Yeah, the arm cross and thumbs up are super awkward. Content is good, but he always looks so closed off and unconfident. It always makes me feel like he's talking out of his ass instead of being confident with the material.
I actually discovered how to disable RFID/NFC cards the hard way when one day I got the idea, "Hey, what if I hole punch the corner of my badge so I can put it on my keychain?"
Hahaha, I ran into this with smart card access. Our maintenance guys drilled holes in their access cards, to loop a string thru for a lanyard, which nuked the card. So we had to hand out card pouches with lanyards so they would stop punching holes thru the cards.
Years back on a cruise they started using tap access cards instead of the mag stripes for the cabin doors and the same thing: people were poking holes with a hold punch to use with a lanyard and locking themselves out of their rooms. Did also see one couple with what I'm sure was a small knitted pouch around their necks to hold their cards, which can only be described as adorable.
Oh yeah, I remember in college when they switched from physical Medeco keys to "tap your school ID to unlock your dorm room" this was a constant occurrence I cut mine out for a lanyard too but I KNEW the ID cards were NFC so I shined a flashlight through mine and found a spot with no antenna traces to cut out with an Xacto knife.
I think there was a guide in a German tech magazine a while ago on how to disable NFC, and they advised checking with the lamp and then cutting away next to the pads with an exacto knife
Or cut into the side (any side) for about 1/4 inch (and use superglue if the cut annoys you). You'll cut through the antenna coil itself. Works just as well since the chip is powered from the coil and a cut coil will not power it enough.
Also I'm pretty sure Samsung Pay predates Apple Pay, and was significant in that they held the patent on using the wireless charging coil as a magstripe emulating transmitter. Back before NFC payment was ubiquitous and I daily drove a Note5 I would routinely have cashiers say "oh, sorry we don't take Apple Pay" as I held it up to their stripe reader for it to then beep and accept it anyway. It really gave off the "I am a technowizard" vibe.
The Wikipedia pages have Apple Pay launching 10 months before Samsung Pay - but it's possible that Samsung Pay rolled out in a particular locale before Apple Pay did (e.g. Brazil was 2016 for Samsung but 2018 for Apple.)
A few others were in the game before Apple and Samsung. Google Wallet was one of the first mainstream NFC payment services back in 2010 or so. I also remember Isis (cringe… renamed softcard) as being an early NFC payment system. I had a NFC compatible case for my iPhone 5 in 2013, which allowed tap to pay using the Softcard system.
It may be silly, sure. But as someone who hissed at a goose (it hissed at me first) because I wanted to establish dominance and make it move off the sidewalk I was on (I worked), im a firm believer in "it ain't stupid if it works"
I quite like the idea of drilling a hole to disable the antenna. It reminds me of that early Xbox 360 hack that involved carefully drilling into the DVD drive's controller chip to cut a line inside the chip to enable flashing of custom drive firmware that allowed loading of copied discs. Companies even made jigs that sat over the chip, to allow super precise drilling - and if you drilled too deep, or in the wrong spot, you killed the drive.
The first tap-to-pay debit card I got here in Australia in the 2000s was clear plastic on the back, so you could see the little copper wires of the antenna doing laps around the circumference. I don't have any NFC enabled on my phone so I don't need to mod my card.
Oh yea. I had the American Express "Blue Cash" card that was transparent way back in the day - you could see the radio loop which was super cool. Maybe like 2004ish? It had chip and NFC capabilities, I assume for international travel reasons because NO WHERE in the US did any of that ever work to my memory.
Also useful for if you want to protect your card from RFID/NFC sniffers paced near payment terminals. An RFID blocking wallet is useful at protecting the cards normally, but won’t protect if the shady gas station attendant hid a reader right under the counter where you remove your card from the shielding of the wallet.
It doesn't need to be an attendant. It can be just another customer in queue with a reader in pocket. Furthermore, if you actually use the contactless payment, ie. are reading the card with the terminal, there's not even need to be in the same queue, because passive reception is possible from fairly long distance in the moment you do the legitimate reading which in that very moment feeds the power to the card. Even though in all other moments the thief would need to be nearer, in order to feed the power for card to operate. Contactless payment cards are among the most severe security disasters of the entire millenium, and the ongoing prevalence of apologist attitude towards that is something I can never really understand. HUGE thanks for Ollam for having deviance to finally call out the issue! Thanks also for calling out the sluggishness of WinBloats 10!
This is of course why the banks put an upper limit on tap-to-pay transactions & mostly indemnify customers against tap fraud, being that the amount of loss from fraud is way lower that their additional profit from the feature. BTW if your bank will not indemnify you against tap fraud, go elsewhere if you need this service.
@@ts757arse That's inflation for yer, BTW I did some tests a while back with "RFID" shielded wallets, bags etc & although most of them blocked RFID, almost all of them only reduced marginally the reading range of NFC ( I think because its an inductive not radiative process ). Best solution I have found for blocking NFC reads from by wallet is placing all the NFC cards together which seems to prevent most readers getting anything useful.
Hi Deviant! Indeed, phone-based payments do work even if the device doesn't have connectivity. It's all about the secret token that's needed to perform the handshake between the terminal and the card. I saw a video about the NFC implants and how one UA-camr with such an implant had asked, I think Venmo, for such a secret token, so that he can program it onto his implant and pay with his hand.
I too was sure that the payment and authentication information is just stored in trusted memory, and no actual network is required, at least from the phone. The vendor terminal will still require it, at least for larger values, or if you have exceeded the budget for small payments without authentication.
To add to that, if the phone has network, it'll report the transaction to the bank and if there's a discrepancy, it can be shut down, but if not it'll just wait to report the transaction until it comes back online. There are basically three exchanges that go on: The phone to the terminal, the terminal to the bank, and the phone to the bank. The last one doesn't have to happen right away, it is a check on the first two.
Google Wallet, Android pay in 2011 and Apple Pay in 2014 were quite late entry into contactless payment. Contactless (tap and pay) systems have been around since 1995. In the county I'm in we have had contactless bank cards from 2007.
As a Capital One rep, I wish I could recommend this video to certain callers. Also wish we were able to request non tap to pay enabled cards still... And no this does not violate any agreement.
@@z00h It is pretty much a requirement these days and actually would cost more for the bank to issue one or the other as stupid as that sounds, so they just issue the one that is tap enabled.
In Europe financial institutes need to provide non-contactless cards when requested by the customer. I've worked at 2 now and it's just a simple check box on the systems. I think card production is mostly outsourced to a few big plants that handle multiple banks and societies, so it's not a big imposition for the banks to offer it.
As an electrician in Australia, my drivers licence has a chip on it no ever uses.... Never got in trouble if it never worked; so we just smash 1000V DC across it with our test tools lol.
Android Pay (the predecessor Google Pay) was around in 2012. There was even a promotion to use it where you would get a small credit (it was like 5-10 dollars) to use it. I had used it a few times with my Nexus 7tablet to redeem that credit at McDonalds. Apple Pay didn't roll around till 2 years later in 2014. Regardless, like you I hated that I was thrust into having tap and pay cards because my phone picks them up, but I am not brave enough to try and do what you have done here. I just try and keep my wallet and phone air gapped a few inches.
Keep fighting the good fight re: which NFC tech came first. I'm super tired of holding out my Android phone at a drive-thru, getting asked if I want to use Apple Pay, and having to say yes because if I say "no, Google Pay", the cashier's head will explode in confusion.
@@dgwdgw To be fair Google's strategy for NFC payments (amongst many other things) was incompetent and ineffective, and they lost any first actor advantage. I had Google Wallet when it was early in its life, on my Galaxy Nexus. You could only use certain Citi credit cards, or fill the account like debit. And then Verizon was doing its best to stifle Google Wallet because they wanted to push their competitor (ISIS, or I think it was called SoftCard before that), so you needed to download an APK if you wanted to use it on a VZW Nexus. Hell, even the name has flip flopped so many times I forget what it's called anymore. I think it went from Google Wallet to Android Pay to Google Pay back to Google Wallet.
I've noticed what I think is a rather big problem with the nfc Google pay, it's no safer then the tap to pay cards are. because I found out you don't need to unlock anything to use tap to pay. you could have your phone set up to require finger/face to unlock the phone, and have the screen off and tap to pay will still work! you'd have to auth twice to see if the payment went though. (once to get into the phone home screen then again to get into the google pay screen) but to actually pay with it you don't need to auth at all. so those remote reader attacks work just as well on a phone with google pay as they do with a regular card with tap to pay.
@@CrossRoadsOfTime IRC limit is 50USD right into limit where bank can make easy charge back, Also in latest update they require authentication or unlocked device (biometric, or minimum pin u can't use maze to unlock your phone)
Clever. I have to test a lot of card readers in my line of work, so I soft-disabled the tap on my bank card to avoid making any accidental tap payments. But this is even better.
As soon as I saw the title I figured it was to disable tap-to-pay, but I didn't consider hitting just the antenna to keep chip payment active. We've had chip and pin up in Canada for a long time now, with tap to pay being around for a while as well. It always amazes me how far behind payment cards were in the USA. I remember reading about a special USA model of a Samsung phone with "MST" payment, that could somehow transmit card data to a magstripe reader, and I had to ask one of my friends down south why such a thing would be needed.
Transmitting to a magstripe reader is a pretty clever idea, and easy in theory. It's basically a cassette tape reader, and only reads what's in front of it one "line" at a time. So you could trick it using an electromagnet, just like those now-old bluetooth adaptors for tapedecks.
