Categories
Security Tech (General)

Getting A Non-RFID Credit Card

Chase Freedom VisaThe Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contact-less terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

Blink Logo (sm) Chase

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

Chase Flexible Rewards VisaChase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card, without the “Blink” capability. The actual plastic card is their “Rewards Visa” though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic, the credit plan is in the account not the card. So there you have it, you can get a secure credit card if your concerned about security.

Chase claims “Blink” it’s very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed in which it can be swiped (as demonstrated on the Chase blink website) one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing since no actual contact needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. No way to read the magnetic strip or copy the numbers off of it without the actual card visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I do realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and usage of stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.

26 replies on “Getting A Non-RFID Credit Card”

The Chase blink product is not well advertised. Technically, I believe that Chase licenses the technology from MasterCard, and Chase applies it to both their MasterCard credit and Visa credit products. MasterCard still retains their PayPass brand and technology. I guess Chase thought they could do better than the inventor – MasterCard– in promoting the brand – PayPass, Contactless, RFID —whatever.

This poses problems for some Chase credit card holders. I know of a few merchants who only accept (and all swipe cards) PayPass a MasterCard product but they actually will take any contactless device (card, tag, phone) that is linked to a MasterCard branded credit or debit card. So at these merchants if you have blink in your Chase Visa credit, you could not use it at that merchant. Blink MasterCard would work.

MasterCard has been far more successful in promoting contactless payment technology with their PayPass brand. Visa appears to not have a firm name for their contactless brand. I have read “Waveâ€? and I have read “Contactless.â€? American Express’ product called ExpressPay, is only offered in select credit products of theirs, had been a key chain and is now embedded in the card only, which reduces the speed and convenience of this new technology—if you have to take your card out of your wallet anyways it wave it, you might as well swipe it. This is why key chain tags and mobile phones with PayPass are far superior. Citibank issues Payment Tags, and is in trial with mobile phone technology.

I understand your security concern. MasterCard and Visa both offer Zero liability for unauthorized purchases. So if your RFID card info were swiped by a thief, you would not be liable for any charges he or she made. In addition, I don’t believe that ones name on an account is transmitted by RFID. I think that the only data that is sent is card account number, expiration, and a CVC/security code. And even then I read that it is encrypted at 128bit. Plus, the thief would have to know you had an RFID device with you—they are so uncommon to have now that picking someone out of the crowd who has an RFID card or tag would be very difficult for a thief since they don’t work like radar where the signal is transmitted wide range 100% of the time.

Anyways I am loyal to PayPass and MasterCard, and clearly their product is better than the Chase/Visa branded product. I believe Chase Freedom is offered in a MasterCard version should you desire to switch.

N.S.: Your only not liable once it’s proven stolen… otherwise anyone can/would just run their limit and say it’s stolen. This process can take a long time and can be expensive. During the time your credit can be in bad shape. Having a credit card stolen is still a big deal. If this wasn’t the case, nobody would care about their their credit card remaining secure.

Despite the encryption, one can still copy the encrypted output. The RFID card doesn’t process data, it’s essentially just storage (of encrypted data). It can still be copied and used.

RFID readers do exist in small packages (PDA sized). You could easily situate one in your pocket, or in a small bag and just brush by random people. With these cards being more and more common it’s not to hard. You don’t know if someone you pick pocket has a wallet with anything useful either, it’s always a gamble ;-).

Just to let you know, I tried calling Chase and getting a non-Blink enabled card and the only way that I could get one is if I downgraded to a non-Signature Freedom card. Looks like I’ll have to do some drilling.

Few people realize that the card has to be a few inches away from the reader to be activated (i.e. get power), but when it transmits a response (containing your PII), it can be read across the room. The cards and readers are too simplisitc to to use asymmetric encryption, so the information transmitted is encrypted using a pre-shared key. That means every terminal in the world is waiting for someone to hack into it to get the key and publish it on the internet somewhere.

