R.I.P. PayPass (mBank)

We recently got issued a PayPass-enabled debit card. Not that we wanted one, no. But there seems to be a crazy push for wireless payment going on in Poland and it’s getting hard to get a card without it (or PayWave). Given the security concerns of these solutions (remote cloning), I decided to give it a go and try to disable PayPass while keeping other functions working. Turns out there’s a cheap and fairly reliable way to do it and it involves… x-rays. And drilling. :-)

Here’s what the card I got looks like internally:

You can clearly see where the chip is, how the antenna is connected to it and where it goes on the card. Since it’s basically an RFID chip, it requires an external power source to function. In this case electrical current is inducted in the antenna. In theory it should be enough to break the loop to disable wireless payments. Why not drill through it, then? :D

The card was tested to work OK in ATMs, POS terminals and wirelessly before any changes were made to ensure that it’s the changes that disabled it, not chance. I decided to drill two 3mm holes through it, just to make sure, and here’s what it looked like after the operation:

 

 

As you can see I’ve messed up a little bit and drilled right through the magnetic stripe, but it still works! ATMs, POS terminals do, PayPass… doesn’t. Mission successful!

 

About these ads

9 Responses to “R.I.P. PayPass (mBank)”


  1. 2 Patryk March 14, 2013 at 4:52

    Karol, explain one thing. Is it a card Master Card or Visa? I ask because I found on another site X-ray, mbank card “delfin” Visa payWave. http://4.bp.blogspot.com/-Wf87PCozb9g/UMH4__g8cHI/AAAAAAAAAOI/GvM5_ova7wI/s1600/vi-05-4up-x.jpg

    Do you think mbank cards with the same location of RFID antennas in the cards Master Card and Visa?

    • 3 knowak March 14, 2013 at 4:57

      That one was a Master Card and Visa is going to be different. I’ve had some luck taking photos of these antennas using long exposures with a normal camera and multiple shots of a flash from behind. You may want to give it a try without using X rays first.

  2. 4 SD May 17, 2013 at 11:03

    A quick clip with a set of side cutters at the top middle of the card should do the trick quite nicely as well.

  3. 5 brad July 17, 2013 at 12:52

    Why are people to paranoid of this, Firstly its more secure than magnetic strips, Secondly there is a maximum amount someone could possibly take plus the only reason this technology was legalized was because MasterCard & Visa agreed to guarantee any money stolen will be reimbursed once reported. I’ve had money stolen off me twice once online and the second time my card skimmed BECAUSE OF THE MAGNETIC STRIP.
    Its actually selfish to disable it.
    The whole point is so purchases can be done more efficiently from some machines taking up to a minute compared to PayPass taking less then 5 seconds.
    YOU ARE PROBABLY THE SLOW PERSON AT THE FRONT OF THE LINE AT THE PETROL STATION HOLDING EVERYONE UP.

    Don’t be afraid of technology embrace technology.

    • 6 knowak December 14, 2013 at 11:30

      I beg to differ. It’s hard to read my strip while it’s still in the pocket. Not quite so with the evil antenna.

    • 7 Edward Bear March 23, 2014 at 2:53

      Simple: Security. Ever misplaced something – your wallet, your keys, your phone? Now imagine it was a PayPass-enabled credit card. At the moment of purchase, with the chip or swipe, you still have to either enter a PIN or sign something. With PayPass, there’s no such step. The problem is that cards are found or stolen by the thousands on a daily basis and until the card is found to be missing, someone has accessed your account without your permission. With no PayPass, this is a much lower concern – it can be stopped at the moment of purchase.

    • 8 Not Brad April 24, 2014 at 5:44

      brad, this site may not be for you. I am indeed curious what you were googling for which made you click on the link to this site? Also, what seems to be paranoia for you might be rational thinking for others.


  1. 1 Disabling PayWave « Karol ‘grzywacz’ Nowak Trackback on October 14, 2012 at 8:39

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s





Follow

Get every new post delivered to your Inbox.

%d bloggers like this: