Robin Minto

Software development, security and miscellany

Disabling contactless payment cards, or preventing “card clash” with Oyster

I’ve been carrying an RFID-based Oyster card for years. It’s a fantastic way to use the transport network in London especially if you pay-as-you-go rather than using a seasonal travelcard. You just “touch in and out” and fares are deducted.

It’s no longer necessary to have to work out how many journeys you’re going to do to decide if you need a daily travelcard or not – the amount is automatically capped at the price of a daily travelcard, if you get to that point. “Auto top-up” means money is transferred from your bank to your card when you get below a certain threshold so you never have to visit a ticket office (especially given they’ve closed them all) or a machine. It’s amazing to think they’ve been around since 2003.

More recently it’s possible to pay for travel with a contactless payment card a.k.a. Visa PayWave or Mastercard Paypass. However, that leads to problems if, like most people, you carry more than one card in your wallet or purse – the Oyster system may not be able to read your Oyster card or worse, if your contactless payment card is compatible, it takes payment from the first card it can communicate with. If you have an Oyster seasonal travelcard, you don’t want to pay again for your journey by paying with credit card.

TFL have recently started promoting this phenomenon under the name “card clash”.

There’s even a pretty animation:

CardClashAnimation

I first noticed card clash in 2010 when I was issued a new credit card with contactless payment. It went straight in my wallet with my Oyster and other payment cards and the first time I tried to touch in by presenting my wallet (as I’ve always done with Oyster) – beeeep beeeep beeeep (computer says no).

It didn’t take me long to work out that the Oyster reader couldn’t distinguish between two RFID-enabled cards. I soon had a solution in the form of Barclaycard OnePulse – a combined Oyster and Visa card. Perfect!

OnePulseCard

I could now touch in and out without having to get my card out of my wallet again. But not for long…

I don’t know about you but I like to carry more than one credit card so if one is declined or faulty, I can still buy stuff. I had a card from Egg Banking for that purpose. To cut a long story, slightly shorter, Egg were bought by Barclaycard who then replaced my card with a new contactless payment enabled card. Oh dear, card clash again.

I wrote to Barclaycard to ask if they could issue a card without contactless functionality. Here’s the response I got:

All core Barclaycards now come with contactless functionality; this is part of ensuring our cardholders are ready for the cashless payment revolution. A small number of our credit cards do not have contactless yet but it is our intention these will have the functionality in due course. That means we are unable to issue you a non-contactless card.

Please be assured that contactless transactions are safe and acceptance is growing. It uses the same functionality as Chip and PIN making it safe, giving you the same level of security and as it doesn't leave your hand there is even less chance of fraud.

I trust the information is of assistance.

Should you have any further queries, do not hesitate to contact me again.

I was very frustrated by this – I was already ready for the “cashless payment revolution” with my OnePulse card! Now, I was back in the situation where I would have to take the right card out of my wallet – not the end of the world but certainly not the promised convenience either. Barclaycard’s answer is to carry two wallets – helpful!

I’m certainly not the only one who has issues with card clash. I’m not the only one to notice TFL’s campaign to warn travellers of the impending doom as contactless payment cards become more common.

CardClash

So what’s the solution? If your card company isn’t flexible about what type of cards they issue and you can’t change to one that is (I hear HSBC UK may still be issuing cards without contactless payment on request), another option is to disable the contactless payment functionality. Some people have taken to destroying the chip in the card by putting a nail through it, cutting it with a knife or zapping it. However, that also destroys the chip and PIN functionality which seems over the top. You can probably use the magnetic strip to pay with your card but presenting a card with holes in it to a shop assistant is likely to raise concerns.

RFID cards have an aerial which allows communication with the reader and supplies power to the chip via electromagnetic induction (the zapping technique above overloads the chip with a burst of energy by induction). This means we can disable RFID without disabling chip and PIN by breaking the aerial circuit, meaning no communication or induction.

The aerial layout varies. I dissected an old credit card to get an idea where the aerial was in my card (soaking in acetone causes the layers of the card to separate). Here you can see that the aerial runs across the top and centre of the card.

20140321_095853

There are some helpful x-rays on the interwebs now showing some alternate layouts.

CardXray

The aerial can be broken with a hole punch or soldering iron but I’ve found that making a small cut across the aerial is sufficient. It’s not necessary to cut all the way through the card – all that’s needed is to cut through to the layer containing the aerial. Start with a shallow cut and make it deeper if required. From the images above, a cut to the top of the card is likely to disable most cards.

20140307_095731

The central cut on this card wasn’t effective. The cut at the top was.

If you have an NFC-enabled smartphone, it’s possible to test the card to check that contactless is disabled. I’m using NFC TagInfo on a Samsung Galaxy Nexus. Here’s the card above before:

Screenshot_2014-03-07-09-32-26

and after the aerial is cut (the chip no longer registers):

Screenshot_2014-03-07-09-33-54

Job done! The card continues to work with chip and PIN but doesn’t interfere with Oyster.

Barclaycard have thrown another spanner in the works for me – OnePulse is being withdrawn. The solution seems to be to switch to contactless payments instead of Oyster. Here’s hoping that TFL can finish implementing contactless payments (promised “later in 2014”) before my OnePulse is withdrawn.

Disclaimer: if you’re using sharp knives, have a responsible adult present. If you damage yourself or your cards, don’t blame me!

Accurate time synchronisation using ntpd for Windows

Computers can be finickity about time but they’re often not very good at keeping it. My desktop computer, for instance, seems to lose time at a ridiculous rate. Computer hardware has included a variety of devices for measuring the passage of time from Programmable Interval Timers to High Precision Event Timers. Operating systems differ in the way that they use that hardware, perhaps counting ticks with the CPU or by delegating completely to a hardware device. This VMware PDF has some interesting detail.

However it’s done, it doesn’t always work. The hardware is affected by temperature and other environmental factors so we generally synchronise with a more reliable external time source, using NTP. Windows has NTP support built in, the W32Time service, but it only uses a single time server and isn’t intended for accurate time. From this post on high accuracy on the Microsoft Directory Services Team blog,

“W32time was created to assist computers to be equal to or less than five minutes (which is configurable) of each other for authentication purposes based off the Kerberos requirements”

They quote this knowledgebase article:

“We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:

  • Make the Kerberos version 5 authentication protocol work.
  • Provide loose sync time for client computers.”

So, plus or minus five minutes is good enough for Kerberos authentication within a Windows domain but it’s not good enough for me.

NTPD

I’ve been experimenting with the NTPD implementation of the NTP protocol for more accurate time. NTPD synchronises with multiple NTP servers but only synchronises when a majority agree. I’m using the Windows binaries from Meinberg. Meinberg also have a monitoring and configuration application, called NTP Time Server monitor, which is very useful.

The implementation is straightforward, so I won’t go into it in detail. Install the service. Install Monitor. Add some local time servers from pool.ntp.org to your config and away you go.

I do, however, want to describe an issue that we had with synchronisation on our servers. Wanting more accurate time for our application, we installed NTPD and immediately started getting clock drift. Without NTPD running, the clocks were quite stable but with it running, they would drift out by a number of seconds within a few minutes.

A quick Google led me to this FixUnix post and I read this quote from David:

“Do you have the Multi-Media timer option set? It was critical to getting
good stability with my systems”

The link was broken but I eventually found this page which describes the introduction of the –M flag to NTPD for Windows. This runs the MultiMedia timer continuously, instead of allowing it to be enabled occasionally by applications like Flash.

Cutting a long story slightly shorter, it turns out that the –M flag was causing the clock drift on our Windows servers. Removing that option from the command line means that our servers are now happily synchronising with an offset of less than 300ms from the time source.

Tardis

As I mentioned, my desktop computer is very inaccurate. NTPD can’t keep it in check so I’m trying a different approach – Tardis 2000. So far, so good. I’m not sure about the animated GIFs on the website though.

How many hops? Internet from far, far away.

IMG_20110917_123232

I was lucky enough to spend a week in the Seychelles this month. If your geography is anything like mine you won’t know that the Seychelles is “an island country spanning an archipelago of 115 islands in the Indian Ocean, some 1,500 kilometres (932 mi) east of mainland Africa, northeast of the island of Madagascar” – thank you Wikipedia.

In our connected world, the Internet even reaches into the Indian Ocean so I wasn’t deprived of email, BBC News, Facebook etc. but I did begin to wonder how such a small and remote island nation is wired up. It turns out that I was online via Cable and Wireless and a local ISP that they own called Atlas.

Being a geek I thought I’d run some tests, starting with SpeedTest. The result was download and upload speeds around 0.6Mbps and a latency of around 700ms. In the UK, the average broadband speed at the end of 2010 was 6.2Mbps and I would expect latency to be less than 50ms. Of course, I went to the Seychelles for the sunshine and not the Internet but I was interested in how things were working.

So, I ran a “trace route” to see how my packets would traverse the globe back to the BBC in Blighty. I thought the Beeb was an appropriate destination.

01102011_004019

Then I added some geographic information using MaxMind's GeoIP service and ip2location.com.

The result was this:

HopIP AddressHost NameRegion NameCountry NameISPLatitudeLongitude
1 10.10.10.1            
2 41.194.0.82   Pretoria South Africa Intelsat GlobalConnex Solutions -25.7069 28.2294
3 41.223.219.21     Seychelles Atlas Seychelles -4.5833 55.6667
4 41.223.219.13     Seychelles Atlas Seychelles -4.5833 55.6667
5 41.223.219.5     Seychelles Atlas Seychelles -4.5833 55.6667
6 203.99.139.250     Malaysia Measat Satellite Systems Sdn Bhd, Cyberjaya, Malay 2.5 112.5
7 121.123.132.1   Selangor Malaysia Maxis Communications Bhd 3.35 101.25
8 4.71.134.25 so-4-0-0.edge2.losangeles1.level3.net   United States Level 3 Communications 38.9048 -77.0354
9 4.69.144.62 vlan60.csw1.losangeles1.level3.net   United States Level 3 Communications 38.9048 -77.0354
10 4.69.137.37 ae-73-73.ebr3.losangeles1.level3.net   United States Level 3 Communications 38.9048 -77.0354
11 4.69.132.9 ae-3-3.ebr1.sanjose1.level3.net   United States Level 3 Communications 38.9048 -77.0354
12 4.69.135.186 ae-2-2.ebr2.newyork1.level3.net   United States Level 3 Communications 38.9048 -77.0354
13 4.69.148.34 ae-62-62.csw1.newyork1.level3.net   United States Level 3 Communications 38.9048 -77.0354
14 4.69.134.65 ae-61-61.ebr1.newyork1.level3.net   United States Level 3 Communications 38.9048 -77.0354
15 4.69.137.73 ae-43-43.ebr2.london1.level3.net   United States Level 3 Communications 38.9048 -77.0354
16 4.69.153.138 ae-58-223.csw2.london1.level3.net   United States Level 3 Communications 38.9048 -77.0354
17 4.69.139.100 ae-24-52.car3.london1.level3.net   United States Level 3 Communications 38.9048 -77.0354
18 195.50.90.190   London United Kingdom Level 3 Communications 51.5002 -0.1262
19 212.58.238.169   Tadworth, Surrey United Kingdom BBC 51.2833 -0.2333
20 212.58.239.58   London United Kingdom BBC 51.5002 -0.1262
21 212.58.251.44   Tadworth, Surrey United Kingdom BBC 51.2833 -0.2333
22 212.58.244.69 www.bbc.co.uk Tadworth, Surrey United Kingdom BBC 51.2833 -0.2333

What does that tell me? Well, I ignored the first hop on the local network and the second looks wrong as we jump to South Africa and back again. The first stop on our journey is Malaysia, 3958 miles away.

MSP130619habd3ff28e320700000g53di634b58d5ec

We then travel to the west coast of America, Los Angeles. Another 8288 miles.

MSP209619habc360b3abg0g0000322e7i1185717864

We wander around California. The latitude/longitude information isn’t that accurate so I’m basing this on the host name but we hop around LA and then to San Jose followed by New York. Only 2462 miles.

MSP15619habg6g8548fc9b00002a9i7gaf324f582g

We rattle around New York and then around London, 3470 miles across the pond.

MSP16819habgbc842f7750000045e0cea0hga1a972

Our final destination is Tadworth in Surrey, just outside of London.

That’s just over eighteen thousand miles (and back) in less than a second – not bad, I say.

p.s. don’t worry, I spent most of the time by the pool and not in front of a computer.

I’ve moved! (hosts and blog software)

I’ve just finished switching my blog from WordPress on TsoHost to BlogEngine.Net on Arvixe. I got an account with Arvixe following a recommendation from a colleague, who also switched from TsoHost.

The reasons for switching? Well, Arvixe allows me to use .NET 4 and SQL Server databases (which I wanted for an Umbraco CMS site that I’m now running) plus I got a promotional rate from Arvixe. Splendid.

Getting BlogEngine.NET up and running was easy but I did go back and forth trying to get the correct application settings for the server. I had a few HTTP 500 errors with nothing else to go on but experience. The Arvixe control panel is a little bit slow, which was frustrating.

The migration was fairly straightforward – I only had a couple of posts to transfer so I did them manually and then tweaked a little. I’d like to add some pictures to the blog theme – it’s a bit too clean at the moment.

Of course, hosts and blog engines and themes are a means to an end – I’m going to try and get some posts up too!