Jun 22 2012

Recently there has been much press coverage of the security flaws around contactless credit and debit cards and how the card details can be read without your knowledge.

I wanted to find a simple and effective solution that disabled this contactless feature.

Today I read that this task has been made simple for Android phone owners with a convenient app to read these cards.

There are many forums and threads out there about people asking their banks to provide cards without this feature to no avail.

You even have STUPID people drilling out or damaging the chip used for ‘Chip and PIN’ purchases – not very clever if you live in the UK since just about all in-store purchases and ATMs use this chip. Also this leaves the contactless feature intact! (OK, he is an Aussie I suppose – maybe they still use the magnetic stripes there).

If you really are a paid-up member of the tin-foil-hat brigade then you could use some to shield your cards in your purse or wallet. Yes, this mostly works but it’s too much trouble for my liking and there is a risk that a fat wallet without foil coverage at the sides might ‘leak’ enough to allow the card to still be read up-close.

I decided to do some research of my own. I had cards from Santander, Barclays and MBNA to play with.

Normally these cards have a second chip for the contactless feature that is independent from the chip-and-PIN chip. This chip must have a loop antenna connected to it to allow remote energisation from an RFID reader. This loop in normally a coil of 4-5 wires.

I thought it would be easy to find this second chip and drill it out but on my cards there was no indent or easy way to determine where it was hidden without totally destroying the card. And of course it could be different on each card.

So plan B was to break the loop antenna. I started by cutting some of my debit and credit cards. I then looked for any severed wires inside of the cuts. I found one place where all my cards had these wires and it was at the top centre of the card approximately 4-7 mm below the top edge. Incidentally, I could find no place on the card where the antenna was closer to the edge.

So all you need to do is to use a pair of scissors and make a vertical cut at the top approximate centre of the card. It only needs to be around 7mm. You can check by closely looking for severed wires in the cut. If your eyesight is good and you cannot see any shiny cut wires then there is a chance your card is different from all of mine. The Chip-and-PIN part still works for me and so do ATM transactions.

If you are totally paranoid I recommend you test the effectiveness of your work by going to the nearest ‘wave and pay’ outlet to see if it can detect your card.

22 Comments

  • On September 6th, 2012, peter said:

    HSBC contactless Debit Card – on renewal without asking csms first.
    I have just now received one such.
    Phoned HSBC in NORMAL WAY, and they quickly agreed to send replacent card with NO contactless facility. Card details (otherwise) would be CLONED, NB.

    I see easily exploitable tech.-scam issues with this, waiting to destroy banks!

    • On May 26th, 2014, Jaikanga said:

      I wish this would catch on in Australia!
      I cannot imagine any bank bringing in any system that would benefit any other than themselves! You may be safe in the shops but as soon as you leave there is someone waiting to pick up your details as they walk past you in the street. I cannot count how many people I work with that this has happened to.
      If these contactless cards are so safe why is everyone having to buy card protectors for them?
      I rest my case.

    • On March 19th, 2013, Joanna said:

      Any idea where it is on a Mastercard? Thanks for this infro

      • On March 20th, 2013, linuxcentre said:

        I believe it should be very similar if not the same- it’s not really to do with the payment system but more to do with the actual card manufacturer. I suggest you try the small cut and see if the wires are in there.

        • On January 4th, 2014, jason said:

          I just carefully made 2 small cuts just above the magnetic strip (one mill apart from each other) at the top and centre of my RBS Debit card. I had to use a jewellers eye magnifier and then removed the tiny piece of the card to reveal 4 tiny copper wires that run all the way around the card.

        • On May 18th, 2013, Nigel said:
          • On May 21st, 2013, Tim Watts said:

            I will point out that the Royal Bank of Scotland will replace Contactless debit cards with non-Contactless versions on request. I was horrified by the whole idea and told them. Strangely they did not argue and simply issued new cards and made a note on my record that I did not want Contactless ever again.

