An Arduino to read my Credit card

I figured I could use my credit card (which has an RFID chip, I can read it with my phone) to identify me in a project.

I've got an RC522 module (like this one) and I'm using the MFRC522 library.

It works with both included tags.

It partially works with Mifare Ultralight stickers I had previously.

It's completely muted against my credit card.

Is there a tool that could help me figure out what hardware (using another frequency?) and software I could use to read my card?

Lot of potential for abuse with this one. Don’t know if you’ll get much help on that. If you want to use a regular RFID and not a credit card I’d be willing to help. But as long as we’re talking credit cards I’m going to stay far away from it. Even if you are being legitimate here, those answers could lead some newbie to how to steal your card info and that’s not something I want to be involved in.

I can read some of my credit card info with an app on my phone. In fact, anybody can read my card's info with their phone.

But I don't see it as an issue today (might have been in the past) since the RFID chip doesn't know your PIN, nor your name, nor the three digits at the back of your card. I really don't think you could do any evil with the information but I might be disproven.

Bianco: I can read some of my credit card info with an app on my phone. In fact, anybody can read my card's info with their phone.

But I don't see it as an issue today (might have been in the past) since the RFID chip doesn't know your PIN, nor your name, nor the three digits at the back of your card. I really don't think you could do any evil with the information but I might be disproven.

Don't care. Not getting involved with anything involving hobby electronics and credit cards due to potential for abuse.

Maybe you could call your credit card company and explain to them what you want to do and ask them what sort of RFID it is. My guess is that they will not tell you for exactly the same reason.

Bianco: I really don't think you could do any evil with the information but I might be disproven.

Well for sure the info must identify the card owner in some way, so depending on distance it could be used for identifying and tracking people without their consent.

Yeah, I want to be clear here. I'm not in any way insinuating that the OP is up to anything nefarious. I just think it would be way too easy for anyone to come along and put that same information to a nefarious use. I'm not so naive as to think that this info isn't already out there all over the web. I'm just thinking we shouldn't make it any easier to find. The last thing we need is some 13 year old script kiddie hacking credit cards.

Delta_G:
Don’t care. Not getting involved with anything involving hobby electronics and credit cards due to potential for abuse.

Please stop stepping in on the thread then. You’ve shared your point of view, there is no need to repeat it several times.

srnet:
Well for sure the info must identify the card owner in some way, so depending on distance it could be used for identifying and tracking people without their consent.

That’s a legitimate concern. The way I understand it, banks chose RFID frequencies which only allow very near field communication (as opposed to what you could use at a toll booth, for instance).

Whether it is with my phone or a shop, I have to press the card against the reader while my other RFID tags (with the Arduino or my phone) work a couple of centimeters away.

The way I understand it, banks chose RFID frequencies which only allow very near field communication (as opposed to what you could use at a toll booth, for instance).

You understand this wrong. No they do not change the frequency.

Bianco: I figured I could use my credit card (which has an RFID chip, I can read it with my phone) to identify me in a project.

What sort of information are you able to read? Human name? Credit card number?

The number (without the CVV). The holder used to be embedded in the information but hasn't been for years (remember a defcon or something from years ago where it already wasn't the case anymore). The carrier (Visa or Mastercard). Nothing else that I recall atm (card is back in my wallet downstairs).

I wanted to read the number or part of the number and compare it to mine. If equal, grant access. It doesn't need to be crazy secure (if someone emulates my card with a blank chip, that's not a big deal).

Grumpy_Mike: You understand this wrong. No they do not change the frequency.

You read this wrong. I didn't say change but chose (you know, the preterit form of choose).

RFID ranges from 125 kHz to 2,45 GHz.

Depending on the application (e.g. toll booth or badge identification) and constraints, you choose to operate in a certain frequency with a certain antenna.

I didn't say change but chose

Still no.

RFID ranges from 125 kHz to 2,45 GHz.

No, it doesn't range anywhere in this range. There are three bands: 125 to 135 kHz, 13.5 MHz, and 2.45 GHz. If the frequency is in any one of these bands a reader can actually read them; the exact frequency does not matter. The band is related to the type of card.

Depending on the application (e.g. toll booth or badge identification) and constraints, you choose to operate in a certain frequency with a certain antenna.

It is only the antenna that changes with the band. The rest of that sentence is rubbish. I used to design RFID readers for a living.

Bianco: ...I can read it with my phone...

Using what application? Something provided by your bank?

A generic app from the play store.

Grumpy_Mike> "Grumpy" doesn't cut it. Try being objective. I said credit card RFID chips are short distance. They are. How do they achieve that? (partly?) by using the right frequency for the application.

I am only grumpy when someone asks a question and then argues that the answer is not correct. You know little about RFID cards and most of what you do think you know is wrong. Last time: frequency is irrelevant, it is the design of the reader and the tags that is important and controls things like distances.

You can design a toll booth system at any frequency you like.

Bianco: A generic app from the play store.

What's the name of the app that you downloaded from the playstore?

Unfort, I wouldn't be able to test it with my credit card, as I drilled through whatever antenna wires I could find on my card - as I don't like the idea of remote features 'enabled' by default (without choice).

This one: https://play.google.com/store/apps/details?id=com.github.devnied.emvnfccard

But there are others.

My bank (as all the French ones I believe) gives you the choice of having an RFID enabled card or not. Alternatively (to drilling), you could zap the chip: there are many available tutorials on youtube.

Some of the source code... https://github.com/devnied/EMV-NFC-Paycard-Enrollment

Saw that. A bit too much for my liking (really not a coder) but since he gave his contact info, I discovered he lives in my area (how unlikely!) and sent him an email yesterday.

Still, something which I thought to be easy proves pretty difficult.

Bianco: Still, something which I thought to be easy proves pretty difficult.

The more you learn the more you realise the stuff you might want to be easy is not.

Those with experience often provide the best advice.

Hello,

The NFC tag built into your card follows the ISO 14444 standard. (Wikipedia: ISO/IEC 14443)

I do not have great knowledge of how these payments work exactly, but as far as I know, credit or debit cards do not store the CVV in the NFC chip in them and hence, it cannot be read. I used a few apps I found on the Play Store to see what I could read from my debit card and I found that the card stores the number of transactions it has made using NFC, the card number, the date that the card will expire on, and the card type, i.e., Debit/Credit/Prepaid. I could not find the issuing bank in the data I managed to read and I believe that the merchant's POS system will find that using the BIN.

Speaking about the potential for abuse, I don't think you can copy these cards and replay the data to make a payment, as the data stored on the card is slightly changed after every payment and communicates with the issuing bank for every payment along with the time it was last used and some type of key.

I recommend watching this video by great scott on NFC payments:

Additionally, I don’t think you can do much even if you collect the raw data on the card for the reasons I mentioned above. Apps like Samsung pay which allow you to make NFC payments with your phone probably have an agreement with your bank which is why not every card can be used with the app.

Again, I am not an expert and I may be wrong, so please do not consider what I said to be accurate.
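Added example, not part of any post in this thread and not code from the linked project: a simplified model of the two checks discussed above, namely comparing a static card number for access control and accepting a response only if it carries a fresh counter and a keyed MAC. The class names, the HMAC-SHA256 construction and the sample number are assumptions for illustration; this is not the real EMV cryptogram algorithm.

```python
import hashlib
import hmac
import os

STATIC_ID = "0000111122223333"  # constructed sample value, not real card data


class Card:
    """Toy card: holds a key that never leaves the chip and a transaction counter."""
    def __init__(self, key):
        self._key, self._counter = key, 0

    def respond(self, challenge):
        # Every response covers a new counter value and the reader's challenge.
        self._counter += 1
        msg = self._counter.to_bytes(2, "big") + challenge
        return self._counter, hmac.new(self._key, msg, hashlib.sha256).digest()


class Verifier:
    """Issuer side: knows the key and the highest counter already accepted."""
    def __init__(self, key):
        self._key, self._last_counter = key, 0

    def check(self, challenge, counter, tag):
        if counter <= self._last_counter:  # stale counter means a replayed response
            return False
        msg = counter.to_bytes(2, "big") + challenge
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._last_counter = counter
        return True


def static_check(presented_id):
    # A readable, unchanging number: any copy of it passes exactly like the card.
    return hmac.compare_digest(presented_id.encode(), STATIC_ID.encode())


def demo():
    key = os.urandom(16)
    card, issuer = Card(key), Verifier(key)
    challenge = os.urandom(8)
    counter, tag = card.respond(challenge)
    first = issuer.check(challenge, counter, tag)        # genuine response
    replay_same = issuer.check(challenge, counter, tag)  # captured and sent again
    replay_new = issuer.check(os.urandom(8), counter + 1, tag)  # old tag, new session
    return {"first": first, "replay_same": replay_same,
            "replay_new_challenge": replay_new, "copied_static_id": static_check(STATIC_ID)}
```

The static comparison accepts any copy of the number, which is why it only suits a project where a cloned tag "is not a big deal"; the counter-plus-MAC check rejects both replays because the captured tag matches neither a new counter nor a new challenge.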