Thanks for the video. Norfolk Virginia has issues with people sitting in malls with an oversized antenna pulling $1 and $2 dollar transactions off of NFC cards. They get smart and use an in state but out of city business [ read as out of jurisdiction] address. The people are smart - they move like locus from one mall to another then onto another city. Very troublesome to prosecute. Being able to nuke the antenna and keep the chip is great. Also hearing you say "apple pay is secure" is the good house keeping seal of approval.
I believe you can use Tasker with an NFC trigger to ignore certain NFC tags. I have root on my phone so I'm not sure if that requires privileges but I do recall being able to ignore my work badge when it was picked up by NFC on my phone.
My phone will just straight up ignore payment cards. You can open up NFC Tools and read that there is a card there, but it doesn't pop up anything if I'm on the home screen and put the card where the NFC antenna is on the phone.
@@nikomo same. My badge was the only thing that caused issues. I ended up cloningnthe badge and using my phone as my badge in the end but I never really had issues after I set up tasker. My battery was half dead by 11:00 but that wasnt a huge deal
Ignoring the card is one thing. However, being able to read other NFC things in the presence of that ignored card is way more difficult, if not impossible.
Never thought of using a bright light to see where the antenna is. I don't have a need to disable the RFID on any of my cards, but it's still interesting to see. Cards from different banks also seem to us different layouts for the traces. (Also I'm now partially blind from my Nitecore MH12 on full blast accidentally peeking out from behind the edge of a card)
For bonus points, figure if you could splice in a tiny switch (maybe just a membrane keypad dome?) back into the antenna, so that it still works when you squeeze it.
A neat idea for regular use but in this case it may not work if the phone case puts too much pressure on the card. Would be cool to cut a slot for a small jumper you can add/remove
I had a 1970 Plymouth wired up so that the starter relay wouldn't engage unless I shorted two terminals together with my ring. A similar "switch" could be done on the card with two bare pads that a ring could short together while tapping.
I see your camera quality has now by leaps and bounds better video quality than the older videos you had. The audio is clipping quite a lot, so maybe re-check the mic amp settings and post-processing filters?
I ALWAYS request cards without tap to pay. Most of my banks used to give them to me after a little arguing, but I haven't been able to get one without it for a few years now. I am definitley going to try your trick on my cards from now on.
The downside to the "tap and pay" I run into at some frequency is when the POS terminal isn't working with tap and people actually have to put the chip in and can't remember their pin (in Canada we use pin for Debit/creidt transactions almost exclusively).
Agreed. Chip and Signature never really existed in Canada, probably because it's nonsensical. Chip and Pin did predate Contactless payment of course. Contactless in common use predated the announcement of Apple Pay by a full 5 years.
That's why in Europe the POS terminal would ask for the PIN after a set number of contactless payments, I believe it was about 3-5 times. Above a certain value it always asks regardless. (I believe mine is set at payments higher than 25€, as far I recall.)
A lot of smaller credit unions are using these new ones where everything including the antenna is under the contact pads. I assume this is just a manufacturing cost thing but it makes disabling the NFC antenna damn near impossible.
The worst overlap I've experienced was at some European train stations. The turnstiles can both sense NFC and scan a QR code, but if you have your QR code displaying on your NFC enabled phone (because the tickets you have were delivered as a QR code) the phone will pop up your NFC options/wallet when you get too close, hiding the QR code. It took several attempts of trying to sneak up and get the QR code scanned before the NFC could kick in or, in one case, a friendly staff member with a handheld non-NFC scanner to get to my train. All these devices need a simple "stop doing NFC for a minute" switch somewhere...
Any android phone have the ability to toggle NFC at will, either through the settings or by defining a quick icon on the swipe menu. Which is exactly what I used before each payment, since sime versions of Google pay would allow payments as long as the screen was on, even with a locked phone.
When tap first came out I drilled all my cards to protect against remote cloning. That turned out to not be much of a threat in the real world(I also live in rural Canada where criminals think crowbars are high tech) so last time my cards where replaced I didn't drill them and started using tap and it's pretty darn handy.
You can't clone a card via NFC. While it is technically possible to skim the card and make a payment, you not only need the terminal, you also need an agreement with a payment service provider. And those do some serious vetting before they'll give you an account. Combine that with the fact that most cards will only allow small payments without PIN and that hasn't been worth it for criminals to attempt.
@@Hans-gb4mv you can technically copy a card via nfc and use it at a store, but only for a single transaction, and only if the actual owner of the card doesn't use it before the thief tries to use the copy they skimmed. It's pretty similar to a rolling code garage door opener in that sense.
@@Hans-gb4mv While not actual cloning, it is well possible and easy to sniff the card number which you can use to make payments in shops where CVC is not asked, and even if it was, CVC is way too easy to brute force. Even if there are undocumented mechanisms to lock the card after certain amount of failed CVC attempts, it is too easy to circumvent it by writing a simple python script which makes only one or a couple attempts in a row, and then waits a week or couple before trying the next one, so in between the failed attempt counter has in most likelihood been reset. Considering it is extremely easy to sniff thousands of card numbers thanks to the ahh-so-wonderful contactless payment, adding them all into the python script to be tried in turns, you will practically get right hits with CVC all the time, because CVC has only one thousand possible combinations, so for thousand card numbers to try with you by average get one successful hit every round in *first try*. And then go on by giving a couple more tries for each one once every week or two. Furthermore, contactless cards allow real-time relay attacks which is even simpler to implement and evade. So, I warmly recommend everyone to drill their contactless cards, and not let the convenience - which could have been implemented securely but for sake of stupidity wasn't - to lead into apologism.
In a rural village you might be relatively safe with your contactless card, but in everywhere else, the promoted real-world safety is only and merely due to unobservance. Meaning, how many times does anyone check their accounts for transactions? Honest answer is, most do practically never in any memorable interval, nor do I even though I am very security-concious person, if not outright paranoid. And adding the fact that many legitimate shops have totally different actual company name than what reads in their advertisement signs, most beneficiary names in your account sheet is not recognisable anyway, you just think er... don't remember what that might have been, maybe it was some individual corner shop, snackbar, special shop, or a franchise of a known chain, none of which never have their actual name in their neon signs. And most of the time, they were indeed such, completely legitimate transactions. But you never bother to actually dig them out further, you just accept the fact you don't remember where have you shopped, and you don't recognice those company names. Thus, if there was some or a few fraudulent transactions committed by a card number stolen from you, it by all likelihood will go unnoticed as long as amounts are kept somewhat modest. Especially considering that majority of people are way, way more "relaxed" about observing their accounts than I am. Well, even if one notices a seemingly fraudulent transaction from their account, AND bothers to confirm its fraudulence and make a claim, there is absolutely no way to proof it was anyhow caused explicitly by contactless fraud. It will be recorded in statistics as "just another card number fraud". And taking into consideration the heavy marketing push of contactless payment and arrogant denialist propaganda about their "safety", you can be sure they are not even by accident recording any fraud as contactless one unless there is undeniable proof for such. Still, considering how all but impossible it is to prove the contactless fraud to be the source for a specific case of stolen card number, the statistically admitted number (no pun intended) of the contactless fraud is HUGE. And the most sickening is the way they make apologism by stating how small percentage it is per the legitimate transactions. It is same as stating "murdering is not a problem, murders are soooo small percentage per the living people!"
@@TheSimoc Your card has not one, but 3 numbers associated with it. One is printed and encoded on magstripe, second is for the chip and third is for NFC. It's trivial for bank to see that they got a transaction with NFC number using magstripe or online and flag it as fraud. Your only option is to emulate a NFC card at a normal reader, but that only gives you one transaction - and you need to make it before the cards owner uses it. Only the relay attacks are a real threat, but that's easily mitigated by having the bank notify you about every transaction (every bank here in Poland will send you a push notification from the app if you configure it) or use a card with a built-in fingerprint reader needed to perform any transaction (at least one bank here provides it by default).
I believe the reason EMV chips caught on all of a sudden in the US was because the rules changed. Before, the issuing bank was always responsible for handling fraud. But now, if the merchant doesn’t accept the card’s most secure payment method, then the merchant is responsible for any fraud. So they scrambled to support chips. If only it had come a year later, all the merchants would have scrambled to support NFC.
@@jackiecs8190 since October 2015, when credit card issuers said they would hold the merchants liable for accepting fraudulent cards if that merchant didn’t have a chip reader.
The conundrum of a free laptop from Deviant: It's either clean as a whistle or you're pwned the second you open the box. Edit: Possibly as soon as the box gets near any of your devices.
Had the same issue with trying to put an ORCA card (a regional tap to pay transit card) anywhere near a phone with NFC enabled. And of course disabling nfc on that card makes it un-usable. So I end up using rf shield sleeves around my cards
My experience (also Canada) was vendors getting the tech for their POS devices a little before the banks and credit cards introduced the technology. This goes back to "chip" cards as well, of all places my small barber shop (with three people working there) had the first chip reader I saw in person months before my bank even released a statement that they were "coming soon".
Ok so that laptop was Dell trying to compete with the Panasonic Tough Book. Also great idea for how to knock out NFC while still keeping the chip enabled. Another thing worth saying is that if you are trying to do the mod yourself you need to use a drill bit that’s flat on the bottom and I would guess that not many people have a key machine or some tiny end mills laying around so just keep that in mind if you are not trying to go all the way through the card
That's actually a great method to solve this. I bought some cheap rf blocking sleeves on Amazon which is my current solution as I have this trouble regularly... now I'm considering drilling a small hole in my credit card so I don't have to fuss with pulling a card out of a sleeve and putting it back when I need it.
