Secrets In Websites II

This post is a follow up to the first Secrets In Websites. For those who don’t remember the first time, I point out odd, interesting, funny things in other websites’ code. Yes it takes some time to put a post like this together, that’s why it’s just about a year since the last time. Enough with the intro, read on for the code.

Continue reading

Getting A Non-RFID Credit Card

Chase Freedom VisaThe Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contact-less terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

Blink Logo (sm) Chase

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

Chase Flexible Rewards VisaChase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card, without the “Blink” capability. The actual plastic card is their “Rewards Visa” though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic, the credit plan is in the account not the card. So there you have it, you can get a secure credit card if your concerned about security.

Chase claims “Blink” it’s very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed in which it can be swiped (as demonstrated on the Chase blink website) one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing since no actual contact needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. No way to read the magnetic strip or copy the numbers off of it without the actual card visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I do realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and usage of stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.