A warning spreading on social media claims that criminals can make unauthorized payments by pressing a contactless POS terminal against the pockets of unwitting victims that contain a contactless bank card.
In countries like the UK, contactless debit cards have become extremely popular and allow customers to make payments just by tapping their card onto a payment terminal without having to enter a PIN. Contactless payments only work if the amount of the transaction is below a certain threshold (e.g. £30 in the UK.)
The warning claims that criminals only need to enter the desired amount into the contactless terminal and can simply press the terminal against the pockets of unaware victims until it detects a contactless bank card and authorises a payment.
An example of this rumour can be seen below –
So this guy was spotted wandering round with a Point of Sale (POS) device. All he has to do is key in a price less than £30 and then touch the device on the pocket that contains you wallet. Ching! You’ve just been charged automatically on your touch pay enabled credit/debit card…. We’ve just tried this in my local pub with their POS device and it worked… (I’ve actually shown people this using the NFC function on my mobile to read their card data through their wallet to freak them out but this is the first time I’ve seen someone doing it for real). Time to invest in a screened wallet I guess…
Is it possible?
Despite the warning, this type of crime would be extremely difficult to commit, making it extremely unlikely that any one person would become victim to it. The warning fails to mention many of the limitations such a crime would have.
Firstly, such contactless POS terminals only work in the immediate vicinity of their respective base unit (which would need to be plugged into a phone line.) The terminal communicates with the base unit through either WiFi or Bluetooth to authorise a payment. If the terminal strayed too far away from the base unit (more than a few tens of metres) then the terminal would not work since it would not be able to authorise a payment.
Secondly, to obtain and use a POS terminal capable of taking debit or credit payments, the person using the machine would need a “merchant ID” identification number. NatWest told us that any person who wishes to use a contactless terminal (or any type of device capable of taking payments from bank cards) needs to be a registered business in order to obtain the Merchant ID necessary to operate these devices. This would mean providing certain information about themselves to the payment company (e.g. VISA) including a credit check.
As such, these bank transfers inevitably provide a digital “paper” trail. Any suspicious payments could be tracked back to the account to which the money was sent to, and beyond. This means that any criminal committing this type of crime would need a method of transferring the money in a way that would make it essentially “disappear” to prevent the authorities tracing the money back to the criminal. This fact alone would mean that this type of crime would be far too sophisticated for the vast majority of opportunist thieves out there.
We have seen a small number of reports claiming that this type of crime has happened. One of those reports comes from SC Magazine who claims that one of their staff members was “apparently” the victim of this type of crime, having £20 stolen from his card after being “bumped into”. However it was not clear if the money stolen was through a contactless payment or if the criminal stole the card details wirelessly and made a payment at a later date.
The UK Cards Association have also claimed this type of crime has not been widely reported in the UK and we have not been able to find any country or area in which this has become a popular or trending method of robbing victims.
It is also worth noting that if it does happen to you, since this would be a fraudulent transaction and you would not be at fault, your bank would likely refund you the money stolen from you if this were to occur.
What about scanners that record the details of my card
This is a different question because studies have been conducted that claim scanning devices capable of penetrating the materials used in clothes and wallets could potentially read the encrypted information from the card and store it. To emphasize, these scanning devices do not take payments from the card. However the details it obtained from cards could potentially be used to make unauthorised payments if the criminals managed to decrypt the card information at a later date.
An investigation by Which? demonstrated that there are a number of scanning devices out there capable of reading the encrypted information from your contactless bank card chip when placed close enough to it.
Which? asserted that their investigation allowed them to make [what would have been] unauthorised payments from the contactless cards they “targeted”, despite claims from the payment companies like VISA and MasterCard that this should not be possible.
Despite the investigation by Which?, even these types of crimes are still very rare.
What can I do…
As we said, all of these crimes are extremely rare, but if you are concerned, most banks provide non-contactless bank cards, or you can buy any number of wallets or card holders online that claim to protect your card from being read in this manner.