Manually Disabling Thai Bank Debit Card "Tap To Pay" Function "Security Flaw" or "Convenience"? Up To You...

[NotReallyHere]

I normally never pay for goods and services with my Thai bank debit card.  I only use the card at the ATM.  Recently, I wanted to purchase something but had forgotten to get sufficient cash first.  I told the cashier I wanted to use the debit card, expecting her to slide it into the reader and that I would then enter the card's PIN.  Instead she took my card, tapped it against the reader and handed it back to me.  The PIN entry was bypassed.  To me, this is a security flaw.  I don't need (and didn't ask for) the "convenience" of a "tap to pay" function on the card.  If your debit card has four curved "WiFi" symbol bars near the VISA logo, your card most likely has this function too.

 

I see the "tap to pay" function as a security flaw.  If I am incapacitated, say in a motorbike accident, whoever ends up with my wallet can "tap and pay" with my card to their heart's content.  Sure, I might be able to dispute the charges, but that could be a time consuming hassle that prevents access to my money at a time when I need it most.

 

My next step was to go to the bank to ask them to disable the "tap to pay" function.  They just smiled at me and told me it wasn't possible.  I then asked for a different debit card that didn't have the "tap to pay" function.  They stated all their cards have the "tap to pay" function built in.  I later confirmed this at the bank's web page.  The bank employee told me that if I wanted to turn off the "tap to pay" function, I would have to disable the entire point of sale payment system of the card, which was possible.  I could then only use the card at the ATM to withdraw cash.  The bank employee also informed me that my card had a default "tap and pay" payment limit of 500,000 THB!  That's quite some "limit"!  Again, I didn't ask for this "convenience"!

 

A little online research provided a very satisfactory solution.  Manually disabling the "tap to pay" function.  I'm not a tech guy, so please excuse the non-technical nature of this explanation.

 

The "tap to pay" function is made possible by an antenna that resides in the card.  It is connected to the chip at two points, creating a completed circuit.  In the past, the antenna was relatively small.  Disabling the antenna required severing the antenna fairly close to the chip.  Some old tutorials online (YouTube) showed people drilling little holes in their card.  Others melted the plastic and the antenna with a soldering iron.  I was able to disable my antenna with a small cut using regular household scissors.

 

The trick is finding the location of the antenna within the card.  Using my cellphone's flashlight function and lying my card flat on the phone against the light, I was able to see the shadow of the antenna through the card.  The antenna, which used to be a small loop near the chip, is now a large loop that runs near the outer edge of the entire card (at least that is the case with my card).  I made a small cut (approximately 1/8 inch) with regular household scissors into the short edge of the card farthest from the chip (the edge that disappears last when inserted into an ATM).  I confirmed with my phone's flashlight that I had cut deep enough to sever the antenna.

 

Later I tested the card at the local convenience store.  The "tap to pay" function, which I had used at the same store as a test 20 minutes prior, did not function anymore.  I was still able to make the purchase with the card using the "old fashioned" insert the debit card and enter the PIN method.  I also verified that the card still works at the ATM.

 

Problem solved...  I hope someone finds this useful.  Please only attempt if you are currently in a position to get a replacement card quickly, should you inadvertently disable the entire card.  In my case, I knew getting a new card was just a matter of going to the nearby local branch and paying a 200 or 400 THB card replacement fee.  Same day service.

[NanLaew]

A lot easier just to read the terms and conditions you agreed to when you accepted and started using your contactless payment card.

[phetphet]

Isn't there a small daily limit on "Tap to Pay"?

[NotReallyHere]

2 minutes ago, NanLaew said:

A lot easier just to read the terms and conditions you agreed to when you accepted and started using your contactless payment card.

Wrong.

 

The problem would still exist whether I read the agreement or not.  As I stated in my original post, there are no debit card options other than those that also have the "tap and pay" function.

[NotReallyHere]

10 minutes ago, phetphet said:

Isn't there a small daily limit on "Tap to Pay"?

I just double checked.  I remembered the limit incorrectly for my original post.  My bank has a 100,000 THB daily limit, not 500,000 THB.  Still too high in my opinion.

[Liverpool Lou]

57 minutes ago, NotReallyHere said:

I wanted to use the debit card, expecting her to slide it into the reader and that I would then enter the card's PIN.  Instead she took my card, tapped it against the reader and handed it back to me.  The PIN entry was bypassed.  To me, this is a security flaw. 

From Visa...

"No signature [PIN?] is required for most transactions under THB 1,500, for added convenience".