I think it should be perfectly okay for the bank. As far as the bank is concerned, your card simply "happens" to have a broken NFC antenna and unless you need a replacement card because of that issue, it just appears to the bank that you simply never ever use the NFC feature. I actually had one card that was still in mint condition visually but its chip features were flakey and I had to replace it. I guess there was a fracture in the chip or one of the wires because it might have been temperature sensitive whenever it happened to work or not. The bank even agreed to replace the card without having to pay for the new card.
Legally, the card is property of the bank, so you are destroying/changing the bank's property. Probably violates the cardholder agreement, and maybe violates a law or two. Functionally, though? No one will care. As for card replacements, they do wear out. I had one for a few years that started getting flakey with the chip read, so I requested a new one and they replaced it for free. Same story with friends and family. Not a big deal to replace, the cards cost em a dollar or two to make. As long as you aren't requesting a new one everyday, they won't care.
I was avoiding this recommendation for so long because it seemed super click baity, but this was a genuinely good video for what it was. I was absolutely not disappointed by the explanation.
Btw, there are tiny sleeves for credit cards that still fit everywhere the card does and block the antenna of the card, so it doesn't work contactlessly unless you remove it from the sleeve.
Minor fact check... adoption of and migration to EMV officially started in 2011 in america. Apple pay was released in 2014. In 2015, liability shifted to merchants for non-emv transactions which explains why it might appear like apple pay was leading the industry forward. However, this 2015 date was set in 2011/12. Feels like we've had these things forever but it's still pretty recent. Anyhow, it didn't sound right but also seemed plausible... needed to know the answer!
Apple Pay works offline because the actual card is on the phones secure element but Android Pay uses “host card emulation” where the actual card is on a cloud server and the phone thus needs internet to work. (To answer the subtitle question). I am not sure if any android or Samsung etc options support a true native card on the phone.
Neither of those services have the actual card or a copy of it. That's the beauty of the system. They just have a token with limited validity that can be used to generate payment information without using the card information. That payment info is then verified between the merchant, the card association and the bank (involving some crazy cryptography), without the merchant ever getting your actual card information. Both Apple Pay and Google Pay can work offline, they just need to refresh the tokens every once in a while.
It occurs to me to wish for a momentary button of sorts built in to the card, that would physically disconnect the RF antenna (much as you did) with the normally-open switch, but then if you squeeze the card in the right way (or perhaps any of several (2? 3? more?) available ways, with multiple electrical paths), it closes the circuit and the card can be used. I imagine this could be done -- either a membrane-type button that's just two contacts around a void in the central plastic (where the user would squeeze the thickness of the card in a particular spot), and/or an edge-based thing where squeezing the edges at a certain spot would close the connection (seems more ergonomic)... that'd solve the phone problem.
lol, I'm pretty sure you have me on your mailing list. I like the controlled way you went at cutting the RFID. Its not the sledgehammer approach of degaussing or microwaving your card. And its so much more controlled then a drillpress or CMC.
@@DeviantOllam lol Yeah, I'm an old retired cop and now a PI, I'm not exactly subtle. I tend to go for the most direct route to get what I need. I'm enjoying the fireside chats.
@@DeviantOllam Back in the days of the early Wave Technology™card b.s. I was not into it, so I took a ball peen hammer to the center of the little chip. Mind, this was back before chip and pin was being attempted, so it only killed the transmitter. Worked a treat.
Wikipedia has Android Pay in September 2015, almost a year after Apple Pay. It was only announced in May 2015, 7 months after Apple Pay debuted in the US. Are you thinking of Google Wallet (which is an entirely different non-EMV thing)?
Here in Poland I remember banks rolling out phone contactless payments way before Apple and Google were a thing. When Apple revealed their solution there was a lot of talk about "why are Americans so excited about this, it's been a thing since ages".
@@ScarfmonsterWR I wonder when Americans and other countries will adopt somethibg alike to blik payments. It's so convenient and I was shocked to find out that's not available outside of Poland.
@@zimpenfish You are right. Google's constant name changes and app merges got me confused. They have done something similar to this recently with the Google meet/duo app.
@@zimpenfish That's indeed just an issue with Google's renames again. Google had NFC mobile payments as early as 2012, maybe 2011. It's not that easy to find now. You can find a 2012 CNET article "Is NFC killing Google Wallet?" (I don't think I can do links here), where they explain how wrong Google was for implementing mobile payments through NFC.
If you want to "opt out" of tap to pay for security reasons rather than interference, some mobile banks let you actually stop your card from being used with tap to pay. I know for the UK Revolut allow this and I think Starling do also.
In reference to 3:40 or so: yes you can use apple/google/samsung pay without network connectivity in my experience. Revolut is good too, with their physical card you can temporarily disable or reenable NFC* *disabling NFC stops you from getting contactless charged on the train or something it won't stop the card from being actually detected by a reader which was your issue.
"apple/google/samsung pay works without connectivity".. Semi true.. The 'users' phone/watch/device doesn't need connectivity.. The 'reader' (eg, the business owner) needs connectivity.
The default android pay uses a cloud based “host card emulation” where it’s in the cloud so does not work without network. Apple Pay does and I think some phones and maybe Samsung pay uses the secure element. But many don’t so need a network connection. See Wikipedia for “host card emulation”
@@lathiat None of OEM pay apps use "host whatever emulation." This tech stack is called tokenisation and works without network for limited amount of times and limited sums. Wallet on the device loads 5 or 10 single use "keys" that are used for each payment and tries to request new ones via internet before they run out. Please stop trying to look smarter than you are buy spewing some words you imagine to be fancy. Or in other words - shut the fuck up and go read some documentation from VIsa or Mastercard on this topic. It all is easily available in their developer portals.
I am pretty sure all android phones have an option in that slide down menu to dissable NFC on your phone completely, just like you can disable wifi or GPS.
@@ColinRichardson of course the payment processor needs connectivity, how else would it charge the card? Print out an old school carbon copy paper and mail it in to the bank??
As a Canadian it's so funny you guys didn't have chip and pin until tap, I got my first card at 7 years old, and all my cards have had chip didn't have tap until the past 10 years. I've only ever swiped or had to sign like 4 times in 20 years.
1. Android Pay was first, but evolved into Google Pay; it was a different approach however in which Google paid for you then you paid Google. This was changed as it meant all transactions were considered to be to Google so rewards reflected that - often only 1%. 2. Most of the card is just useless plastic, you probably don’t need to be careful. My card split right above the mag stripe almost to the end of the card and both chip and stripe still worked. I only replaced it because I forgot my bank uses those ATMs that pull the card into another dimension and it almost got stuck.
I had this exact conversation with my bank, "Can I get a card without tap-to-pay". The answer is a resounding, "Uhhhh, no". I carry several cards in a wad in my pocket and when tapping the whole wad against a reader without taking one card out results in an error on the POS that often says something like, "only 1 card". So I took a strong flashlight, blasted it through the card, and marked a small dot on an antenna line on all cards except the one I use 99% of the time. I drilled a through hole on many cards and I never get a second look, but a partial drill with some nail polish is a nice touch.
Also from Australia, but all my cards (various banks) still have mag stripe (as backup to NFC/chip), and issued within the last couple of years. The no mag stripe might not be as widespread with banks as you think.
This is your bank, we received notice from an un named three letter gov’t agency that they are unable to effectively track you; they have had to move to using outsourced methods from your phone manufacturer and are tired of paying the premium. With this coming to light, we will be issuing you a new card. Thank you -bank manager
Thie video brought to mind an episode of NCIS from awhile ago where a woman was walking down the street with a cell phone and stealing people's credit card information wirelessly. I think the episode aired around the time credit card companies started rolling out this technology in the US.
Note that Australia (and I believe most of Europe) were using tap to pay since 2006 - way before Apple Pay. I believe it’s only new in the USA. I don’t think I ever had my iphone pick my cards up, maybe because Apple Pay can’t receive payment here, only send them? Since digital drivers licenses and Apple Pay I now only carry my phone.
We had tap pay cards in Australia long before android/apple pay, and chip & pin long before that. USA is really behind in banking tech, still using paper cheques like its 1980
Tap to pay was on Android via the original Google Wallet app years before Apple Pay,. It never saw widespread adoption because Google only supported it on Nexus (and later early Pixel) phones and if you didn't have one you needed to root to install it. I remember quite a few times I saw the little contactless symbol on a payment terminal and would just pay with my phone and 9 times out of 10 cashiers looked at me either like I was a wizard or like I was some sort of "hacker".
Reminds me of the Kamikaze hack for the Xbox 360. You'd drill in to one of the chips to short specific traces to bypass a write lockout. Produced one of the funniest console homebrew related images I've ever seen.
I thought it was going to be a tactile dimple, so you always know which way it's oriented without ever looking. I do it with my housekeys. Stopping the NFC makes sense too
Back when NFC first rolled out mainstream to cards around the mid-late 2000's here in the states i had a bank card that i just used a hole puncher on LMAO. I kinda went overkill, but got to the same solution as you.
