Thursday, July 12, 2007

I've been turned Blue by American Express

I have the Blue by American Express credit card. If you look at the image, you can see the small RFID chip that lets you pay at certain places (7-11, gas stations) with a "wave of a hand".

RFID, or Radio Frequency IDentifier, is a technology that stores data on a chip and lets it be read remotely (up to 30 feet and more, with some self-powered chips) using a cheap RFID reader. The chips usually have a small antenna to boost the range of reception (see those metal curly lines?).
Originally they were designed for digital warehouse management (letting you keep track of your entire inventory and locate items with a wave of a reader). The US government is already adding these chips to American passports for authentication purposes.

And therein lies the problem: anyone can buy such a reader and read your chip from afar. Due to the chip's small size, encryption, if it exists at all, is limited.
That means someone can sit in a parking lot, read all my details off my card, replicate the chip and start celebrating on my account. Bad :(

Well, after reading several cautionary articles and posts (read some more about credit card vulnerabilities; also this and this make good points), I called American Express yesterday and asked for a chip-less card.

I spent 30-40 minutes on the phone explaining myself. After about 20 minutes, and several "put you on hold, talk to my supervisor" phrases, they "disconnected the service" - as if that helps. I spent the next 10 minutes trying to explain that the activity or inactivity of the service doesn't matter - my private info is on this chip and any kid can read it (as indeed some kids have already demonstrated - see the DefCon link below).
No go - they wouldn't replace my card. They only told me I can get a different card, with a different plan yadda yadda.
I'll definitely do something about this - either call them again (when I have more patience) or just scratch the chip off the card.

Recommendation: make sure your card doesn't have such a chip, and demand a replacement if it does. If you have an RFID chip that you don't want being read, keep it in a metal case (aluminum is great), as it blocks the reception.

Read some more RFID fun news here:

Update 3/19/08
Some people call me paranoid (others call me a Space Cowboy, but that's a whole different post) but now I feel justified in my paranoia. While this post was written in July 07, this video, out today from BoingBoing, clearly shows how you can get all the information you want off a Blue Amex, using an $8 reader bought on eBay.
That's right - your privacy is worth $8 to Amex.

If you can't see the flash, download the movie here.

Update 5/17/08
I've gone ahead and done it! It took 30 seconds, a screwdriver and a hammer. My card looks like this right now (pertinent data removed, of course):

Let's zoom in on the kill shot:

I am now blissfully RFID-less!


Anonymous said...

Try to expose the card to an atomic explosion, which will destroy the chip. Good places for this are the Mojave desert or Iran (coordinate with Olmert).

Antiplutocrat said...

Just use a hammer:

Traveling Tech Guy said...

Thanks for the link!
Truth to tell, I haven't done a thing yet. But between a hammer and a nuclear explosion (see first comment), I'm sure I'll find something. How about a nail file?

Anonymous said...

Did anybody look into this in any detail before panicking? The number from the chip is different to the number printed on the card. Can you use the chip's number on a website? I bet you can't. AMEX aren't stupid, maybe we should look elsewhere...

Traveling Tech Guy said...

The RFID contains not only that number you've mentioned, but some of your personal info.
I, for one, would not like my details to fall into the hands of a guy with an antenna :)