Fun with Paywave

I received a new debit card from my bank recently. It had this little WiFi symbol turned on its side. I read through the included letter. It didn't mention anything about what this symbol represented, but I assumed it was something wireless or RFID. Turns out, it's Visa Paywave. Having a remotely readable RFID card in my pocket isn't what I wanted, but the bank assured me everything was OK with it. I'm sure they haven't paid attention to the thousands of long-range RFID hacks available. RFIDIOt is one such place to get components to explore our RFID-laden world. Rather than simply panic and ask for a card without Paywave, I decided to see how often I would run into problems in the real world.

It turns out I ran into RFID transactions frequently. At one station, while paying for gas, as soon as I hit the "Pay outside" button, I was prompted for my PIN code. But I hadn't even taken the card out of my wallet yet; it was still in my back pocket. At the doctor's office, my card was denied for too many failed PIN attempts (which then caused the bank to require that I get a new PIN mailed to me in 10 business days). I never took my card out of the wallet in my back pocket, nor was I even at the point where I was asked to enter my PIN. Once at the doctor's office, it went through just fine, no PIN, no nothing; it just showed up as a credit transaction on my bank statement.

I then had a second episode where I tried to use my card in a cash machine to withdraw some money, but the machine ate the card for failed PIN attempts. I put my PIN in once, and it was wrong because a key stuck. But the bank insists I had past failed PIN attempts, so the cumulative effect is that the bank's cash machine eats the card to avoid fraud. This time, the bank manager took pity on me and let me reset my PIN right there on a terminal, rather than make me wait 10 days for their automated mailing. Fun times.

In the end, after a month with the card, two PIN resets, and automatic payments from my back pocket, I asked the bank for a card without Paywave. They sent it overnight. I microwaved the old card with Paywave and cut it up. Zero Liability Policies don't help if you can't use the card; plus, read the fine print very carefully to see what it actually covers. I fired an RFID reader at the new card and nothing returned, so it seems I'm Paywave-free for now.

Also blogged at wiki.lewman.is.