I keep the wireless cards inside a metallized card pouch (you can get them for cheap, search "nfc blocker") which blocks NFC (I checked, does not read the card if it is in the pouch). Maybe that is an issue for your phone too if you keep them in the same case but for most people where the cards are in a wallet it's ok like that
Yep. My Samsung galaxy Nexus had Google wallet in 2011. And places started enabling the readers until 2014 when apple pay came out and apple had to get their cut from retailer, so retailers started turning off the readers. It took about 2 years to get back to where it was in 2011.
I have an account (not one of those you mentioned) where the phone app allows you to turn on or off certain features of the card, such as whether it's near the phone (uses location and merchant location), Y/N to ATM withdrawals, Y/N to contactless, etc. Kinda handy and it works. Interesting to test whether this is tied to the reader in some way or not. Thanks!!
There are phone cases that also block the chip in cards from communicating. I’m not sure if they affect phone reception but you can always take your phone out of the case in a pinch. Beats disabling features.
The German bank N26 gives out transparent cards as standard. They are slightly smoky plastic but you can clearly see all the antennae running through them. There are even more than one coil. It's a free online bank so if you live in Europe you can just open an account to get the cool card.
Haha, I did the opposite. I don't need more than one NFC device so I just let the card do the work. I did notice that if I had NFC on my phone my card wouldn't work from the case. As a temporary thing to have phone nfc I have just been using the card outside of the case too. Glad to see I wasn't crazy.
Dev, I am one of those few users who uses that style of phone case... and oh my god, I LOVE it even though all of my friends tell me how they couldn't handle the stress of all those eggs in one basket, which is a totally fair risk appetite acceptance model. That being said, I've gone back and forth on enabling the phone-based tap to pay... "Do I want anyone who compromises my Google/Apple account (in that scenario) to also gain access to my credit cards?" and I'm still not sure what my personal risk appetite is on the topic. Either way, good GOD it was annoying to leave NFC turned on on my phone for the very reason you mentioned in the video. I was so confused the first few times NFC tools alerted me to successfully captured data until I realized that me wanting to leave NFC Tools on and the convenience of Tasker IfTTT commands that used NFC were causing me to go crazy... 😅
In Canada you can just ask the bank to disable it, and as far as I am aware it does not scan with anything after that (rather than just scanning and showing a blank tag)
Just FYI all you need is a piece of metal (a sheet the size and thickness of the credit card) and it'll make a barrier so the NFC scanner can't pick it up.
Funny enough a passport card is actually only valid for ground and boat transportation and not valid at an airport (I learned the hardway at an airport ticketing counter without enough time to run back and grab an alternate form of ID)
Well that makes sense to me. And it sounds like something I would do, just mod something until it works the way you want it to. And I could really use that laptop. Hopefully I get picked.
Man, how I wish I would have seen this video a long time ago. I would have loved to have won that laptop. Being in a wheelchair, EVERYTHING falls off my lap, including my laptop. So having a rugged one would probably have saved my last laptop.
I've been reading about "card clash" on the London public transport system. You offer your phone or wallet or purse and there may be multiple chips in there and it's a mixup. As you need to tap in and tap out, confusion can ensue
I figured out why the hole was there immediately, but the reason for it is completely different from what I thought you were gonna say (was expecting something about security, paying something without your knowledge, ...)
You're right that the NFC payment system doesn't require both devices to have an active network connection. They just figure your phone is more likely to than the POS system, so it banks in the phone as the reliable end. IT support will tell you how awful it is keeping that stuff online.
My bank is behind the curve with NFC, but I don’t want to use it once it’s available and I was thinking about this exact topic over the weekend while trying to set up some GPS tracking units that I can hopefully catch some thieves with.
The first time I ever saw a card with a chip in it was at Naval Station Great Lakes back in 1999. Recruits had what looks just like a modern credit/debit card with a chip. But it had their service history and medical and whatnot on it. It wasn't until maybe 10 (or more) years later I first started seeing credit & debit cards with them. Apparently at the time 25 years ago, each of these cost around a hundred bucks. Granted that was what the Navy was paying for them, so who knows how much they would have been for regular people buying them commercially (10x more or 10x less seem equally probable).
CONGRATS! Just imagine, you have a debit card because you interface with shops who prefer cash (that you need to pull cash from your ATM), and the bloody bank refuses to remove the NFC antenna..... *grabs drill & torch*
A few years ago when I was first trying Apple Pay, I was in Canada at a Starbucks and was able to pay while my my iPhone was in airplane and Wi-Fi turned off. That was before most cell plans included roaming in Canada and Mexico lol, but good to know network connection is not required.
Thanks for the tip. That tap-to-read is a huge liability, since you don't need the pin to pay under a certain limit, so scammers can remote--card you and empty your wallet. I hate the tap-to-pay function. UNTIL they ad a physical safety measure like a pin input on the card or fingerprint reader so it cannot be remotely used by a scammer with a radio card and a laptop it is nothing but a security hole. I would much rather use my phone as a payment method.
yes, mobile wallet does work with no network on the phone. it requires network every now and then to check, verify, update etc. but works fine with no network. and also YES. we call it contactless here in the UK but we’ve had those types of payments for years and it’s been brilliant it’s amazing how behind the US is on this front. Chip and PIN has been the only way to pay for years, and is far superior, but contactless has been the norm for years also, like there is precisely 0 locations that don’t take contactless nowadays, it’s so impossibly easy to pay nowadays, contactless and mobile wallet is expected, if you try and do a cash payment or a chip and pin the employee will just go ‘eh wtf are you doing??’
FWIW I just put my two most used cards in a RFID blocking sleeve and put that in my phone case. The sleeve itself doesn't add enough bulk to be problematic, but granted I use more of a folding wallet phone case which has a little extra wiggle room to begin with so your YMMV. And, so, I can use apple pay w/out any issues, but if a merchant doesn't have apple pay and I still need to spend money there, I still have the option with the CC to tap, dip, or (heaven forbid) swipe. (for ultimate last resort, I also keep a bit of emergency cash in the case too. I always try to keep enough for cab ride home no matter where in the city I am. Just in case.)
How long do you sit there with your arms crossed staring at the camera before you start your "hay everyone"??
Approximately 20 seconds.
Yeah, the arm cross and thumbs up are super awkward. Content is good, but he always looks so closed off and unconfident. It always makes me feel like he's talking out of his ass instead of being confident with the material.
@@xmikemurphyx Who are you, Rivelino?
@@xmikemurphyx really? That may be a you problem. I got none of those feelings. I just thought it was funny.
@@xmikemurphyx That's just you
I actually discovered how to disable RFID/NFC cards the hard way when one day I got the idea, "Hey, what if I hole punch the corner of my badge so I can put it on my keychain?"
Hahaha, I ran into this with smart card access.
Our maintenance guys drilled holes in their access cards, to loop a string thru for a lanyard, which nuked the card.
So we had to hand out card pouches with lanyards so they would stop punching holes thru the cards.
oh we see this all the time, too, with those little lanyard punches
Years back on a cruise they started using tap access cards instead of the mag stripes for the cabin doors and the same thing: people were poking holes with a hold punch to use with a lanyard and locking themselves out of their rooms. Did also see one couple with what I'm sure was a small knitted pouch around their necks to hold their cards, which can only be described as adorable.
or order the card with the hole already there
Oh yeah, I remember in college when they switched from physical Medeco keys to "tap your school ID to unlock your dorm room" this was a constant occurrence
I cut mine out for a lanyard too but I KNEW the ID cards were NFC so I shined a flashlight through mine and found a spot with no antenna traces to cut out with an Xacto knife.
Punch the hole further from the edge of the card and it would work
I think there was a guide in a German tech magazine a while ago on how to disable NFC, and they advised checking with the lamp and then cutting away next to the pads with an exacto knife
Or cut into the side (any side) for about 1/4 inch (and use superglue if the cut annoys you). You'll cut through the antenna coil itself. Works just as well since the chip is powered from the coil and a cut coil will not power it enough.
@@blerrik that's what I did!
@@blerrik Exactly what I do
Yep. Just clip the coil
Which mag would that be?
Also I'm pretty sure Samsung Pay predates Apple Pay, and was significant in that they held the patent on using the wireless charging coil as a magstripe emulating transmitter. Back before NFC payment was ubiquitous and I daily drove a Note5 I would routinely have cashiers say "oh, sorry we don't take Apple Pay" as I held it up to their stripe reader for it to then beep and accept it anyway. It really gave off the "I am a technowizard" vibe.
The Wikipedia pages have Apple Pay launching 10 months before Samsung Pay - but it's possible that Samsung Pay rolled out in a particular locale before Apple Pay did (e.g. Brazil was 2016 for Samsung but 2018 for Apple.)
I was using my nexus 5 to pay for things like 8 years ago. I am not sure why everyone thinks apple invented this.
A few others were in the game before Apple and Samsung. Google Wallet was one of the first mainstream NFC payment services back in 2010 or so. I also remember Isis (cringe… renamed softcard) as being an early NFC payment system. I had a NFC compatible case for my iPhone 5 in 2013, which allowed tap to pay using the Softcard system.
@@dfgsdja because many people think that Apple invented everything. The GUI, the mouse, the smartphone, ...
Samsung bought that tech from a company called LoopPay. It was available separate from Samsung phones before it became the basis for Samsung Pay.
It may be silly, sure. But as someone who hissed at a goose (it hissed at me first) because I wanted to establish dominance and make it move off the sidewalk I was on (I worked), im a firm believer in "it ain't stupid if it works"
That's easy to say for someone with balls the size of Jupiter.
