions on the Internet which imply that the easiest way to remove the smart card capability is with a hammer, applied with extreme prejudice directly to the chip. This brute force method has the dual effect of killing both the smart card and the RFID capability. That is an issue for me as I actually think that the smart card capability is a good feature, as the use of “chip and pin” significantly increases the security of transactions using the card.
It occurred to me that the RFID capability depends on the antenna contained in the card for generating the power for the chip (through induction), and for carrying the signal between reader and card. So, the RFID capability could be removed simply by interfering with the antenna coil.
I was initially concerned that interfering with the antenna would cause some issue with the “chip and pin” functionality. But then I thought that (if I was the engineer designing the solution) it would be stupid to remove the fallback capability for “chip and pin” if something unforeseen happened to the card RFID antenna. So I thought; worth a shot!
Update. I’ve found a paper, written in 2015 by Roland & Hölzl , which goes into substantial detail about the technology. Essentially they provide substantially the same information as below discussion, but written from a more robust technical perspective.
How to kill the RFID via the antenna?
The RFID antenna tracks around the outside of the card as shown in this image. The actual track of the antenna in your card can be checked by viewing with a very intense light (like a LED bicycle headlamp) from behind like an x-ray whilst shielding your eyes from stray light. Using a smartphone flash LED, aka the Torch function, also works very well. The flash LED light is very intense, and from a small source, so you hardly need shielding or a darkened room at all.
The RFID antenna can be segmented anywhere to break the induction loop. But, with respect to the integrity of the card, I preferred not to disturb the chip, the signature panel, the hologram, or the magnetic strip sections of the card. This just leaves a small section on the left side of the card (front view) that can be punctured to delete the antenna.
The puncture can be made anywhere. The only critical measurement is the distance from the card edge. For my cards the antenna was 3mm from the card edge. Use the x-ray view technique to check for your own card. The hole needs to be closer than 3mm to the edge, but far enough away so that the card remains fairly strong.
How to make the puncture without making a mistake?
I made a template using the following method.
- IMPORTANT: Use the smartphone flash technique to check your own card for antenna tracks, first!
- Get a normal paper hole punch and punch holes in paper as a template.
- Make a pen mark on the card at the location that you want to make the hole.
- Hold the card over a hole in the paper so that your pen mark can be seen through the hole.
- Mark around the card on the paper for alignment.
- Reinsert the paper, and the card on the alignment marks, into the hole punch.
- Punch a hole (whilst cursing Visa and Mastercard for being an oligopolistic blight on society), and profit!
- Rinse, repeat for all RFID cards.
Test this by trying to use the paywave functionality at your local vendor. RFID fail! Woot!
Warning: This worked for me. Your mileage may vary. Worst case, you’ll need to get new cards issued by your bank, so do it with cash in your pocket.
In the past two years since 2013, I have received many new cards and the process is just the same. Use the smartphone flash-light to identify where the antenna tracks run, and then use a hole punch to sever some of them. With a bit of practice using the template becomes obsolete.
At no time during the last two years has a merchant ever rejected payment because of the added RFID disabling feature. Payment with Chip&Pin (the secure way) is completely normal.
Deleting the PayWave from the new VISA card was particularly satisfying, as the best location for the hole was, coincidentally, directly on top of the logo.
American Express are now issuing RFID cards too. No specific branding, but equally simply disabled.
Finally QANTAS have decided that their frequent flyer membership card was not adequate unless it too contained a payment capability, and hence RFID. Easily disabled.
Cards from 3 years ago.