            • On May 30th, 2013, Steve said:

              Interesting! Just got issued my first ‘contact-less’ card from Metro bank. Read an article about payment errors and ended up here: very useful! The thing I’ve just done is hold the card up to a down-lighter and can see the card insides quite well. I can see the coil and where it runs and the connections to the chip. Where the magnetic strip is the light is not strong enough to see inside. I may have a play! :)

              • On June 6th, 2013, Alan Clifford said:

                I took a photo of what appear to be the relevent innards of a Metro Bank card

                http://blog.clifford.ac/2013/06/contracless-card-from-metro-bank.html

                • On June 17th, 2013, John Stumbles said:

                  Just got contactless debit card from CoOp and phoned to say I didn’t want it but they’re not offering non-contactless instead or to disable the contactless feature

                  • On August 30th, 2013, Alice said:

                    I have got lloyds tsb master card with this shit iand i cannot find the wires in the outer side. i have just talked to the man at lloyds credit cards department and he ensured me that there should be no problem with using this and paying twice, like at oyster card readers in london public transport. but my friend had already had an issue with that. having both cards in the wallet he was not able to get to the tube due to error on the reading machine. he had to take the oyster card out and touch the reader separately. so there is a hassle with this shit. and there is no option to get the old version one anymore as the man said. idiots. i want my old card back!

                    • On October 30th, 2013, buttlord said:

                      I just did a cut at the top of a french Caisse d’épargne visa card and it disabled the contactless function just fine. I had to cut right to the edge of the magnetic strip for it to work, though, so it would seem the antenna passes right above the magnetic strip.

                      Tip: if you have an android phone with NFC, you can use an app called “CardTest” to check if your card responds to wireless communications.

                      Of course even within the same bank the layout of the antenna in the card can probably vary depending on who manufactured the card, although I guess that they probably all coil around the entire perimeter and can’t overlap the magnetic strip along the entire side so making a cut at the top as shown here is likely to work on any card.

                      • On January 26th, 2014, Jon said:

                        When my Smile credit card arrived with the dreaded contactless logo on it, I found the antenna easily by shining a bright torch through the card. Instead of cutting at the edge, I used a small drill to break the loop (3 wires) near the top right corner of the signature strip on the back.

                        • On February 5th, 2014, JT said:

                          This is the exact method I have just used to disable the card that arrived today.

                        • On February 21st, 2014, Ben said:

                          Don’t really see what the problem is, contactless just makes buying small odds and sods that little bit easier.

                          Very good idea r.e. snipping the wire though!

                          • On March 13th, 2014, Doug Chandler said:

                            NatWest’s options for debit cards are: Contactless which is the default, or non-contactless FULL AUTHORISATION card. This means that it will not work in petrol pumps, trains, planes, and anywhere in an offline terminal. If you bank with NatWest and want to use offline terminals then you have no option but to disable the contactless technology.
                            Before requesting a non-contactless card from your bank, check that it is not a full authorisation card.

                            • On April 2nd, 2014, Paul said:

                              UK HSBC Visa debit card, used a very sharp scalpel to cut through from the back of the card just into the magnetic strip disabled NFC. Didnt need to go all the way through the card. Verified with NFC Reader app. Thanks for the info

                              • On June 6th, 2014, HelenJ said:

                                Why do the banks insist we have this stupid feature when every single customer hates it? Why don’t they listen to what customers want? I’m just going to start writing cheques for anything less than £20! – I don’t see why I should be forced into using something I don’t want (AND you don’t even get a receipt when using the stupid contactless thing!)

                                • On August 30th, 2014, Martin said:

                                  Barclays contactless cards use the same chip for contactless and the chip/pin thingy…. the downlighter method works well, drill 2 holes where the antenna connects to the card, no issue at all

                                  • On September 25th, 2014, Mark said:

                                    Hi. I was really paranoid about this but then I found this company who makes covers for contactless cards and blocks the signal so nobody can read them from distance. Bought one. It actually looks great. Follow the link to the website: http://idblock.co.uk
                                    There is no need to cut anything :-)

                                    • On October 2nd, 2014, Ian said:

                                      NatWest issue debit cards without the contactless facility but you have to request them. I received my NatWest credit card this morning and it has the contactless facility. I called them but they do not issue credit cards without contactless so told them I would probably move to another provider. They seemed surprised and sought my views which they will pass to their management team. I worked in IT until retirement and there are certain aspects of contactless technology which are not secure. My android phone can read the card details so using a small hacksaw I cut the card as shown in the picture above, making sure the cut did not extend into the magnetic stripe. Hey presto the contactless facility doesn’t work but Chip and PIN are unaffected. If you do not wish to have long arguments with your bank on the validity of contactless transactions then I suggest you do the same. Also I would avoid paying via mobile phone as they use the same technology so ensure NFC is switched off.

                                      • On October 6th, 2014, mark said:

                                        I have just received a contactless card from Lloyds Bank, which I didn’t want. I phoned them and they are sending one which is not contactless. They have a flag on their system which allows this option, but this obviously and predictably is set to contactless by default.

                                        (Required)
                                        (Required, will not be published)


                                        WordPress Themes