How to manually disable the no contact card?

You will seriously decrease your security by disabling the radio or chip in your credit card.

Chip and PIN is the most secure form of payment available today, followed closely by Chip and Signature; contactless payment is almost as secure; mag stripes are completely not secure, and hand-keyed account numbers (such as on a web page) are the least secure of all.

It may help to understand the different protocols in use. The data provided by the chip, either through electrical contacts or via the Near Field Communications (NFC) radio, follows a different payment protocol (called EMV) than the data provided by the magnetic stripe.

First, be aware that all cards, including chip, mag stripe, and contactless cards transmit data in the clear*. The data includes card number (also called the Primary Account Number, or PAN), expiration date, and some kind of verification value. The bank uses the PAN to look up the account, checks the expiration date, then validates the appropriate verification value. If they match, the bank goes on to approval processing. If they don't match, the bank declines the transaction.

Believe it or not, the account number isn't the problem. The problem is when all of this data is copied together, including the verification value.

There are two different Cardholder Verification Values on a mag-stripe credit card. There is the Cardholder Verification Value (CVV), which is embedded in the mag stripe's data, and the CVV2, which is the 3 or 4 digit number printed on the back of the card, and is for use in "Card Not Present" transactions (such as paying online.)

When a card is mag-stripe read, the entire track of data from the mag stripe is sent to the bank. The bank looks at the track data and will require the CVV from the track to match their records exactly. If a card is hand-keyed (as on a web site), the bank requires the CVV2 from the back of the card to match. Stealing the mag stripe does not get the thief the CVV2 so he can't buy online; stealing the CVV2 from a web site does not enable a thief to recreate a mag stripe and create a counterfeit card.

However, the basic problem with the mag stripe is that all the data is static. Because the track data can't be changed, the CVV is static. Because a credit card is printed, the CVV2 never changes either. That means if the card data is read just once by a thief, it can be copied and replayed again and again, resulting in fraud.

That's where the contactless cards are different. Because they have an on-board chip with a CPU and memory, they generate a single-use transaction-specific verification value. With each subsequent transaction, they generate a different verification value. The bank uses cryptography to validate the verification value was correctly generated on each transaction; this confirms that it was their chip that was present, and not just a copy of the number. This means that copying all of the authorization data, including the PAN, expiration date, and verification value, does not give the thief enough information to replay the information and commit fraud with the data. Similar protocols protect Chip-and-PIN and Chip-and-Signature transactions.

Instead of clipping the NFC antenna, you are much more secure if you use only the contactless radio for payment. However, since many shops don't take contactless payments yet, you still need to use your mag stripe at those locations, where your data is still vulnerable and subject to skimming. And when you use your card online and type in your CVV2, it's also potentially vulnerable to theft.

If you want to increase your security, let the merchants where you shop know that you're unhappy that they don't take contactless forms of payment, or if they don't yet take chip cards. The more they hear from their customers, the more likely they are to upgrade their equipment to a more secure device.

If you're extremely paranoid, you can certainly buy a cheap RF-blocking envelope to keep your card in your wallet from being skimmed by the guy next to you on the bus; but even if he does read it, the data he reads can't be used to create a working clone of your card. (At most, a very sophisticated attacker could have an accomplice paying for a diamond ring at the exact time the guy on the bus reads your card, channeling stolen payment data through him as a proxy. And that's why you should tell your bank you would rather have Chip and PIN than Chip and Signature.)

EDIT For clarity, here’s how I rank the various payment schemes in terms of security, from best to worst:

  1. Chip and PIN
  2. Chip and Signature
  3. Mobile payment systems(Apple, Samsung)
  4. NFC (contactless with dynamic authentication data)

...

  1. Mag stripe
  2. Web entry with two-factor authentication
  3. Web entry

* Some contactless technologies, such as Apple Pay, use a substitute number in place of the PAN. While this sounds more secure than the cleartext account number found on chip cards, this means your banking information is always present inside Apple's systems, where you have to trust they won't be hacked, and that your iPhone and iWatch won't be hacked.


Is there a way to manually disable this no-contact thing? I'm either looking for a physical solution...

There are a few examples of people building Faraday cage wallets, like suggested in the comments. Here are a few that should be easily reproducible to solve any physical requirements to prevent this.

  1. http://www.zdnet.com/article/how-to-build-a-faraday-cage
  2. Can a steel woven wallet prevent RFID scanning of credit card information?
  3. http://briangreen.net/2010/11/diy-ultralight-faraday-cage-pouch.html
  4. http://lifehacker.com/5934635/use-an-altoid-tin-as-an-rfid-blocking-wallet
  5. http://howto.wired.com/wiki/Make_a_Faraday_Cage_Wallet

Tags:

Credit Card

Related

Did KeePassX ever have an audit funding? Router being infected by malware What does the Juniper backdoor actually allow an attacker to do? XSS via JSON: Why does a web application not sanitize either its incoming params hash or its outgoing JSON values of malicious tags like Script? Should I be concerned that Google no longer trusts specific Symantec root CA cert that is also on my Windows system? How to defeat doubling up apostrophes to create SQLi attack? Phone call to try and gain access What is happening now with the Grub backspace key security vulnerability? My country is attempting to block WhatsApp, what to do? Why would the government collect Wi-Fi SSIDs via manual door-to-door questioning of citizens? Samsung SSD 850 EVO. Best way to protect personal data against thiefs How to choose a password that I have to remember for a long time but do not use a lot

Recent Posts