October 27, 2006
Spychipped Credit Card Q & A
The recent NY Times article that reveals the security flaws of RFID-enabled credit cards has consumers wondering if the cards in their own wallets are putting them at risk. We've been getting lots of questions and thought it might be helpful to share some thoughts here about what steps cardholders can take to protect themselves and their identities.
Q. Am I really at any risk if I carry an RFID-enabled credit card?
A. Security researchers have demonstrated that someone can siphon your name, credit card number and other information from these cards right through your purse, backpack, or wallet--without your knowledge or consent. If you tote the "spychipped" cards, you could be opening yourself up to identity theft and surreptitious tracking of your movements and behavior. This "someone" could be the credit card issuer or a retail store--it could also be a stalker or thief.
Q. Does my credit card contain an RFID tag? How can I tell?
A. Call your credit card company and ask if your card contains an RFID tag. RFID tags are so small and thin that they can be hidden within the plastic. An RFID tag communicates by silent, invisible radio waves. If you don't ask, you might never know that your card can beam back information like your credit card number, name, etc. The exception is the American Express Blue card. You can see the RFID tag through the clear plastic.
Q. Don't credit card companies tell you when they send RFID-enabled credit cards and alert consumers to the information security issues?
A. Millions of RFID-enabled credit cards have been issued with innocent-sounding names like "Blink" and "EasyPay." Most consumers don't understand that this is a way the card companies have been trying to get the public to accept the cards without needing to explain the serious privacy concerns. After all, the RFID industry's own studies have shown that 75% of consumers object to RFID on privacy grounds once they understand how it works and how companies plan to use it.
Q. What credit card brands contain RFID tags that have security issues?
A. I spoke with one of the researchers quoted in the NY Times article. He wouldn't reveal the names of the issuers of cards tested in the sample, but he said the team found problems across all brands, including Visa, MasterCard, and American Express.
Q. What should I do if my credit card contains an RFID tag?
A. We believe credit card companies should recall RFID-enabled credit cards that leak information about consumers. However, we haven't heard of any company taking this responsible action. It's going to be up to you to demand a replacement card that is spychip-free.
Most credit card issuers will send you a new card without an RFID tag at no charge. However, we've heard that American Express customer service representatives are telling consumers who call with concerns not to worry because they can disable the RFID functionality from headquarters.
The RFID-enabled American Express Blue card has dual functionality and contains two distinct credit card numbers. One number resides on the mag stripe. The other number resides on the embedded RFID tag. AMEX customer service representatives are likely disabling the card number that resides on the RFID tag in the company database. This should help prevent unauthorized purchases via numbers read by radio waves. HOWEVER, this is only a partial solution.
The tag within the card could still be read by authorized and unauthorized persons and be used to track you and your behavior. We are recommending that consumers demand a spychip-free version or take their business elsewhere. Do you really want someone to scan information about you through your purse, backpack or wallet without your knowledge or consent?
Note: Do not mail or throw away the RFID-enabled credit card before destroying the RFID tag. Tags can be read right through envelopes and trash. You can destroy the tag by shredding the card or by cutting or crushing the chip.
Q. Can I disable the RFID tag in my microwave?
A. Don't do it. While putting an RFID tag in the microwave can disable a tag, doing so can also start a fire and damage the microwave. (We recount our microwave disabling trials in our book "Spychips.")
If you have any other questions, send them to me, and I'll try to share an answer:
- Liz McIntyre
Posted by liz at October 27, 2006 5:54 PM
A paper hole puncher will suffice to remove the obvious chip from the amex blue card. Regardless, you're best off not using the card at all and calling amex to make a statement about it.
Posted by: gpshead at November 16, 2006 3:08 AM
Where on the card is the spychip located? If I know, I can disable it with a hammer.
Posted by: M Fowler at December 7, 2006 9:28 PM
I received my new AX Blue card and it contained the RFID chip. I called up American Express, and the representative was very accommodating in sending out a new non-RFID card overnight. It was encouraging to see that American Express is understanding in listening to their customers' concerns.
Posted by: Danny Tech at December 22, 2006 11:02 AM
We received the new Amex Blue cards with the RFID chips. Called Amex, asked for non RFID cards, they said they no longer provide them but they would disable the chip (how? neutron bomb on my locale?). They said any purchase transaction made by an RFID reader would be rejected. Duh! But the chip is still active for anyone else who wants to get my info or track my shopping habits. Well Amex, I took a drill to your precious RFID card because you make it easy to see where the RFID is. A 1/8" drill bit sent the RFID chip to hell.
Posted by: Joe at April 17, 2007 2:23 AM
Thank you for the post. I've just started using credit cards and I still do not know all the peculiarities. I'll certainly contact my bank and will find out.
Posted by: at June 18, 2007 2:01 AM