I got a new credit card in the mail, and I noticed the PayPass logo in the top right corner. I’m no fan of RFID, especially with so many documented weaknesses. Also troubling is the loss of two-factor authentication that we’ve had for decades in Australia; both Visa and Mastercard require only the presence of the card for EMV transactions under $100. I like my credit card, I don’t like that other people can spend my money with it. I thought about trying to convince my bank to give me one that wasn’t PayPass-enabled, but Mastercard won’t issue cards without PayPass, so it seems I need to make my new credit card compliant with my privacy and security policies.
Admittedly, all the exploits for RFID-enabled cards seem to affect cards in the USA, whose banking system (as best I can tell) is run by a bunch of morons. I assume that the cards in Australia leak no information other than an identifying card number… but even that. RFID can allow unintended transactions, so I’d prefer my transactions to be intentional. I considered killing the whole chip in the microwave, but there’s a risk that would affect the mag-stripe. You don’t need a radiographer to lend you an X-ray machine to locate the RFID antenna. Turns out that a light globe is plenty bright enough to spot the antenna tracks, or the sun (if you can spot it at this time of year).
I laid my card on a horizontal compact fluorescent light globe, and look what I could see:
I dutifully marked the point where the antenna traces all converged on the one location, then drilled that point out with a hole made with a 3mm drill bit. I took it off to my local Kmart, and it worked. However, it failed at the Coles, and at every subsequent retailer (dozens) where I’ve tried using it. Apart from that one Kmart (others haven’t worked) the PayPass functionality is now turned off.
I’ll update here if I make additional modifications that are successful.