How to manually disable the no contact card?

You will seriously decrease your security by disabling the radio or chip in your credit card.

Chip and PIN is the most secure form of payment available today, followed closely by Chip and Signature; contactless payment is almost as secure; mag stripes are completely not secure, and hand-keyed account numbers (such as on a web page) are the least secure of all.

It may help to understand the different protocols in use. The data provided by the chip, either through electrical contacts or via the Near Field Communications (NFC) radio, follows a different payment protocol (called EMV) than the data provided by the magnetic stripe.

First, be aware that all cards, including chip, mag stripe, and contactless cards, transmit data in the clear*. The data includes card number (also called the Primary Account Number, or PAN), expiration date, and some kind of verification value. The bank uses the PAN to look up the account, checks the expiration date, then validates the appropriate verification value. If they match, the bank goes on to approval processing. If they don't match, the bank declines the transaction.

Believe it or not, the account number isn't the problem. The problem is when all of this data is copied together, including the verification value.

There are two different Cardholder Verification Values on a mag-stripe credit card. There is the Cardholder Verification Value (CVV), which is embedded in the mag stripe's data, and the CVV2, which is the 3- or 4-digit number printed on the back of the card, and is for use in "Card Not Present" transactions (such as paying online).

When a card is mag-stripe read, the entire track of data from the mag stripe is sent to the bank. The bank looks at the track data and will require the CVV from the track to match their records exactly. If a card is hand-keyed (as on a web site), the bank requires the CVV2 from the back of the card to match. Stealing the mag stripe does not get the thief the CVV2 so he can't buy online; stealing the CVV2 from a web site does not enable a thief to recreate a mag stripe and create a counterfeit card.

However, the basic problem with the mag stripe is that all the data is static. Because the track data can't be changed, the CVV is static. Because a credit card is printed, the CVV2 never changes either. That means if the card data is read just once by a thief, it can be copied and replayed again and again, resulting in fraud.

That's where the contactless cards are different. Because they have an on-board chip with a CPU and memory, they generate a single-use transaction-specific verification value. With each subsequent transaction, they generate a different verification value. The bank uses cryptography to validate the verification value was correctly generated on each transaction; this confirms that it was their chip that was present, and not just a copy of the number. This means that copying all of the authorization data, including the PAN, expiration date, and verification value, does not give the thief enough information to replay the information and commit fraud with the data. Similar protocols protect Chip-and-PIN and Chip-and-Signature transactions.

Instead of clipping the NFC antenna, you are much more secure if you use only the contactless radio for payment. However, since many shops don't take contactless payments yet, you still need to use your mag stripe at those locations, where your data is still vulnerable and subject to skimming. And when you use your card online and type in your CVV2, it's also potentially vulnerable to theft.

If you want to increase your security, let the merchants where you shop know that you're unhappy that they don't take contactless forms of payment, or if they don't yet take chip cards. The more they hear from their customers, the more likely they are to upgrade their equipment to a more secure device.

If you're extremely paranoid, you can certainly buy a cheap RF-blocking envelope to keep your card in your wallet from being skimmed by the guy next to you on the bus; but even if he does read it, the data he reads can't be used to create a working clone of your card. (At most, a very sophisticated attacker could have an accomplice paying for a diamond ring at the exact time the guy on the bus reads your card, channeling stolen payment data through him as a proxy. And that's why you should tell your bank you would rather have Chip and PIN than Chip and Signature.)

EDIT: For clarity, here’s how I rank the various payment schemes in terms of security, from best to worst:

  1. Chip and PIN
  2. Chip and Signature
  3. Mobile payment systems (Apple, Samsung)
  4. NFC (contactless with dynamic authentication data)

...

  1. Mag stripe
  2. Web entry with two-factor authentication
  3. Web entry

* Some contactless technologies, such as Apple Pay, use a substitute number in place of the PAN. While this sounds more secure than the cleartext account number found on chip cards, this means your banking information is always present inside Apple's systems, where you have to trust they won't be hacked, and that your iPhone and iWatch won't be hacked.
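
Added example, not part of the original answer: a simplified model of the static-versus-dynamic verification value described above, showing why captured mag-stripe data replays while a captured chip or contactless message does not. HMAC-SHA256 and a simple transaction counter stand in for the real EMV cryptogram; the key, PAN, amounts and all function names are constructed for illustration.

```python
import hashlib
import hmac

def cryptogram(card_key: bytes, pan: str, atc: int, amount_cents: int, nonce: bytes) -> str:
    """Card side: MAC over transaction-specific data (HMAC-SHA256 is a stand-in)."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + nonce
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Bank side: per-card key, static CVV, and the highest counter seen so far."""
    def __init__(self):
        self.cards = {}  # pan -> {"key", "cvv", "last_atc"}

    def enroll(self, pan, key, cvv):
        self.cards[pan] = {"key": key, "cvv": cvv, "last_atc": 0}

    def authorize_magstripe(self, pan, cvv):
        # Static check: the same data validates every time it is presented.
        rec = self.cards.get(pan)
        return rec is not None and hmac.compare_digest(rec["cvv"], cvv)

    def authorize_chip(self, pan, atc, amount_cents, nonce, value):
        rec = self.cards.get(pan)
        if rec is None or atc <= rec["last_atc"]:
            return False  # unknown card, or counter already used (replay)
        expected = cryptogram(rec["key"], pan, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, value):
            return False  # value was not generated by the card's key for this data
        rec["last_atc"] = atc
        return True

def demo():
    bank = Issuer()
    pan, key = "4000000000000002", b"constructed-card-key"  # constructed values
    bank.enroll(pan, key, "123")
    # Mag stripe: copied track data is accepted again and again.
    stripe = [bank.authorize_magstripe(pan, "123") for _ in range(2)]
    # Chip/contactless: the same captured message is accepted once, then rejected.
    nonce = b"\x01\x02\x03\x04"  # terminal-supplied random value (constructed)
    captured = (pan, 1, 2500, nonce, cryptogram(key, pan, 1, 2500, nonce))
    first = bank.authorize_chip(*captured)
    replay = bank.authorize_chip(*captured)
    # The captured value does not validate for a different counter and amount.
    altered = bank.authorize_chip(pan, 2, 99900, nonce, captured[4])
    return stripe, first, replay, altered

if __name__ == "__main__":
    print(demo())
```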


Is there a way to manually disable this no-contact thing? I'm either looking for a physical solution...

There are a few examples of people building Faraday cage wallets, as suggested in the comments. Here are a few that should be easily reproducible to solve any physical requirements to prevent this.

  1. http://www.zdnet.com/article/how-to-build-a-faraday-cage
  2. Can a steel woven wallet prevent RFID scanning of credit card information?
  3. http://briangreen.net/2010/11/diy-ultralight-faraday-cage-pouch.html
  4. http://lifehacker.com/5934635/use-an-altoid-tin-as-an-rfid-blocking-wallet
  5. http://howto.wired.com/wiki/Make_a_Faraday_Cage_Wallet