Something can be stupid as hell and still work fine.
Hmmm 🤔 will have to try the goose tip...
@@NithinJune Hisses at goose...promptly gets ass kicked 🤣🤣
The bank not giving out no-tap cards is the real sucker here
I quite like the idea of drilling a hole to disable the antenna. It reminds me of that early Xbox 360 hack that involved carefully drilling into the DVD drive's controller chip to cut a line inside the chip to enable flashing of custom drive firmware that allowed loading of copied discs. Companies even made jigs that sat over the chip, to allow super precise drilling - and if you drilled too deep, or in the wrong spot, you killed the drive.
The first tap-to-pay debit card I got here in Australia in the 2000s was clear plastic on the back, so you could see the little copper wires of the antenna doing laps around the circumference. I don't have any NFC enabled on my phone so I don't need to mod my card.
I still have an AMEX card like that. You could easily see the antenna. ;-)
Yeah, same here - a debit card from CommBank that was mostly transparent, you could see the coils, it was pretty cool
Oh yea. I had the American Express "Blue Cash" card that was transparent way back in the day - you could see the radio loop which was super cool. Maybe like 2004ish? It had chip and NFC capabilities, I assume for international travel reasons because NO WHERE in the US did any of that ever work to my memory.
oh youre so smart and know everything dont ya? lol so many folks missing the actual point here
I think N26 did the transparent card for a while too. 2010s minimalism take on 90s transparent plastic everything.
Also useful for if you want to protect your card from RFID/NFC sniffers paced near payment terminals. An RFID blocking wallet is useful at protecting the cards normally, but won’t protect if the shady gas station attendant hid a reader right under the counter where you remove your card from the shielding of the wallet.
A bump for this comment
totally true
It doesn't need to be an attendant. It can be just another customer in queue with a reader in pocket. Furthermore, if you actually use the contactless payment, ie. are reading the card with the terminal, there's not even need to be in the same queue, because passive reception is possible from fairly long distance in the moment you do the legitimate reading which in that very moment feeds the power to the card. Even though in all other moments the thief would need to be nearer, in order to feed the power for card to operate.
Contactless payment cards are among the most severe security disasters of the entire millenium, and the ongoing prevalence of apologist attitude towards that is something I can never really understand. HUGE thanks for Ollam for having deviance to finally call out the issue! Thanks also for calling out the sluggishness of WinBloats 10!
This is of course why the banks put an upper limit on tap-to-pay transactions & mostly indemnify customers against tap fraud, being that the amount of loss from fraud is way lower that their additional profit from the feature. BTW if your bank will not indemnify you against tap fraud, go elsewhere if you need this service.
@@ts757arse That's inflation for yer, BTW I did some tests a while back with "RFID" shielded wallets, bags etc & although most of them blocked RFID, almost all of them only reduced marginally the reading range of NFC ( I think because its an inductive not radiative process ). Best solution I have found for blocking NFC reads from by wallet is placing all the NFC cards together which seems to prevent most readers getting anything useful.
I was worried this was going to be a weird paranoid thing at the start. This is actually really cool. Thanks for the tip!
Hi Deviant! Indeed, phone-based payments do work even if the device doesn't have connectivity. It's all about the secret token that's needed to perform the handshake between the terminal and the card. I saw a video about the NFC implants and how one UA-camr with such an implant had asked, I think Venmo, for such a secret token, so that he can program it onto his implant and pay with his hand.
There's also this great presentation from Leigh-Anne Galloway & Tim Yunusov ua-cam.com/video/YmJ4ULncNwg/v-deo.html
I too was sure that the payment and authentication information is just stored in trusted memory, and no actual network is required, at least from the phone. The vendor terminal will still require it, at least for larger values, or if you have exceeded the budget for small payments without authentication.
To add to that, if the phone has network, it'll report the transaction to the bank and if there's a discrepancy, it can be shut down, but if not it'll just wait to report the transaction until it comes back online. There are basically three exchanges that go on: The phone to the terminal, the terminal to the bank, and the phone to the bank. The last one doesn't have to happen right away, it is a check on the first two.
@@Sycraft My virtual wallet, when tap'd uses GPS on phone to veryficartrion also. U need no less than 30m .
Google Wallet, Android pay in 2011 and Apple Pay in 2014 were quite late entry into contactless payment. Contactless (tap and pay) systems have been around since 1995.
In the county I'm in we have had contactless bank cards from 2007.
As a Capital One rep, I wish I could recommend this video to certain callers. Also wish we were able to request non tap to pay enabled cards still... And no this does not violate any agreement.
Are the non tap enabled cards not available to regular punters anymore? Or does it depend on the bank?
@@z00h It is pretty much a requirement these days and actually would cost more for the bank to issue one or the other as stupid as that sounds, so they just issue the one that is tap enabled.
In Europe financial institutes need to provide non-contactless cards when requested by the customer. I've worked at 2 now and it's just a simple check box on the systems. I think card production is mostly outsourced to a few big plants that handle multiple banks and societies, so it's not a big imposition for the banks to offer it.
@@AdvancePlays I am very well aware, but at the same time, we're in the US where things are different.
I mean you’re a rep not a lawyer I wouldn’t make that guarantee lol
As an electrician in Australia, my drivers licence has a chip on it no ever uses.... Never got in trouble if it never worked; so we just smash 1000V DC across it with our test tools lol.
Wait...The drivers licenses have chips in them? Is that all of australia or just your part? im in SA.
@@greatleader4841 we have them in Qld as well
@@greatleader4841 no chip in NSW (the main state ;) )
We just use barcodes in the US. Passports and Passport Cards do have chips and they do scan them.
@@greatleader4841 Seems to only be QLD.
Android Pay (the predecessor Google Pay) was around in 2012. There was even a promotion to use it where you would get a small credit (it was like 5-10 dollars) to use it. I had used it a few times with my Nexus 7tablet to redeem that credit at McDonalds.
Apple Pay didn't roll around till 2 years later in 2014.
Regardless, like you I hated that I was thrust into having tap and pay cards because my phone picks them up, but I am not brave enough to try and do what you have done here. I just try and keep my wallet and phone air gapped a few inches.
Keep fighting the good fight re: which NFC tech came first. I'm super tired of holding out my Android phone at a drive-thru, getting asked if I want to use Apple Pay, and having to say yes because if I say "no, Google Pay", the cashier's head will explode in confusion.
@@dgwdgw To be fair Google's strategy for NFC payments (amongst many other things) was incompetent and ineffective, and they lost any first actor advantage. I had Google Wallet when it was early in its life, on my Galaxy Nexus. You could only use certain Citi credit cards, or fill the account like debit. And then Verizon was doing its best to stifle Google Wallet because they wanted to push their competitor (ISIS, or I think it was called SoftCard before that), so you needed to download an APK if you wanted to use it on a VZW Nexus.
Hell, even the name has flip flopped so many times I forget what it's called anymore. I think it went from Google Wallet to Android Pay to Google Pay back to Google Wallet.
I've noticed what I think is a rather big problem with the nfc Google pay, it's no safer then the tap to pay cards are. because I found out you don't need to unlock anything to use tap to pay. you could have your phone set up to require finger/face to unlock the phone, and have the screen off and tap to pay will still work! you'd have to auth twice to see if the payment went though. (once to get into the phone home screen then again to get into the google pay screen) but to actually pay with it you don't need to auth at all. so those remote reader attacks work just as well on a phone with google pay as they do with a regular card with tap to pay.
@@CrossRoadsOfTime IRC limit is 50USD right into limit where bank can make easy charge back, Also in latest update they require authentication or unlocked device (biometric, or minimum pin u can't use maze to unlock your phone)
Clever. I have to test a lot of card readers in my line of work, so I soft-disabled the tap on my bank card to avoid making any accidental tap payments. But this is even better.
As soon as I saw the title I figured it was to disable tap-to-pay, but I didn't consider hitting just the antenna to keep chip payment active.
We've had chip and pin up in Canada for a long time now, with tap to pay being around for a while as well. It always amazes me how far behind payment cards were in the USA. I remember reading about a special USA model of a Samsung phone with "MST" payment, that could somehow transmit card data to a magstripe reader, and I had to ask one of my friends down south why such a thing would be needed.
Transmitting to a magstripe reader is a pretty clever idea, and easy in theory. It's basically a cassette tape reader, and only reads what's in front of it one "line" at a time. So you could trick it using an electromagnet, just like those now-old bluetooth adaptors for tapedecks.
the normal way to do this is just a hole punch a few mm from the edge of the card. You can find a heap of instructions online
Thanks for the video. Norfolk Virginia has issues with people sitting in malls with an oversized antenna pulling $1 and $2 dollar transactions off of NFC cards. They get smart and use an in state but out of city business [ read as out of jurisdiction] address. The people are smart - they move like locus from one mall to another then onto another city. Very troublesome to prosecute.
Being able to nuke the antenna and keep the chip is great.
Also hearing you say "apple pay is secure" is the good house keeping seal of approval.
I had an indentation made into a access badge once by the card holder, just where the antenna was. Hardly noticeable, killed the NFC entirely
I believe you can use Tasker with an NFC trigger to ignore certain NFC tags. I have root on my phone so I'm not sure if that requires privileges but I do recall being able to ignore my work badge when it was picked up by NFC on my phone.
