American Express Blue

Update: Embedded the BoingBoing TV segment on reading AmEx blue cards.


American Express decided to “automatically upgrade” my plebeian green card to an American Express Blue card.

Beyond giving me the “privilege” of paying AmEx a monthly exorbitant interest rate if I don’t pay the full balance, the card has an embedded RFID chip that is used to “wave and pay” at a bunch of locations.

Hell, AmEx is so proud of the RFID feature that the card is transparent such that the chip and antenna are clearly visible.

How incredibly stupid.

Why?

Because this is the exact same chip that can be read and decrypted with about $8 in hardware and some freely available software.

Without touching the card.

From a distance, even.

Better yet, AmEx embeds a bunch of personal information in the card.

Now I have to call American Express and demand a replacement non-RFID card. Others have done this and been stymied. Or, alternatively, I think I’ll just take a drill to this one and apply some rotational entropy to the RFID chip.

Sadly, I’ll have to renew my passport in the next couple of years and US passports now also embed equally insecure, RFID-accessible chunks of personal information.



20 Responses to “American Express Blue”

  1. Jacob Rus says:

    Speaking of cheap hardware for hacking RFIDs, Cory Doctorow’s new novel Little Brother is a fun read. An underground movement of teenagers have fun scrambling RFIDs to screw with an insanely overzealous Department of Homeland Security.

  2. Jim says:

    My bank has been putting RFID chips in the ATM/Debit cards for a couple of years now. It is annoying. I don’t think I’ve ever encountered a POS terminal that allowed just waving of the card either.

    They try to market this as a convenience for me, but it really isn’t. After I’ve taken my wallet out, and dug the card out, swiping vs. waving is not a significant difference.

  3. Amie says:

    You mean they do that to passports now? Ugh. I have to renew this year (plus grab new ones for the children and my husband) and that just kind of sucks.

  4. Steve Madsen says:

    You can whack it with a hammer and disable the chip.

  5. Ben Holt says:

    A second or so in a microwave oven should do nicely (I’d love to hear about the results of any experiments along those lines), or you could make an RFID-blocking wallet; definitely going to be making some passport cases like that…

  6. Clark Cox says:

    Passport, meet microwave. Microwave, meet passport.
    You two get to know each other 🙂

  7. John C. Randolph says:

    Close the AMEX account. It’s the only thing that they’ll pay attention to.

    -jcr

  8. Papa Joe says:

    …and if u do not pay the full amount on the card it will cost u about 30% in interest. and they say there r no more shylocks around!!

  9. Houman says:

    Do the rfid chips in your tires bother you as well? They became mandatory in 2004 as part of the Transportation Recall Enactment, Accountability and Documentation Act (TREAD).

  10. bbum says:

    Do the rfid chips in my tires contain my name, potentially my social security number, my address, and my credit card number?

    Didn’t think so. Vastly different risk. The AmEx Blue encodes enough information to be an identity theft risk.

  11. houman says:

    Very true. Don’t disagree with you on that. My only concern would be that the chips in the tires can be used for even more sinister uses. I just don’t like RFID altogether. And Amex should give the end user a choice as should every major bank that now throws the chips in all their ATM cards. RFID is evil.

  12. Jay Tuley says:

    This whole thing is actually a bit suspect, American Express has always claimed that your name is not on the RFID chip, and the number on the chip is an alternate number that is not on the card, and that number combined with a unique challenge response per transaction allows it to be secure enough not to require a signature (which is supposed to be the time saver). So if you don’t want the RFID they just disable the alternate account number, but I don’t know if American Express’s marketing is BSing about the account information or this guy is, however the POS terminal used in the video has been identified, and is not found on eBay, and costs a couple hundred dollars, so we know this guy is sensationalizing at least on that point, not that being harder to get is any more comforting if the full account info is actually on the chip.

    I think the hammer idea sounds like a good idea. In Missouri, I’ve probably had 6 opportunities in the last 3 years to use the RFID express pay, and because it requires them to hit an extra button somewhere to actually work, 4 of those times the merchants just made me swipe because they couldn’t figure out how to get it to work, one other time the manager came up and said that it had worked and was done, even though there wasn’t a receipt (and later I was never charged) and one of those times the person actually knew how to handle it on the register and it worked as advertised. All of those places are ones that I would not spend more than $25 and so they wouldn’t require a signature anyway, so it’s never been a time saver for me.

