American Express Blue
Update: Embedded the BoingBoing TV segment on reading AmEx blue cards.
American Express decided to “automatically upgrade” my plebeian green card to an American Express Blue card.
Beyond giving me the “privilege” of paying AmEx a monthly exorbitant interest rate if I don’t pay the full balance, the card has an embedded RFID chip that is used to “wave and pay” at a bunch of locations.
Hell, AmEx is so proud of the RFID feature that the card is transparent such that the chip and antenna are clearly visible.
How incredibly stupid.
Why?
Because this is the exact same chip that can be read and decrypted with about $8 in hardware and some freely available software.
Without touching the card.
From a distance, even.
Better yet, AmEx embeds a bunch of personal information in the card.
Now I have to call American Express and demand a replacement non-RFID card. Others have done this and been stymied. Or, alternatively, I think I’ll just take a drill to this one and apply some rotational entropy to the RFID chip.
Sadly, I’ll have to renew my passport in the next couple of years, and US passports now also embed equally insecure, RFID-accessible chunks of personal information.


May 17th, 2008 at 5:18 am
Speaking of cheap hardware for hacking RFIDs, Cory Doctorow’s new novel Little Brother is a fun read. An underground movement of teenagers have fun scrambling RFIDs to screw with an insanely overzealous Department of Homeland Security.
May 17th, 2008 at 7:28 am
My bank has been putting RFID chips in the ATM/Debit cards for a couple of years now. It is annoying. I don’t think I’ve ever encountered a POS terminal that allowed just waving of the card either.
They try to market this as a convenience for me, but it really isn’t. After I’ve taken my wallet out, and dug the card out, swiping vs. waving is not a significant difference.
May 17th, 2008 at 8:13 am
You mean they do that to passports now? Ugh. I have to renew this year (plus grab new ones for the children and my husband) and that just kind of sucks.
May 17th, 2008 at 1:57 pm
You can whack it with a hammer and disable the chip.
May 17th, 2008 at 3:44 pm
A second or so in a microwave oven should do nicely (I’d love to hear about the results of any experiments along those lines), or you could make an RFID-blocking wallet; definitely going to be making some passport cases like that…
May 17th, 2008 at 4:29 pm
Passport, meet microwave. Microwave, meet passport.
You two get to know each other
May 17th, 2008 at 7:12 pm
Close the AMEX account. It’s the only thing that they’ll pay attention to.
-jcr
May 18th, 2008 at 11:40 pm
…and if u do not pay the full amount on the card it will cost u about 30% in interest. and they say there r no more shylocks around!!
May 19th, 2008 at 2:53 am
Do the rfid chips in your tires bother you as well? They became mandatory in 2004 as part of the Transportation Recall Enactment, Accountability and Documentation Act (TREAD).
May 19th, 2008 at 10:01 am
Do the rfid chips in my tires contain my name, potentially my social security number, my address, and my credit card number?
Didn’t think so. Vastly different risk. The AmEx Blue encodes enough information to be an identity theft risk.
May 19th, 2008 at 10:14 am
Very true. Don’t disagree with you on that. My only concern would be that the chips in the tires can be used for even more sinister uses. I just don’t like RFID altogether. And Amex should give the end user a choice as should every major bank that now throws the chips in all their ATM cards. RFID is evil.
May 19th, 2008 at 12:02 pm
This whole thing is actually a bit suspect, American Express has always claimed that your name is not on the RFID chip, and the number on the chip is an alternate number that is not on the card, and that number combined with a unique challenge response per transaction allows it to be secure enough not to require a signature (which is supposed to be the time saver). So if you don’t want the RFID they just disable the alternate account number, but I don’t know if American Express’s marketing is BSing about the account information or this guy is, however the POS terminal used in the video has been identified, and is not found on eBay, and costs a couple hundred dollars, so we know this guy is sensationalizing at least on that point, not that being harder to get is any more comforting if the full account info is actually on the chip.
