Getting A Non-RFID Credit Card
The Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contact-less terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.
It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:
For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.
Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.
RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.
Chase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card, without the “Blink” capability. The actual plastic card is their “Rewards Visa” though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic, the credit plan is in the account not the card. So there you have it, you can get a secure credit card if your concerned about security.
Chase claims “Blink” it’s very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):
10. Are blink purchases secure?
Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.
Judging from the speed in which it can be swiped (as demonstrated on the Chase blink website) one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing since no actual contact needed (such as digging a hand into someone’s pocket).
We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. No way to read the magnetic strip or copy the numbers off of it without the actual card visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I do realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and usage of stolen data.
I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).
Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.
Tags: chase, credit-card, finance, rfid, Security
April 3rd, 2007 at 8:57 am
The Chase blink product is not well advertised. Technically, I believe that Chase licenses the technology from MasterCard, and Chase applies it to both their MasterCard credit and Visa credit products. MasterCard still retains their PayPass brand and technology. I guess Chase thought they could do better than the inventor – MasterCard– in promoting the brand – PayPass, Contactless, RFID —whatever.
This poses problems for some Chase credit card holders. I know of a few merchants who only accept (and all swipe cards) PayPass a MasterCard product but they actually will take any contactless device (card, tag, phone) that is linked to a MasterCard branded credit or debit card. So at these merchants if you have blink in your Chase Visa credit, you could not use it at that merchant. Blink MasterCard would work.
MasterCard has been far more successful in promoting contactless payment technology with their PayPass brand. Visa appears to not have a firm name for their contactless brand. I have read “Waveâ€? and I have read “Contactless.â€? American Express’ product called ExpressPay, is only offered in select credit products of theirs, had been a key chain and is now embedded in the card only, which reduces the speed and convenience of this new technology—if you have to take your card out of your wallet anyways it wave it, you might as well swipe it. This is why key chain tags and mobile phones with PayPass are far superior. Citibank issues Payment Tags, and is in trial with mobile phone technology.
I understand your security concern. MasterCard and Visa both offer Zero liability for unauthorized purchases. So if your RFID card info were swiped by a thief, you would not be liable for any charges he or she made. In addition, I don’t believe that ones name on an account is transmitted by RFID. I think that the only data that is sent is card account number, expiration, and a CVC/security code. And even then I read that it is encrypted at 128bit. Plus, the thief would have to know you had an RFID device with you—they are so uncommon to have now that picking someone out of the crowd who has an RFID card or tag would be very difficult for a thief since they don’t work like radar where the signal is transmitted wide range 100% of the time.
Anyways I am loyal to PayPass and MasterCard, and clearly their product is better than the Chase/Visa branded product. I believe Chase Freedom is offered in a MasterCard version should you desire to switch.
April 3rd, 2007 at 8:14 pm
N.S.: Your only not liable once it’s proven stolen… otherwise anyone can/would just run their limit and say it’s stolen. This process can take a long time and can be expensive. During the time your credit can be in bad shape. Having a credit card stolen is still a big deal. If this wasn’t the case, nobody would care about their their credit card remaining secure.
Despite the encryption, one can still copy the encrypted output. The RFID card doesn’t process data, it’s essentially just storage (of encrypted data). It can still be copied and used.
RFID readers do exist in small packages (PDA sized). You could easily situate one in your pocket, or in a small bag and just brush by random people. With these cards being more and more common it’s not to hard. You don’t know if someone you pick pocket has a wallet with anything useful either, it’s always a gamble ;-).
April 11th, 2007 at 4:16 pm
Very well written thorough investigation. It seems largely a solution without a problem.
July 2nd, 2007 at 2:50 am
RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing.
October 5th, 2007 at 12:36 am
[...] our government is also keen on RFID in passports. In the case of Chase, it turns out you can simply request new cards or get creative with a drill. I was going to do the latter, but ended up doing the former, because [...]
June 22nd, 2008 at 4:31 pm
Just to let you know, I tried calling Chase and getting a non-Blink enabled card and the only way that I could get one is if I downgraded to a non-Signature Freedom card. Looks like I’ll have to do some drilling.