    I would be careful about drilling though, make sure that it’s small and non obvious and possibly not drilled all the way through, if your card looks modified in some way some merchants may think there is some kind of fraud going on and thus not accept your card. They tend to be a little bit more discriminating on American Express cards, I think maybe Amex is more aggressive on issuing chargebacks to the merchants.

  13. bbum says:

    I shall add a link to the boing boing tv video as it implied name and # were on the RFID chip…

    Thank you for the feedback, btw. Very much appreciated.

  14. Jay Tuley says:

    Just to be clear, I was referring to the guy in the video and his hacking as being suspect, not that I can truly verify either way, it’s just not how the technology is supposed to work for American Express cards, but it’s not like there is anything more than marketing QA about how the Amex RFID works, but then again there isn’t anything but a BoingBoingTV video of this hack too.

  15. bbum says:

    Good point; someone should ask Xeni and/or Hacker Dude for some clarification.

  16. bmacpiper says:

    I’ve had the Blue Cash card for about 18 months now, and can agree that the chip is a waste of time. Ironically, the only place that it easily works is at McDonald’s, and I rarely eat there.

    We use the card to generate cash back, and at the time, it was the best deal going. After an initial amount of spending each year, they paid 4% on groceries, prescriptions, and gas; and 1.5% on everything else. We use the card for literally everything, except we can’t figure out a way to pay our mortgage with it yet (they pay no cash back on cash advances, and there is no grace period on them). We pay the card off in full each month. Last year they paid us something like $1,800. Revenge is sweet.

    Anyway, about a month ago, I got a letter from AMEX, also describing an automatic “upgrade” to my blue cash card. The upgrade offered some trivial additional features (track your points online, etc.), and the most excellent feature upgrade of lowering our cash back percentages across the board. I’d have to go back and look at the letter, but it was now something like 1.5% on the groceries/gas/prescriptions, and 0.5% on everything else. Come to think of it, they might have even eliminated gas from the higher category, given the cost of gas lately.

    Needless to say, we are shopping for a new card. There is always someone willing to extend crazy bonus terms because most people don’t use the card like we do, and the card company makes out. And some of them now charge a “no balance carried fee” if you pay it off for too many months in a row. Gotta love it. Do the usury laws of the 1800s no longer exist?

    As a side note, I live on an island with no natural gas, so we all have propane tanks. Ferrell Gas is the absolute king of bogus fees and fleecing their lease customers. Two of my neighbors lease their tanks from Ferrell, and recently got $100 “low usage” fees. Great way to promote energy conservation, don’t you think? Makes me glad I own my tank…

    We really are in a heap o’ trouble.

    bmc

  17. Mike at Credit Card Message Board says:

    I don’t understand why American Express is so proud of this feature either – a stupid chip and antenna? How hard is it just to swipe a card… are Americans so lazy now they can’t even do that? I came across your post when I was researching something for my site. Wow sounds like a lot more people than I thought are ticked off about these mandatory RFID chips the credit card companies are issuing us.

    I saw another comment told how to deactivate with a hammer – good idea I’m going to do that on my own stupid Blue card.

  18. jojobeans says:

    Amex is just trying to use the latest technology as a gimmick… I’ve had the blue card for a long time, and my old one had a chip for a smart card reader! ha… That’s the direction I think RFID will ultimately go also… nowhere. It requires money (new machinery and training) to become operational, and it is attempting to make something that is already incredibly easy, easier.

  19. Chris says:

    Hello,

    Check out this new friendly website I came across. You can find it here:

    http://www.merchanthotline.com

    Thanks for reading.

  20. Amie N. E. says:

    Hello!

    I am a computer engineer and just want to add to the issue of RFID. Before we graduated, we had to invent a machine, our own invention, and one of my classmates was using an RFID chip for their project. For the few months that they used it, it functioned well, but months passed and we had to submit the complete machine or device. The RFID got lost, it didn’t work, and then we suddenly realized that every time an RFID is in use, it will be damaged... or shall we say the hardware or chip will be destroyed.
