
Protect Yourself From Remote RFID Theft on Paypass Credit Cards By Using Pliers or Vise Grips

As soon as you finish watching this video, go get some pliers or a vise grip and find the little bump on your PayPass credit cards. Smoosh it with the pliers or vise grip, then test the card the next time you are at a place that has remote PayPass RFID readers. Testing is important so that you know the vulnerable RFID tag is smooshed like a bug and you won't be vulnerable to someone swiping the info off your credit card remotely. Got other ideas for destroying the RFID chip? Leave them in the comments!



Reader Comments (18)

Knowing that the tech is embedded in the card is important, but opting out of using PayPass with vise grips is only one option. I rather like the fact that when I go into my local drug store I can just wave the card over the reader, I do not have to hand it to the kid at the cashier and I do not have to sign. However, I also have two thin sheets of brass in my wallet which line the pocket that I slide my PayPass card back into once I've made my purchase.

What would be the optimal method to get rid of a magnetic strip on my credit card?
Since I mostly pay using the onboard chip, I don't want my card to be usable just by someone learning and imitating my signature.

Feb 28 | Unregistered Commenter martian

I'm pretty sure that putting the card in the microwave would destroy the arphid but what would happen to the magnetic strip... there's only one way to find out!

Feb 28 | Unregistered Commenter jeremie

My Canadian PayPass card doesn't have the bump. Different kind of RF circuit maybe?

Feb 28 | Unregistered Commenter Michael

You can get rid of the magstrip by scraping it off with a razor. If you don't like the way it looks, redraw the black back on with a sharpie marker :) Putting it into a bulk audio tape eraser "might" work.

Feb 28 | Unregistered Commenter kyoorius

Doktor von Slatt's idea is best. Why destroy the functionality for yourself if there is a way to safeguard its misuse without going that far?

Mar 1 | Unregistered Commenter paul

microwave 3 seconds
tho I'd opt for shielding it, and using it, ala von Slatt.

wow... hadn't seen paypasses before...
and wow 2... microwaving credit cards? :D

I like the shielding idea, but the brass sheet idea is too bulky. What about making a for your card, or a wallet liner, from aluminized mylar? Like the potato chip bag stuff. Toss your cell phone into a chip bag and close it up. Now call it.... Nuthin', right?

Good article here on several approaches to dealing with rfid. Note the advice not to mess with your passport, it's a federal felony.

Mar 2 | Unregistered Commenter dgrc

I need a hammer - a hammer - a hammer - a hammer
To hammer them down!

Mar 9 | Unregistered Commenter xa4

Do you know anything about paypass at all? Certain information can be read cleartext, such as your name and account number - that part is true. However, the information is practically useless - the account number is not the same as the one on the contact interface, and can only be used for contactless transactions. Considering that transactions require RSA for authorization, the information is useless (unless you know the card's private key, and good luck extracting that off the EEPROM). So what's the point of this incredibly ill-informed article?

Mar 10 | Unregistered Commenter Matt

Interesting if you don't want the functionality, but you just know it's gonna come up again.

I'm with Jake von Slatt on this - as a matter of fact, I usually carry around a wallet made out of stainless steel mesh (ductile 304, baby ;D). The basic upshot is complete scrambling of radio frequency transmissions through the wallet, RFID included.

I've tried it out with my RFID security pass from work - absolutely nothing, even when butted right up to the receiver. Sweet.

Mar 10 | Unregistered Commenter Fletch

@Matt umm, do _you_ know anything about paypass? Almost every card uses the exact same account number as what is printed on the card. The only exception is amex. The next generation cards use something called cvc3 or dcvv, which dynamically changes the three digit code based on the incrementing ATR (automatic transaction record). RSA is not used in any form of contactless payment system using paypass/EMV.

Mar 11 | Unregistered Commenter 3ricj

@3ricj: Um, you know this how? I've just written an mchip/paypass implementation about to go onto tens of millions of cards. Have you read the specs? I would refer you to the "MChip specifications for credit and debit", section 5.1, appropriately entitled "Public Key Cryptography". Admittedly, far too many issuing banks are not using proper PKI (DDA), and in my opinion should be shot.

PS: ATR is "Answer to reset" - you're thinking of the ATC (Application Transaction Counter)

Mar 17 | Unregistered Commenter Matt

PPS: It's up to the issuing bank to choose the account number that goes on the contactless interface. If they put your real account number on it, change banks and tell them why. EMV best practices recommend strongly against putting the name or account number on the contactless interface because they know how uppity people get about it.

Mar 17 | Unregistered Commenter Matt