Looks like your B100,000 limit isn't a problem as over B1,500 verification would be necessary.

 

"Is using Tap to Pay with Visa secure for my customers?
Yes. Tap to Pay with Visa utilizes multiple layers of security to protect transactions, including cryptography and secure network processing. Customers also benefit from Zero Liability for all unauthorized purchases made with their Tap to Pay with Visa card or mobile device.

 

Edited June 27, 2022 by Liverpool Lou

[JoseThailand]

That was literally manual!

[Liverpool Lou]

1 hour ago, NotReallyHere said:

The bank employee also informed me that my card had a default "tap and pay" payment limit of 500,000 THB!  That's quite some "limit"!  Again, I didn't ask for this "convenience"!

You can alter your card's payment limits!

[CharlieH]

You can set your daily limit yourself and change it whenever you choose. (Kasikorn)

 

Also in the Uk as an example contactless will only work upto I think its £30 after that it has to be PIN.

 

The idea was SMALL amounts were quicker and easier(like buying a coffee etc).

AFAIK.

[NotReallyHere]

43 minutes ago, Liverpool Lou said:

From Visa...

"No signature [PIN?] is required for most transactions under THB 1,500, for added convenience".

Looks like your B100,000 limit isn't a problem as over B1,500 verification would be necessary.

 

"Is using Tap to Pay with Visa secure for my customers?
Yes. Tap to Pay with Visa utilizes multiple layers of security to protect transactions, including cryptography and secure network processing. Customers also benefit from Zero Liability for all unauthorized purchases made with their Tap to Pay with Visa card or mobile device.

 

I appreciate the information from VISA.

 

Still...  The THB100,000 is the daily limit, not necessarily the transaction limit.  Granted, THB 100,000 would be difficult to achieve with multiple 1,500THB transactions.  But the possibility still exists if the thief is dedicated.  Online it could happen quickly.  Buying Bitcoin or Gift Cards, maybe?

 

I don't trust the "Zero Liability".  The card is connected to a bank account.  It's not a credit card.  Who knows how long it takes to convince the bank or VISA that the transactions were unauthorized.  And in the mean time, I won't have any cash in my bank account.  If VISA has a true "Zero Liability" policy, then fraud would be through the roof.  People making false claims against their own card transactions.  I think the $50 liability seen on most credit cards is to decrease (somewhat) people committing fraud on their own cards.

[NotReallyHere]

47 minutes ago, Liverpool Lou said:

You can alter your card's payment limits!

Yes, but what I didn't like was that the bank automatically set the default at the highest amount (which I incorrectly remembered as 500K, actually 100K - not as dramatic).  20,000THB is my bank's lowest limit.

 

Also, can't alter the card payment limit online or through their app.  You have to go to an ATM.  Doable, but awkward, I thought initially.  In retrospect, I suspect it is supposed to be a security feature.  You possess the card and are on camera changing the limit.

[JackGats]

Tap to pay is not a security flaw. As far as I know the PIN gets asked every so often and it gets asked when the amount is no longer small.

 

By swiping your card it could get cloned. Swiping is what you should be suspicious of!

[gargamon]

28 minutes ago, JackGats said:

By swiping your card it could get cloned. Swiping is what you should be suspicious of!

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

[NotReallyHere]

59 minutes ago, CharlieH said:

You can set your daily limit yourself and change it whenever you choose. (Kasikorn)

 

Also in the Uk as an example contactless will only work upto I think its £30 after that it has to be PIN.

 

The idea was SMALL amounts were quicker and easier(like buying a coffee etc).

AFAIK.

My bank has five payment limit levels (0/20K/30K/50K/100K).  Changing the payment limit can only be done at an ATM (not online or through the bank app).  If I'm at the ATM, I'll just pull the cash I need.

 

I would prefer "0" limit with the "tap and pay" and 30K with all PIN verified transactions.  Getting that mix is only possible by disabling the "tap and pay" function manually.

 

I agree that contactless is quicker and easier, but I think for those times that I'm not carrying enough cash, entering a PIN is quick and easy enough.

 

In general, I'm bothered that the banks don't give customers an option of turning off contactless payments.  Surely, it is technologically possible.  Primarily, I'm concerned about the security.  Opportunity makes a thief.  I've had petty amounts stolen from me here.  Stealing a card for a few contactless payment transactions wouldn't be unthinkable.  It wouldn't be a huge loss for me, but a pain in the ass I can easily avoid with a little cut in the card.

 

I'm not normally a conspiracy theorist, but I suspect this is all an attempt to get us to slowly get used to the idea of using our phone for contactless payments.  The point of that would be to track us better so that we can be profiled and marketed to more effectively.  I don't want to be tracked or profiled any more than I already am.  That is one of the reasons I use cash for 95% of my transactions.

[NotReallyHere]

37 minutes ago, JackGats said:

Tap to pay is not a security flaw. As far as I know the PIN gets asked every so often and it gets asked when the amount is no longer small.

 

By swiping your card it could get cloned. Swiping is what you should be suspicious of!

You make a good point, however, I rarely use the debit card.  I use cash.  If I forget cash (which rarely happens) I use the debit card (at reputable establishments only).  I make frequent small cash withdrawals from ATMs which are EVERYWHERE.  I'm not bothered by the "inconvenience".  For someone with my usage profile, I think contactless payments pose a bigger threat for fraud than cloning.  I'm much more likely to have my card stolen than cloned.  I've been pick-pocketed twice in 4 years in SE Asia.  I don't think cloning happens here as often as it does in the West.  I may be wrong...

[NotReallyHere]

32 minutes ago, gargamon said:

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

This was a consideration of mine also.  I did, however, read somewhere that the new cards require much more proximity to be read by the scanner.  Also, there is encryption between the VISA card and the VISA card reader that cheap scanners can't crack.  I think cloning by passing by someone on the subway has become more difficult.  Either way, not a concern of mine anymore now that I've cut the card's antenna.

[JackGats]

5 hours ago, gargamon said:

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

I thought if you had 2 cards against one another no remote reading was possible. 

[The Hammer2021]

5 hours ago, gargamon said:

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

Nah. Tap to pay is normal in most countries and has led tona reduction in fraud due to merchant  controls

[Everyman]

I’ve been trying to get my tap to pay card to work but it doesn’t. Which bank is this? Where did you use it?

 

Also i dont know if you are from the UK but you need tap to pay there to pay for things 

[NotReallyHere]

7 hours ago, The Hammer2021 said:

Nah. Tap to pay is normal in most countries and has led tona reduction in fraud due to merchant  controls

"Tap to Pay" is basically cash.  There are no "merchant controls".  That is the point.  The merchant doesn't check ID.  The merchant doesn't require a PIN.  You can set a daily payment limit, but unless you have taken the effort to do this, the default is probably your bank's highest limit.  In my case, 100,000 THB.

 

Let's do an experiment.  Meet me at the mall with your card.  We'll give your card to a mototaxi guy I know.  He'll be wearing a floppy hat, sunglasses and COVID mask.  Basically, unidentifiable.  We'll tell him he can use your card to make as many purchases as he wants as long as they are under 1,500 THB each and only one purchase per store.  He has to come back with the card when the "merchant controls" kick in.  You don't have to worry about any consequences of our little experiment because according to another poster, VISA assures "Zero Liability" for fraudulent purchases made with "Tap to Pay".

 

And let's not kid ourselves.  We are all paying for the "Zero Liability" policy of VISA through higher fees and higher interest rates.  They are offsetting their losses with their fee structure.

[NotReallyHere]

7 hours ago, Everyman said:

I’ve been trying to get my tap to pay card to work but it doesn’t. Which bank is this? Where did you use it?

 

Also i dont know if you are from the UK but you need tap to pay there to pay for things 

Are you using a debit card issued by a Thai bank?  Does it have the VISA "tap to pay" logo?  You should be good to go.  If not, take it to the bank.

 

I used my Thai debit card at 7Eleven to test my antenna modification and prior to that at a "Western standard" mall in town.

 

I don't use my Thai bank debit card outside of Thailand.  In Europe or the US, I just do without items that have purchase conditions that I disagree with.  There is often a work around, even if it is sometimes cumbersome.  I'm not a convenience junkie.

[snairb]

i thought i knew everything about debit cards and banks

 

[treetops]

20 hours ago, CharlieH said:

Also in the Uk as an example contactless will only work upto I think its £30 after that it has to be PIN.

£100

 

5 hours ago, NotReallyHere said:

And let's not kid ourselves.  We are all paying for the "Zero Liability" policy of VISA through higher fees and higher interest rates.  They are offsetting their losses with their fee structure.

It's saving us money with the reduced level of fraud which we all end up paying for.

[NotReallyHere]

6 hours ago, treetops said:

It's saving us money with the reduced level of fraud which we all end up paying for.

