5

New payment cards in my country are now delivered with the no-contact option that allows pay without putting the card in a machine. The fact is that these cards aren't secured because you can read them easily with a phone or a tablet and retrieve information about the bank account.

Is there a way to manually disable this no-contact thing? I'm either looking for a physical solution (like scratching a part of the card or removing the chip that makes that ) or a software solution that blocks this functionality.

JohnnyBgud
  • 419
  • 1
  • 4
  • 8
  • 4
    Buy a faraday cage wallet? – BadSkillz Dec 21 '15 at 08:06
  • 1
    You can do it by cutting the antenna. There's articles on the web and even videos on YouTube. – Simon B Dec 21 '15 at 19:15
  • Cards usually have the account number they relate to printed on them somewhere too, which can be read without any equipment at all. There are a set of very specific attacks on NFC enabled cards, but they are all a Iot less dangerous than the various magstripe based attacks. – Matthew Dec 22 '15 at 06:46

2 Answers2

6

You will seriously decrease your security by disabling the radio or chip in your credit card.

Chip and PIN is the most secure form of payment available today, followed closely by Chip and Signature; contactless payment is almost as secure; mag stripes are completely not secure, and hand-keyed account numbers (such as on a web page) are the least secure of all.

It may help to understand the different protocols in use. The data provided by the chip, either through electrical contacts or via the Near Field Communications (NFC) radio, follows a different payment protocol (called EMV) than the data provided by the magnetic stripe.

First, be aware that all cards, including chip, mag stripe, and contactless cards transmit data in the clear*. The data includes card number (also called the Primary Account Number, or PAN), expiration date, and some kind of verification value. The bank uses the PAN to look up the account, checks the expiration date, then validates the appropriate verification value. If they match, the bank goes on to approval processing. If they don't match, the bank declines the transaction.

Believe it or not, the account number isn't the problem. The problem is when all of this data is copied together, including the verification value.

There are two different Cardholder Verification Values on a mag-stripe credit card. There is the Cardholder Verification Value (CVV), which is embedded in the mag stripe's data, and the CVV2, which is the 3 or 4 digit number printed on the back of the card, and is for use in "Card Not Present" transactions (such as paying online.)

When a card is mag-stripe read, the entire track of data from the mag stripe is sent to the bank. The bank looks at the track data and will require the CVV from the track to match their records exactly. If a card is hand-keyed (as on a web site), the bank requires the CVV2 from the back of the card to match. Stealing the mag stripe does not get the thief the CVV2 so he can't buy online; stealing the CVV2 from a web site does not enable a thief to recreate a mag stripe and create a counterfeit card.

However, the basic problem with the mag stripe is that all the data is static. Because the track data can't be changed, the CVV is static. Because a credit card is printed, the CVV2 never changes either. That means if the card data is read just once by a thief, it can be copied and replayed again and again, resulting in fraud.

That's where the contactless cards are different. Because they have an on-board chip with a CPU and memory, they generate a single-use transaction-specific verification value. With each subsequent transaction, they generate a different verification value. The bank uses cryptography to validate the verification value was correctly generated on each transaction; this confirms that it was their chip that was present, and not just a copy of the number. This means that copying all of the authorization data, including the PAN, expiration date, and verification value, does not give the thief enough information to replay the information and commit fraud with the data. Similar protocols protect Chip-and-PIN and Chip-and-Signature transactions.

Instead of clipping the NFC antenna, you are much more secure if you use only the contactless radio for payment. However, since many shops don't take contactless payments yet, you still need to use your mag stripe at those locations, where your data is still vulnerable and subject to skimming. And when you use your card online and type in your CVV2, it's also potentially vulnerable to theft.

If you want to increase your security, let the merchants where you shop know that you're unhappy that they don't take contactless forms of payment, or if they don't yet take chip cards. The more they hear from their customers, the more likely they are to upgrade their equipment to a more secure device.

If you're extremely paranoid, you can certainly buy a cheap RF-blocking envelope to keep your card in your wallet from being skimmed by the guy next to you on the bus; but even if he does read it, the data he reads can't be used to create a working clone of your card. (At most, a very sophisticated attacker could have an accomplice paying for a diamond ring at the exact time the guy on the bus reads your card, channeling stolen payment data through him as a proxy. And that's why you should tell your bank you would rather have Chip and PIN than Chip and Signature.)

EDIT For clarity, here’s how I rank the various payment schemes in terms of security, from best to worst:

  1. Chip and PIN
  2. Chip and Signature
  3. Mobile payment systems(Apple, Samsung)
  4. NFC (contactless with dynamic authentication data)

...

  1. Mag stripe
  2. Web entry with two-factor authentication
  3. Web entry

* Some contactless technologies, such as Apple Pay, use a substitute number in place of the PAN. While this sounds more secure than the cleartext account number found on chip cards, this means your banking information is always present inside Apple's systems, where you have to trust they won't be hacked, and that your iPhone and iWatch won't be hacked.

John Deters
  • 33,650
  • 3
  • 57
  • 110
  • I find this answer a bit confusing. It seems to imply that contactless is more secure than Chip-and-PIN. Is it not true to say that Chip-and-PIN is the most secure option? You can still use Chip-and-PIN even if you cut the RF antenna to disable contactless. I agree that signatures are totally insecure. – SystemParadox Sep 21 '17 at 11:17
  • Contactless cards can use the same crypto as Chip and PIN and Chip and Signature, so that's equivalent. Both are susceptible to skimming, in that relay attacks are possible on both, but are very difficult requiring precise timing and coordination. A contactless card is certainly more vulnerable to a relay, as they can be read by a seat mate on a bus without your knowledge. – John Deters Sep 21 '17 at 12:09
  • This answer overlooks the fact that someone can use the contactless (or contact) chip interface to get the PAN/expiration/cardholder and then use that information for a non chip and pin transaction. There are plenty of acquirers that allow merchants to charge cards with those three elements only (no CVV, no address validation, etc). Chip and pin protects issuers and merchants, but it doesn't prevent skimming or that skimmed cardholder data is used for subsequent fraudulent transactions. It's designed to protect issuers and merchants, not cardholders. – KristoferA Nov 20 '19 at 00:51
  • @KristoferA , the eventual promise of EMV is that the account number will not have to remain secret. However, that promise will remain unfulfilled until mag stripes are abolished, and until someone develops a standardized secure mobile payment system to replace the CVV. – John Deters Nov 20 '19 at 03:25
  • Yes, but until that happens, which may take a long time, chip and pin does little to protect cardholders from skimming-related fraud. Until the day no acquirer allow card-not-present transactions with only PAN+expiration, I think the chip system should be redesigned to not expose the PAN in cleartext... – KristoferA Nov 20 '19 at 04:53
2

Is there a way to manually disable this no-contact thing? I'm either looking for a physical solution...

There are a few examples of people building Faraday cage wallets, like suggested in the comments. Here are a few that should be easily reproducible to solve any physical requirements to prevent this.

  1. http://www.zdnet.com/article/how-to-build-a-faraday-cage
  2. Can a steel woven wallet prevent RFID scanning of credit card information?
  3. http://briangreen.net/2010/11/diy-ultralight-faraday-cage-pouch.html
  4. http://lifehacker.com/5934635/use-an-altoid-tin-as-an-rfid-blocking-wallet
  5. http://howto.wired.com/wiki/Make_a_Faraday_Cage_Wallet
  • since it gives more textual and various infos, I marked John deters answers as the good one but thanks a lot for all the usefull links, +1 :) – JohnnyBgud Dec 22 '15 at 12:48