Fun with Paywave

I received a new debit card from my bank recently. It had this little WiFi symbol turned on its side. I read through the included letter. It didn’t mention anything about what this symbol represented, but I assumed it was something wireless or RFID. Turns out, it’s Visa Paywave. Having a remotely readable RFID card in my pocket isn’t what I wanted, but the bank assured me everything was ok with it. I’m sure they haven’t paid attention to the thousands of long-range RFID hacks available. RFIDIOt is one such place to get components to explore our RFID-laden world. Rather than simply panic and ask for a card without Paywave, I decided to see how often I run into problems in the real world.

It turns out, I ran into RFID transactions frequently. At one station, while paying for gas, as soon as I hit the “Pay outside” button, I’m prompted for my PIN code. But I haven’t even taken the card out of my wallet yet; it’s still in my back pocket. At the doctor’s office, my card was denied for too many failed PIN attempts (which then caused the bank to require I get a new PIN mailed to me in 10 business days). I never took my card out of the wallet in my back pocket, nor was I even at the point where I was asked to enter my PIN. Once at the doctor’s office, it went through just fine, no PIN, no nothing, just showed up as a credit transaction in my bank statement.

I then had a second episode where I tried to use my card in a cash machine to withdraw some money, but the machine ate the card for failed PIN attempts. I put my PIN in once, and it was wrong because the key stuck. But the bank insists I have past failed PIN attempts so the cumulative effect is the bank cash machine eats the card to avoid fraud. This time, the bank manager took pity on me and let me reset my PIN right there on a terminal, rather than make me wait 10 days for their automated mailing. Fun times.

In the end, after a month with the card, two PIN resets, and automatic payment from my back pocket, I asked the bank for a card without Paywave. They sent it overnight. I microwaved the old card with Paywave and cut it up. Zero Liability Policies don’t help if you can’t use the card, plus read the fine print very carefully to see what it actually covers. I fired an RFID reader at the new card and nothing returned, so it seems I’m Paywave-free for now.

Also blogged at wiki.lewman.is.