I've read otherwise.  There is a phenomena called "first-party fraud".  Supposedly, it significantly dwarfs reported fraud.  An honest form of "first-party fraud" is when a cardholder makes a quick contactless payment, doesn't remember making it and refuses to pay.  A dishonest type "first-party fraud" is when a cardholder knowingly makes a contactless transaction and then refuses to pay, claiming they didn't make the transaction (but that their card was not lost or compromised).  The cardholder blames "technology" or "system error".  These transactions are not reported as "fraud" by the cardholders and do not appear in the fraud statistics.  These types of disputes are increasing as countries like the UK increase the contactless limit from 30 to 100 pounds and they supposedly dwarf reported fraud claims.  Had the cardholders been forced to slow down and enter a PIN, it would be much more difficult to dispute these charges.

 

Again, costs for these unpaid transactions are passed on to all VISA consumers, whether they use contactless or not.

Edited June 28, 2022 by NotReallyHere
typo

[digbeth]

even if you swipe or use the chip, some bank terminal and cards also don't require PIN or signature on small amount under 1,500 too

[kwonitoy]

 Register your card on Google Pay and leave your card at home if your worried about it's security.

I had my Visa credit card compromised in Canada, Visa called me at 2:00AM to check on a charge. The charge wasn't mine so the rep said the card is now dead, effective immediately. The charges were also reversed.

The card was compromised by using it for Internet payments, not by tapping it.

However she told me if I had the card registered for use with Google Pay I could still use my phone to pay for things with the same credit card number.

She also said that Google Pay's security is multitudes better than Visa's.

 

 

[treetops]

17 hours ago, NotReallyHere said:

I've read otherwise.

I don't know what you've read, but do you seriously think the banks would persevere with a system that increased fraud no matter who incurs the costs?

[NotReallyHere]

On 6/29/2022 at 2:32 PM, treetops said:

I don't know what you've read, but do you seriously think the banks would persevere with a system that increased fraud no matter who incurs the costs?

Absolutely.  Of course they would.  Banking is a business.  The bottom line matters, first and foremost.  Banks are not ethical entities.  There are plenty of examples of banks creating lending programs that were not in the best interest of the customers assuming the loans.  The banks didn't care.  They structured the loans so that they were covered.

 

Fraud risk is like credit risk.  As long as the risk is covered with fees and interest rates, it doesn't matter to the bank if they are losing money because someone steals or someone dies with a large credit balance but no estate to pay off the debt.  Ultimately, the loss is recouped with fees and interest payments.  Banks are like insurance companies.  They manage risk such that they always come out ahead.  Have banks and insurance companies failed?  Of course they have.  But usually due to unusual, unforeseen circumstances.  The banks are well aware people will commit fraud.  Actuaries calculate the risk and set the price.  Fees/interest, for banks, premiums for insurance companies.  As the risk changes, fees, interest rates, premiums, etc are adjusted.

 

But this is getting way off track of the purpose of this thread.  You may or may not be a fan of contactless payments.  If you aren't, I hope I've provided an easy workaround for the problem of not being able to turn off the function with the assistance of your bank.

[NotReallyHere]

On 6/29/2022 at 2:24 AM, kwonitoy said:

Register your card on Google Pay and leave your card at home if your worried about it's security.

I had my Visa credit card compromised in Canada, Visa called me at 2:00AM to check on a charge. The charge wasn't mine so the rep said the card is now dead, effective immediately. The charges were also reversed.

The card was compromised by using it for Internet payments, not by tapping it.

However she told me if I had the card registered for use with Google Pay I could still use my phone to pay for things with the same credit card number.

She also said that Google Pay's security is multitudes better than Visa's.

I realize it doesn't matter to some people, but I am very much averse to being tracked by Google, Apple, etc.

 

I think the fact that a person could still use their phone to pay after the card number is compromised shows the degree of confidence Google has that they have tracked the person successfully.

[kwonitoy]

6 hours ago, NotReallyHere said:

I realize it doesn't matter to some people, but I am very much averse to being tracked by Google, Apple, etc.

 

I think the fact that a person could still use their phone to pay after the card number is compromised shows the degree of confidence Google has that they have tracked the person successfully.

I don't know how you make the connection between using Google pay with my phone to be tracked by Google.

I don't really like the tracking by Google either, it's why I've got it turned off, along with most other features.

If you have a phone law enforcement can always find your location these days

Google pay is simply an electronic form of your credit card.

You don't like these options along with the tap and pay. So be it.

In Thailand you can get by with cash and I did for many years.

Now that I live in Canada cash is almost an extinct thing and I've always got my phone with me.