As Josh stated, Chase is making it harder to have a non-Blink enabled card. My card (which was originally a First USA, then BankOne) was recently ‘upgraded’ to a Freedom-Signature with Blink. I did not ask for the upgrade and I was not notified of an ‘upgrade’ before receiving the ‘bink-ed’ card. After two tries to get a non-Blink card, I was told that I would have to change my account to get a non-Blink card. If changing the account (and account number) is what Chase requires to get a non-Blink card for accounts that did not sign up for the ‘feature’. When my current non-Blink card expires (I did not activate the Blink card) or is not accepted anymore, my account change will be to move to another bank. Or maybe that hole punch will work just fine.

Thank you so much for posting this. I just got a Blink card in the mail yesterday. Without this posting I would not have known I had an option to get a regular card. I called Chase and they are issuing a regular one with no hassle at all. They said that my account # and expiration date would not be changed. I also didn’t see any information about that on their website or that Blink is an RFID chip.

Chase sent us a new card after reporting our security was breached. I had not realized it would have a blink RFID in it. At first, we did not notice, as that is on the back. Then I called them up to replace it. They replaced it…with yet another blink card, after I had objected to the RFID, and told them they had not even alerted the customer, much less explained the possible problems. I was put on hold forever, after they told me they would indeed send a regular old fashioned credit card, for what purpose is not clear. Finally, somebody else came on the phone, and said, oh, yes, the paperwork for a replacement card with no RFID is on the way. That was over a month ago. It never came. My husband got into trouble with a regular subscription renewal, as he had by then forgotten that the Chase card had not yet been replaced. So, I called them yet again. They were very polite, quite nice, they said they would replace the card, and ended the conversation. I called back, to make sure they had gotten the message that the replacement card was NOT to be RFID. They said, ooops, sorry we are sending you another RFID card. But never mind, they said, this one ought to arrive in three to five business days, so ignore it, and I will send you a non-RFID card right now, which will arrive a day or two later. Two days ago, the new RFID cards arrived, and I destroyed them. Today, they sent us FOUR new cards, two for each of us, and GUESS WHAT: all four have BLINKin’ RFID chips in them. Are these people stupid or evil? We want card with no RFID chip in them. We have told them, on several occasions, we want cards with no RFID in them. What part of that do they not understand?

I have called Chase twice to get rid of this card. Today, after disconnecting me and putting me on hold for an endless amount of time I spoke to a rep. The rep was very rude and offended that I wanted a different card. He didn’t seem to understand that I did NOT want to have this card! He kept telling me that its no different then giving my card to a waiter, but he didn’t seem to understand that I don’t want another opportunity to having my information stolen!

If they dont send me a non-blink card this third time around. I am closing my chase account.

when u let someone else have your credit card, there is always a HUGE risk of someone taking the information. It doesnt need to have RFID. The black barcode transmits the same information. Chase probably isnt sending u a new card because there is almost no security problem with RFID. If a person is within an inch of your card with a scanner then yes they can get information. But are u not going to notice someone scanning your purse? RFID is very safe and soon most things will probably have it. relax.

It took me three tries to get a non-Blink card from Chase, without any downgrade or number change. Even the three digit security code was the same, meaning I really did not need to activate the replacement card. Funny also, that I could activate the card from a friend’s phone using information only on the card. Security, WHAT security? This is not optimal, as a thief could have stolen the new card from my mailbox and used it at will. But, this unlikely event did not occur. The first two tries resulted in more than a week’s wait, and each time I was told that the new card was not issued because of “technical reasons.” I would love to believe this is because of huge demand for NON RFID cards. I love technology, but not if it is used in this way. I could have deactivated or shielded the chip, but why not send a message to the corporate *&!!^*^’s who foist this insult on their customers. The only way to be free from credit card safety concerns is to NOT USE THEM.

As a Washington Mutual customer – now Chase, I too received a unwanted RFID card. All I need is a ATM card that has debit capabiliy (buy groceries without carrying 200 cash with me each time). Washington Mutual provided this.

I called Chase to opt out of this new RFID card. I ws told by customer service and her supervisor that this is the ONLY CARD they now offer.

After requesting that this feature be deactivated, I was told it can’t be done.