I think the hammer idea sounds like a good idea. In Missouri, I’ve probably had 6 opportunities in the last 3 years to use the RFID express pay, and because it requires them to hit an extra button somewhere to actually work, 4 of those times the merchants just made me swipe because they couldn’t figure out how to get it to work, one other time the manager came up and said that it had worked and was done, even though there wasn’t a receipt (and later I was never charged) and one of those times the person actually knew how to handle it on the register and it worked as advertised. All of those places are ones where I would not spend more than $25 and so they wouldn’t require a signature anyway, so it’s never been a time saver for me.
I would be careful about drilling though, make sure that it’s small and non-obvious and possibly not drilled all the way through, if your card looks modified in some way some merchants may think there is some kind of fraud going on and thus not accept your card. They tend to be a little bit more discriminating on American Express cards, I think maybe Amex is more aggressive on issuing chargebacks to the merchants.
May 19th, 2008 at 12:10 pm
I shall add a link to the boing boing tv video as it implied name and # were on the RFID chip…
Thank you for the feedback, btw. Very much appreciated.
May 19th, 2008 at 12:38 pm
Just to be clear, I was referring to the guy in the video and his hacking as being suspect, not that I can truly verify either way, it’s just not how the technology is supposed to work for American Express cards, but it’s not like there is anything more than marketing QA about how the Amex RFID works, but then again there isn’t anything but a BoingBoingTV video of this hack too.
May 19th, 2008 at 12:44 pm
Good point; someone should ask Xeni and/or Hacker Dude for some clarification.
May 29th, 2008 at 1:24 pm
I’ve had the Blue Cash card for about 18 months now, and can agree that the chip is a waste of time. Ironically, the only place that it easily works is at McDonald’s, and I rarely eat there.
We use the card to generate cash back, and at the time, it was the best deal going. After an initial amount of spending each year, they paid 4% on groceries, prescriptions, and gas; and 1.5% on everything else. We use the card for literally everything, except we can’t figure out a way to pay our mortgage with it yet (they pay no cash back on cash advances, and there is no grace period on them). We pay the card off in full each month. Last year they paid us something like $1,800. Revenge is sweet.
Anyway, about a month ago, I got a letter from AMEX, also describing an automatic “upgrade” to my blue cash card. The upgrade offered some trivial additional features (track your points online, etc.), and the most excellent feature upgrade of lowering our cash back percentages across the board. I’d have to go back and look at the letter, but it was now something like 1.5% on the groceries/gas/prescriptions, and 0.5% on everything else. Come to think of it, they might have even eliminated gas from the higher category, given the cost of gas lately.
Needless to say, we are shopping for a new card. There is always someone willing to extend crazy bonus terms because most people don’t use the card like we do, and the card company makes out. And some of them now charge a “no balance carried fee” if you pay it off for too many months in a row. Gotta love it. Do the usury laws of the 1800s no longer exist?
As a side note, I live on an island with no natural gas, so we all have propane tanks. Ferrell Gas is the absolute king of bogus fees and fleecing their lease customers. Two of my neighbors lease their tanks from Ferrell, and recently got $100 “low usage” fees. Great way to promote energy conservation, don’t you think? Makes me glad I own my tank…
We really are in a heap o’ trouble.
bmc
August 7th, 2008 at 9:51 am
I don’t understand why American Express is so proud of this feature either – a stupid chip and antenna? How hard is it just to swipe card… are Americans so lazy now they can’t even do that? I came across your post when I was researching something for my site. Wow, sounds like a lot more people than I thought are ticked off about these mandatory RFID chips the credit card companies are issuing us.
I saw another comment told how to deactivate with a hammer – good idea I’m going to do that on my own stupid Blue card.
August 31st, 2008 at 10:31 am
Amex is just trying to use the latest technology as a gimmick… I’ve had the blue card for a long time, and my old one had a chip for a smart card reader! ha… That’s the direction I think RFID will ultimately go also… nowhere. It requires money (new machinery and training) to become operational, and it is attempting to make something that is already incredibly easy, easier.
June 8th, 2010 at 6:08 am
Hello!
I am a computer engineer and just want to add to the issue of RFID. Before we graduated, we had to invent a machine, our own invention; one of my classmates was using an RFID chip for their project. For the few months that they used it, it functioned well, but months passed and we had to submit the complete machine or device. The RFID got lost, it didn’t work, and then we suddenly realized that every time an RFID is in use, it will be damaged… or shall we say the hardware or chip will be destroyed.