My phone will just straight up ignore payment cards. You can open up NFC Tools and read that there is a card there, but it doesn't pop up anything if I'm on the home screen and put the card where the NFC antenna is on the phone.
But that doesn't solve the issue of a payment terminal reading both the card and the phone.
@@nikomo same. My badge was the only thing that caused issues. I ended up cloningnthe badge and using my phone as my badge in the end but I never really had issues after I set up tasker. My battery was half dead by 11:00 but that wasnt a huge deal
@VoidField101x Yes, it will make sure that your phone is not freezing below 0 degrees with this nifty automatic heater-system below.
Ignoring the card is one thing. However, being able to read other NFC things in the presence of that ignored card is way more difficult, if not impossible.
Never thought of using a bright light to see where the antenna is. I don't have a need to disable the RFID on any of my cards, but it's still interesting to see. Cards from different banks also seem to us different layouts for the traces.
(Also I'm now partially blind from my Nitecore MH12 on full blast accidentally peeking out from behind the edge of a card)
For bonus points, figure if you could splice in a tiny switch (maybe just a membrane keypad dome?) back into the antenna, so that it still works when you squeeze it.
Almost like this would be a more secure default for the cards.
A neat idea for regular use but in this case it may not work if the phone case puts too much pressure on the card. Would be cool to cut a slot for a small jumper you can add/remove
@@DomThatDubstep 1.2-2.2kg to press the dome should be enough, looking at Snaptron site, especially SQ, F and GX series of domes
Or just exposed metal plus some foil tape next to the hole and you move the tape whenever you need the antenna?
I had a 1970 Plymouth wired up so that the starter relay wouldn't engage unless I shorted two terminals together with my ring. A similar "switch" could be done on the card with two bare pads that a ring could short together while tapping.
I see your camera quality has now by leaps and bounds better video quality than the older videos you had. The audio is clipping quite a lot, so maybe re-check the mic amp settings and post-processing filters?
I ALWAYS request cards without tap to pay. Most of my banks used to give them to me after a little arguing, but I haven't been able to get one without it for a few years now. I am definitley going to try your trick on my cards from now on.
The downside to the "tap and pay" I run into at some frequency is when the POS terminal isn't working with tap and people actually have to put the chip in and can't remember their pin (in Canada we use pin for Debit/creidt transactions almost exclusively).
Agreed. Chip and Signature never really existed in Canada, probably because it's nonsensical.
Chip and Pin did predate Contactless payment of course.
Contactless in common use predated the announcement of Apple Pay by a full 5 years.
That's why in Europe the POS terminal would ask for the PIN after a set number of contactless payments, I believe it was about 3-5 times.
Above a certain value it always asks regardless. (I believe mine is set at payments higher than 25€, as far I recall.)
A lot of smaller credit unions are using these new ones where everything including the antenna is under the contact pads. I assume this is just a manufacturing cost thing but it makes disabling the NFC antenna damn near impossible.
Might require a pulse laser.
The worst overlap I've experienced was at some European train stations. The turnstiles can both sense NFC and scan a QR code, but if you have your QR code displaying on your NFC enabled phone (because the tickets you have were delivered as a QR code) the phone will pop up your NFC options/wallet when you get too close, hiding the QR code. It took several attempts of trying to sneak up and get the QR code scanned before the NFC could kick in or, in one case, a friendly staff member with a handheld non-NFC scanner to get to my train.
All these devices need a simple "stop doing NFC for a minute" switch somewhere...
Any android phone have the ability to toggle NFC at will, either through the settings or by defining a quick icon on the swipe menu.
Which is exactly what I used before each payment, since sime versions of Google pay would allow payments as long as the screen was on, even with a locked phone.
When tap first came out I drilled all my cards to protect against remote cloning. That turned out to not be much of a threat in the real world(I also live in rural Canada where criminals think crowbars are high tech) so last time my cards where replaced I didn't drill them and started using tap and it's pretty darn handy.
You can't clone a card via NFC. While it is technically possible to skim the card and make a payment, you not only need the terminal, you also need an agreement with a payment service provider. And those do some serious vetting before they'll give you an account. Combine that with the fact that most cards will only allow small payments without PIN and that hasn't been worth it for criminals to attempt.
@@Hans-gb4mv you can technically copy a card via nfc and use it at a store, but only for a single transaction, and only if the actual owner of the card doesn't use it before the thief tries to use the copy they skimmed. It's pretty similar to a rolling code garage door opener in that sense.
@@Hans-gb4mv While not actual cloning, it is well possible and easy to sniff the card number which you can use to make payments in shops where CVC is not asked, and even if it was, CVC is way too easy to brute force. Even if there are undocumented mechanisms to lock the card after certain amount of failed CVC attempts, it is too easy to circumvent it by writing a simple python script which makes only one or a couple attempts in a row, and then waits a week or couple before trying the next one, so in between the failed attempt counter has in most likelihood been reset. Considering it is extremely easy to sniff thousands of card numbers thanks to the ahh-so-wonderful contactless payment, adding them all into the python script to be tried in turns, you will practically get right hits with CVC all the time, because CVC has only one thousand possible combinations, so for thousand card numbers to try with you by average get one successful hit every round in *first try*. And then go on by giving a couple more tries for each one once every week or two.
Furthermore, contactless cards allow real-time relay attacks which is even simpler to implement and evade.
So, I warmly recommend everyone to drill their contactless cards, and not let the convenience - which could have been implemented securely but for sake of stupidity wasn't - to lead into apologism.
In a rural village you might be relatively safe with your contactless card, but in everywhere else, the promoted real-world safety is only and merely due to unobservance. Meaning, how many times does anyone check their accounts for transactions? Honest answer is, most do practically never in any memorable interval, nor do I even though I am very security-concious person, if not outright paranoid. And adding the fact that many legitimate shops have totally different actual company name than what reads in their advertisement signs, most beneficiary names in your account sheet is not recognisable anyway, you just think er... don't remember what that might have been, maybe it was some individual corner shop, snackbar, special shop, or a franchise of a known chain, none of which never have their actual name in their neon signs. And most of the time, they were indeed such, completely legitimate transactions. But you never bother to actually dig them out further, you just accept the fact you don't remember where have you shopped, and you don't recognice those company names.
Thus, if there was some or a few fraudulent transactions committed by a card number stolen from you, it by all likelihood will go unnoticed as long as amounts are kept somewhat modest. Especially considering that majority of people are way, way more "relaxed" about observing their accounts than I am.
Well, even if one notices a seemingly fraudulent transaction from their account, AND bothers to confirm its fraudulence and make a claim, there is absolutely no way to proof it was anyhow caused explicitly by contactless fraud. It will be recorded in statistics as "just another card number fraud".
And taking into consideration the heavy marketing push of contactless payment and arrogant denialist propaganda about their "safety", you can be sure they are not even by accident recording any fraud as contactless one unless there is undeniable proof for such.
Still, considering how all but impossible it is to prove the contactless fraud to be the source for a specific case of stolen card number, the statistically admitted number (no pun intended) of the contactless fraud is HUGE. And the most sickening is the way they make apologism by stating how small percentage it is per the legitimate transactions. It is same as stating "murdering is not a problem, murders are soooo small percentage per the living people!"
@@TheSimoc Your card has not one, but 3 numbers associated with it. One is printed and encoded on magstripe, second is for the chip and third is for NFC. It's trivial for bank to see that they got a transaction with NFC number using magstripe or online and flag it as fraud. Your only option is to emulate a NFC card at a normal reader, but that only gives you one transaction - and you need to make it before the cards owner uses it.
Only the relay attacks are a real threat, but that's easily mitigated by having the bank notify you about every transaction (every bank here in Poland will send you a push notification from the app if you configure it) or use a card with a built-in fingerprint reader needed to perform any transaction (at least one bank here provides it by default).
I believe the reason EMV chips caught on all of a sudden in the US was because the rules changed. Before, the issuing bank was always responsible for handling fraud. But now, if the merchant doesn’t accept the card’s most secure payment method, then the merchant is responsible for any fraud. So they scrambled to support chips. If only it had come a year later, all the merchants would have scrambled to support NFC.
exactly, it was a really 'nice' trick by the banks
That's why u get cheap stip reader, and scramble strip. Or just neodymium magnet
No, merchants have been held responsible for fraud for a long while now
@@jackiecs8190 since October 2015, when credit card issuers said they would hold the merchants liable for accepting fraudulent cards if that merchant didn’t have a chip reader.
The conundrum of a free laptop from Deviant: It's either clean as a whistle or you're pwned the second you open the box.
Edit: Possibly as soon as the box gets near any of your devices.
Deviant's box. You dont know which state it is until you open it.
@@gaveintothedarkness Schroedinger's laptop? 😆
Had the same issue with trying to put an ORCA card (a regional tap to pay transit card) anywhere near a phone with NFC enabled. And of course disabling nfc on that card makes it un-usable.
So I end up using rf shield sleeves around my cards
Here, (Canada) tap-to-pay first appeared, at least in my experience, on gas pumps. The cards definitely came out before NFC phones.
My experience (also Canada) was vendors getting the tech for their POS devices a little before the banks and credit cards introduced the technology. This goes back to "chip" cards as well, of all places my small barber shop (with three people working there) had the first chip reader I saw in person months before my bank even released a statement that they were "coming soon".
Reducing the skimmer problem.