After much discussion, they said I could get a regular ATM card for bank use only (that doesn’t help if I want to swipe and debit directly from my account at the grocery store.

This issue was not resolved with Chase.

Upon reading a few suggestions on line as to how to deactivate the RFID chip, I gleefully wacked the chip with a ball ping hammer. Drilling though it is a pleasant alternative.

My girls and I we’ve owned more prepaid credit cards over the years than we can count, including Bank Freedom, Greendot, etc. But, the last few years I’ve found that one is the best for are family AccountNow Visa. Why? Because I was thrilled to discover how well-designed and child’s play to use the underappreciated (and widely mocked) AccountNow Visa’s are.

It looks like you can’t get them without blink anymore. I just recieved a replacement to my chase freedom card, 2 years before the expiration, and the new one has blink. I called, and they said they no longer offer a card without blink. The new card has a different exparation date than the old one, and could cause problems with verification if i continue to use the old one.

I told them i’d have to think about whether i will cancel the card, or not. I guess i could intentionally damage the RFID chip. It’s clearly visable as to it’s location. Does anyone offer a card with similar rewards that i can get without an RFID chip?

Some of the points that the credit card companies make is that:
The issuee is protected from fraud.
The data is encrypted.

Having stuff put on your credit card is a big deal, as one commenter stated. You are at the mercy of the credit card company, weather or not they agree with you on the point your card has been ‘stolen’. If they so not, your on the hook. Plus, we all pay for stolen credit cards in higher fees, interest rates (for those who don’t pay off every billing period) and in higher merchandise costs.
Tests by a university showed that at least one card sent the owners name and credit card number and expiry date in plain text, un-encrypted.
As the music industry has learned, with DVD, Super Audio CD, and DVD Audio, all encrypted devices, and all with broken encryption almost out of the gate. The only way the companies are protecting themselves is with the DMCA laws, which only law abiding citizens abide by. Crooks and organized crime certainly don’t care about breaking the DMCA laws.

Now, I don’t know if anyone has broken the encryption on the credit cards. If they have, the credit card companies are NOT going to announce it. The criminals are NOT going to announce it. That leaves the consumer in a poor place, unable to trust either the crooks (at least we know we can’t trust them) and unable to trust the credit card companies and anyone with smarts knows you shouldn’t trust them, either.

Neither have your best interests in mind. If you don’t believe me, ask a credit card company who much money they lost due to fraud in previous years. Ask what they are doing to prevent fraud. Be prepared for a song, and a dance.

FYI: here is a good article on the subject and also contains information on so called ‘chipped’ cards, which have a very large security hole, with criminals able to spoof or fool the system into taking a false pin code, but registers as a real pin code. The real holders of the cards cannot prove the fraud, and are fully liable for fraudulent purchases.

http://www.cbc.ca/consumer/sto.....cerns.html

As the story points out, the Banks are not trying to prevent fraud, they are reducing their risk, and that risk is being put right on the consumers shoulders.

The security has been broken and criminals are actively exploiting this feature. The recomendation is to get a card envelope that contains lead to prevent it from being scanned. 60-minutes had the report and it’s all over the net now..

So much for secure .. Thinking I may have to cancel my card..

Dave

The high-handedness of Chase in issuing a credit card with Blink that I didn’t request and don’t want is a cue to me to shop around for a replacement bank. In the meantime, does anyone know if a thin layer of tin foil lining the wallet compartment of the card will block transmission of the data?

hi there.. had a blink chase card there and i found a nasty rfid deal there . i taken that off i still use the card for my transactions with chase there but my credit union card they dont have it yet thank godd. but my u.s passport card that another story there altoghther .

While I was just in Miami someone apparently read my Chase card number while standing in line at the airport. Only a few charges were made in Peru before Chase security called me about the charges and closed the account. I told them to send replacement cards WITHOUT the blink chip technology. We’ll soon see if they honor my request.

Take an office paper hole punch and “punch out” the RFID, it’s the same size…cards still works great but the RFID is gone.

Leave a Reply

Your email address will not be published. Required fields are marked *