Ok so that laptop was Dell trying to compete with the Panasonic Tough Book. Also great idea for how to knock out NFC while still keeping the chip enabled. Another thing worth saying is that if you are trying to do the mod yourself you need to use a drill bit that’s flat on the bottom and I would guess that not many people have a key machine or some tiny end mills laying around so just keep that in mind if you are not trying to go all the way through the card
Just use a sharp knife like a razor blade and cut the antenna. Way less people will ask about holes in your card.
or just use a hole punch near the edge of teh card like people have been doing for a decade
What actually is so bad about going all the way through the card?
I just asked my bank for a card without rfid.
That's actually a great method to solve this. I bought some cheap rf blocking sleeves on Amazon which is my current solution as I have this trouble regularly... now I'm considering drilling a small hole in my credit card so I don't have to fuss with pulling a card out of a sleeve and putting it back when I need it.
I think it should be perfectly okay for the bank. As far as the bank is concerned, your card simply "happens" to have a broken NFC antenna and unless you need a replacement card because of that issue, it just appears to the bank that you simply never ever use the NFC feature.
I actually had one card that was still in mint condition visually but its chip features were flakey and I had to replace it. I guess there was a fracture in the chip or one of the wires because it might have been temperature sensitive whenever it happened to work or not. The bank even agreed to replace the card without having to pay for the new card.
Legally, the card is property of the bank, so you are destroying/changing the bank's property. Probably violates the cardholder agreement, and maybe violates a law or two. Functionally, though? No one will care.
As for card replacements, they do wear out. I had one for a few years that started getting flakey with the chip read, so I requested a new one and they replaced it for free. Same story with friends and family. Not a big deal to replace, the cards cost em a dollar or two to make. As long as you aren't requesting a new one everyday, they won't care.
You snort through it once you've carded up the power just be str8 with us 😂😂✌🏽
The lengths we go to in order to keep our tech happy.
I was avoiding this recommendation for so long because it seemed super click baity, but this was a genuinely good video for what it was. I was absolutely not disappointed by the explanation.
Btw, there are tiny sleeves for credit cards that still fit everywhere the card does and block the antenna of the card, so it doesn't work contactlessly unless you remove it from the sleeve.
Or you could just stick aluminium foil to the card and it would work similarly well.
Minor fact check... adoption of and migration to EMV officially started in 2011 in america. Apple pay was released in 2014. In 2015, liability shifted to merchants for non-emv transactions which explains why it might appear like apple pay was leading the industry forward. However, this 2015 date was set in 2011/12. Feels like we've had these things forever but it's still pretty recent. Anyhow, it didn't sound right but also seemed plausible... needed to know the answer!
Apple Pay works offline because the actual card is on the phones secure element but Android Pay uses “host card emulation” where the actual card is on a cloud server and the phone thus needs internet to work. (To answer the subtitle question). I am not sure if any android or Samsung etc options support a true native card on the phone.
Google and Samsung pay are able to work offline. Android pay is not common around here, so I do not know about that.
I doubt people would use it much if that was the case, having to hold the phone there waiting for the spotty mobile connection to download the key
Neither of those services have the actual card or a copy of it. That's the beauty of the system. They just have a token with limited validity that can be used to generate payment information without using the card information. That payment info is then verified between the merchant, the card association and the bank (involving some crazy cryptography), without the merchant ever getting your actual card information. Both Apple Pay and Google Pay can work offline, they just need to refresh the tokens every once in a while.
I've been meaning to extract the NFC coil/etc from a bank card and put it into a ring. Just so I can wave my hand over the machine to pay for stuff.
I wonder how long it took him to notice he gave everyone his card information
I'm pretty sure it's fake info
1111 2222 1111 2222 isn't a real card number
Commenting just to improve the UA-cam algorithm. Keep up the great work and the good content!
Thanks! Will do!
TLDW is that he put a hole in his card to disable tap-to-pay
It occurs to me to wish for a momentary button of sorts built in to the card, that would physically disconnect the RF antenna (much as you did) with the normally-open switch, but then if you squeeze the card in the right way (or perhaps any of several (2? 3? more?) available ways, with multiple electrical paths), it closes the circuit and the card can be used. I imagine this could be done -- either a membrane-type button that's just two contacts around a void in the central plastic (where the user would squeeze the thickness of the card in a particular spot), and/or an edge-based thing where squeezing the edges at a certain spot would close the connection (seems more ergonomic)... that'd solve the phone problem.
lol, I'm pretty sure you have me on your mailing list.
I like the controlled way you went at cutting the RFID. Its not the sledgehammer approach of degaussing or microwaving your card. And its so much more controlled then a drillpress or CMC.
credit to Babak for thinking of the TigerShark. i'm more of a seldgehammer guy. 😂
@@DeviantOllam lol Yeah, I'm an old retired cop and now a PI, I'm not exactly subtle. I tend to go for the most direct route to get what I need. I'm enjoying the fireside chats.
@@DeviantOllam Back in the days of the early Wave Technology™card b.s. I was not into it, so I took a ball peen hammer to the center of the little chip. Mind, this was back before chip and pin was being attempted, so it only killed the transmitter. Worked a treat.
@2:37 android phones had tap to pay at least a full 3 years before apple pay came out
Google's confusing naming and constant changes got me confused with another app. Comment is irrelevant now
Wikipedia has Android Pay in September 2015, almost a year after Apple Pay. It was only announced in May 2015, 7 months after Apple Pay debuted in the US. Are you thinking of Google Wallet (which is an entirely different non-EMV thing)?
Here in Poland I remember banks rolling out phone contactless payments way before Apple and Google were a thing. When Apple revealed their solution there was a lot of talk about "why are Americans so excited about this, it's been a thing since ages".
@@ScarfmonsterWR I wonder when Americans and other countries will adopt somethibg alike to blik payments. It's so convenient and I was shocked to find out that's not available outside of Poland.
@@zimpenfish You are right. Google's constant name changes and app merges got me confused. They have done something similar to this recently with the Google meet/duo app.
@@zimpenfish That's indeed just an issue with Google's renames again. Google had NFC mobile payments as early as 2012, maybe 2011. It's not that easy to find now. You can find a 2012 CNET article "Is NFC killing Google Wallet?" (I don't think I can do links here), where they explain how wrong Google was for implementing mobile payments through NFC.
If you want to "opt out" of tap to pay for security reasons rather than interference, some mobile banks let you actually stop your card from being used with tap to pay. I know for the UK Revolut allow this and I think Starling do also.
In reference to 3:40 or so: yes you can use apple/google/samsung pay without network connectivity in my experience. Revolut is good too, with their physical card you can temporarily disable or reenable NFC*
*disabling NFC stops you from getting contactless charged on the train or something it won't stop the card from being actually detected by a reader which was your issue.
"apple/google/samsung pay works without connectivity".. Semi true..
The 'users' phone/watch/device doesn't need connectivity.. The 'reader' (eg, the business owner) needs connectivity.
The default android pay uses a cloud based “host card emulation” where it’s in the cloud so does not work without network. Apple Pay does and I think some phones and maybe Samsung pay uses the secure element. But many don’t so need a network connection. See Wikipedia for “host card emulation”
@@lathiat None of OEM pay apps use "host whatever emulation." This tech stack is called tokenisation and works without network for limited amount of times and limited sums. Wallet on the device loads 5 or 10 single use "keys" that are used for each payment and tries to request new ones via internet before they run out.
Please stop trying to look smarter than you are buy spewing some words you imagine to be fancy.
Or in other words - shut the fuck up and go read some documentation from VIsa or Mastercard on this topic. It all is easily available in their developer portals.
I am pretty sure all android phones have an option in that slide down menu to dissable NFC on your phone completely, just like you can disable wifi or GPS.
@@ColinRichardson of course the payment processor needs connectivity, how else would it charge the card? Print out an old school carbon copy paper and mail it in to the bank??
Was nice to hear a shout-out to floatplane.
As a Canadian it's so funny you guys didn't have chip and pin until tap, I got my first card at 7 years old, and all my cards have had chip didn't have tap until the past 10 years. I've only ever swiped or had to sign like 4 times in 20 years.
1. Android Pay was first, but evolved into Google Pay; it was a different approach however in which Google paid for you then you paid Google. This was changed as it meant all transactions were considered to be to Google so rewards reflected that - often only 1%.
2. Most of the card is just useless plastic, you probably don’t need to be careful. My card split right above the mag stripe almost to the end of the card and both chip and stripe still worked. I only replaced it because I forgot my bank uses those ATMs that pull the card into another dimension and it almost got stuck.
An NFC blocking sleeve on the card would have worked just as well and still given you the flexibility to still tap with the card.
It would prevent Apple Pay from working on his phone though which he says is a higher priority for him.
@@NithinJune I see what you mean, it would also shield the phone's NFC. I didn't think about that.
I had this exact conversation with my bank, "Can I get a card without tap-to-pay". The answer is a resounding, "Uhhhh, no".
I carry several cards in a wad in my pocket and when tapping the whole wad against a reader without taking one card out results in an error on the POS that often says something like, "only 1 card". So I took a strong flashlight, blasted it through the card, and marked a small dot on an antenna line on all cards except the one I use 99% of the time. I drilled a through hole on many cards and I never get a second look, but a partial drill with some nail polish is a nice touch.
Huh. Your cards still have mag stripes? Here (Australia) there are few that have that still, but all new cards for a while are just NFC + chipcard.
Also from Australia, but all my cards (various banks) still have mag stripe (as backup to NFC/chip), and issued within the last couple of years. The no mag stripe might not be as widespread with banks as you think.
USA hasn't been cutting edge for a while now. Even in EU many newer cards just don't have magnetic strip anymore
When it comes to banking, USA is a couple decades behind in most aspects.
@@Thermalions Huh. Probably just my bank being an early de-adopter.
This is your bank, we received notice from an un named three letter gov’t agency that they are unable to effectively track you; they have had to move to using outsourced methods from your phone manufacturer and are tired of paying the premium. With this coming to light, we will be issuing you a new card. Thank you -bank manager
Jump to 7:00
Jump to +0:00 this isn't meant to be a how to video
Thie video brought to mind an episode of NCIS from awhile ago where a woman was walking down the street with a cell phone and stealing people's credit card information wirelessly. I think the episode aired around the time credit card companies started rolling out this technology in the US.
Note that Australia (and I believe most of Europe) were using tap to pay since 2006 - way before Apple Pay. I believe it’s only new in the USA. I don’t think I ever had my iphone pick my cards up, maybe because Apple Pay can’t receive payment here, only send them? Since digital drivers licenses and Apple Pay I now only carry my phone.
This also applies if you use an NFC FIDO key (e.g., YubiKey 5 NFC) and want to authenticate with it on your phone.
We had tap pay cards in Australia long before android/apple pay, and chip & pin long before that. USA is really behind in banking tech, still using paper cheques like its 1980
oh god paper checks 🤪
Tap to pay was on Android via the original Google Wallet app years before Apple Pay,. It never saw widespread adoption because Google only supported it on Nexus (and later early Pixel) phones and if you didn't have one you needed to root to install it.
I remember quite a few times I saw the little contactless symbol on a payment terminal and would just pay with my phone and 9 times out of 10 cashiers looked at me either like I was a wizard or like I was some sort of "hacker".
I used to get that look all the time.
Reminds me of the Kamikaze hack for the Xbox 360. You'd drill in to one of the chips to short specific traces to bypass a write lockout. Produced one of the funniest console homebrew related images I've ever seen.
I guess having a hole in your credit card sure beats your credit card blowing a hole in your pocket
Next video: thin-film explosives.
I thought it was going to be a tactile dimple, so you always know which way it's oriented without ever looking. I do it with my housekeys.
Stopping the NFC makes sense too
Or makes it easier to remove because it stops it sticking to the card that it's up against.
Back when NFC first rolled out mainstream to cards around the mid-late 2000's here in the states i had a bank card that i just used a hole puncher on LMAO. I kinda went overkill, but got to the same solution as you.
5:25 TLDR, to kill the antenna on the NFC so that tap to pay does not work, but chip and magstripe do work.
Just got my new Capital one card and immediately thought of this video! So glad for the info!
I keep the wireless cards inside a metallized card pouch (you can get them for cheap, search "nfc blocker") which blocks NFC (I checked, does not read the card if it is in the pouch).
Maybe that is an issue for your phone too if you keep them in the same case but for most people where the cards are in a wallet it's ok like that
Yep. My Samsung galaxy Nexus had Google wallet in 2011. And places started enabling the readers until 2014 when apple pay came out and apple had to get their cut from retailer, so retailers started turning off the readers. It took about 2 years to get back to where it was in 2011.
I remember my days in helping my elementary/HS over the summer set up 2 carts.... 65 laptops each, for those... very rugged and hard to damage.
I have an account (not one of those you mentioned) where the phone app allows you to turn on or off certain features of the card, such as whether it's near the phone (uses location and merchant location), Y/N to ATM withdrawals, Y/N to contactless, etc. Kinda handy and it works. Interesting to test whether this is tied to the reader in some way or not. Thanks!!
I know with my bank, the settings just tell the bank to block transactions
There are phone cases that also block the chip in cards from communicating. I’m not sure if they affect phone reception but you can always take your phone out of the case in a pinch. Beats disabling features.
The German bank N26 gives out transparent cards as standard. They are slightly smoky plastic but you can clearly see all the antennae running through them. There are even more than one coil.
It's a free online bank so if you live in Europe you can just open an account to get the cool card.
😂”Be really careful where you are piercing your plastic”😂
Thank you, thank you, thank you for solving a problem i was too lazy to solve myself.
Haha, I did the opposite. I don't need more than one NFC device so I just let the card do the work. I did notice that if I had NFC on my phone my card wouldn't work from the case. As a temporary thing to have phone nfc I have just been using the card outside of the case too. Glad to see I wasn't crazy.
Dev, I am one of those few users who uses that style of phone case... and oh my god, I LOVE it even though all of my friends tell me how they couldn't handle the stress of all those eggs in one basket, which is a totally fair risk appetite acceptance model.
That being said, I've gone back and forth on enabling the phone-based tap to pay... "Do I want anyone who compromises my Google/Apple account (in that scenario) to also gain access to my credit cards?" and I'm still not sure what my personal risk appetite is on the topic.
Either way, good GOD it was annoying to leave NFC turned on on my phone for the very reason you mentioned in the video. I was so confused the first few times NFC tools alerted me to successfully captured data until I realized that me wanting to leave NFC Tools on and the convenience of Tasker IfTTT commands that used NFC were causing me to go crazy... 😅
Hey you forgot to cover your number in one of the shots. Great video.
you sure about that? =)
In Canada you can just ask the bank to disable it, and as far as I am aware it does not scan with anything after that (rather than just scanning and showing a blank tag)
Just FYI all you need is a piece of metal (a sheet the size and thickness of the credit card) and it'll make a barrier so the NFC scanner can't pick it up.
That was about 10 seconds of really good information... ... ...
Interesting fella has a room with wall-to-wall red fur.
Funny enough a passport card is actually only valid for ground and boat transportation and not valid at an airport (I learned the hardway at an airport ticketing counter without enough time to run back and grab an alternate form of ID)
Well that makes sense to me. And it sounds like something I would do, just mod something until it works the way you want it to.
And I could really use that laptop. Hopefully I get picked.
Man, how I wish I would have seen this video a long time ago. I would have loved to have won that laptop. Being in a wheelchair, EVERYTHING falls off my lap, including my laptop. So having a rugged one would probably have saved my last laptop.
I've been reading about "card clash" on the London public transport system. You offer your phone or wallet or purse and there may be multiple chips in there and it's a mixup. As you need to tap in and tap out, confusion can ensue
I figured out why the hole was there immediately, but the reason for it is completely different from what I thought you were gonna say (was expecting something about security, paying something without your knowledge, ...)
You're right that the NFC payment system doesn't require both devices to have an active network connection. They just figure your phone is more likely to than the POS system, so it banks in the phone as the reliable end. IT support will tell you how awful it is keeping that stuff online.
My bank is behind the curve with NFC, but I don’t want to use it once it’s available and I was thinking about this exact topic over the weekend while trying to set up some GPS tracking units that I can hopefully catch some thieves with.
Ha yes, same problem here, and a neat solution to it too
The first time I ever saw a card with a chip in it was at Naval Station Great Lakes back in 1999. Recruits had what looks just like a modern credit/debit card with a chip. But it had their service history and medical and whatnot on it. It wasn't until maybe 10 (or more) years later I first started seeing credit & debit cards with them.
Apparently at the time 25 years ago, each of these cost around a hundred bucks. Granted that was what the Navy was paying for them, so who knows how much they would have been for regular people buying them commercially (10x more or 10x less seem equally probable).
CONGRATS!
Just imagine, you have a debit card because you interface with shops who prefer cash (that you need to pull cash from your ATM), and the bloody bank refuses to remove the NFC antenna.....
*grabs drill & torch*
A few years ago when I was first trying Apple Pay, I was in Canada at a Starbucks and was able to pay while my my iPhone was in airplane and Wi-Fi turned off. That was before most cell plans included roaming in Canada and Mexico lol, but good to know network connection is not required.
Thanks for the tip. That tap-to-read is a huge liability, since you don't need the pin to pay under a certain limit, so scammers can remote--card you and empty your wallet. I hate the tap-to-pay function. UNTIL they ad a physical safety measure like a pin input on the card or fingerprint reader so it cannot be remotely used by a scammer with a radio card and a laptop it is nothing but a security hole. I would much rather use my phone as a payment method.
Haven't thought about that hack. Love it...
yes, mobile wallet does work with no network on the phone. it requires network every now and then to check, verify, update etc. but works fine with no network. and also YES. we call it contactless here in the UK but we’ve had those types of payments for years and it’s been brilliant it’s amazing how behind the US is on this front. Chip and PIN has been the only way to pay for years, and is far superior, but contactless has been the norm for years also, like there is precisely 0 locations that don’t take contactless nowadays, it’s so impossibly easy to pay nowadays, contactless and mobile wallet is expected, if you try and do a cash payment or a chip and pin the employee will just go ‘eh wtf are you doing??’
FWIW I just put my two most used cards in a RFID blocking sleeve and put that in my phone case. The sleeve itself doesn't add enough bulk to be problematic, but granted I use more of a folding wallet phone case which has a little extra wiggle room to begin with so your YMMV. And, so, I can use apple pay w/out any issues, but if a merchant doesn't have apple pay and I still need to spend money there, I still have the option with the CC to tap, dip, or (heaven forbid) swipe. (for ultimate last resort, I also keep a bit of emergency cash in the case too. I always try to keep enough for cab ride home no matter where in the city I am. Just in case.)