A Facebook post has gone viral, after a man, Paul Jarvis, saw a thief scamming people out of their money in a tech-savvy manner.
He was putting through payments of less than £30 in a wireless card reader and touching it on wallets of unsuspecting people.
Mr. Jarvis took a picture and posted it on Facebook, writing: “So this guy was spotted wandering round with a Point of Sale (POS) device. All he has to do is key in a price less than £30 and then touch the device on the pocket that contains your wallet.
“Ching! You’ve just been charged automatically on your touch pay enabled credit/debit card…. We just tried this in my local pub with their POS device and it worked…
“(I’ve actually shown people this using the NFC function on my mobile to read their card data through their wallet to freak them out but this is the first time I’ve seen someone doing it for real). Time to invest in a screened wallet I guess…”
And it’s true – some card readers can scan through wallets.
Contactless cards are now wildly popular, and used in one in seven sales.
While much of this increase came from the introduction of contactless fares on the Transport for London network in late 2014, Visa Europe said the technology had already spread far beyond the capital’s buses and trains.
“Sixty percent of contactless transactions now take place outside the M25, confirming this isn’t just a London phenomenon. At this rate, cash will be seen as a peculiar way of paying for things in as little as five years’ time,” said Kevin Jenkins, UK and Ireland managing director.
In numbers: contactless payments
Year Barclays introduced the first contactless cards
Contactless cards in circulation in the UK
Spending limit per transaction (it was raised from £20 in September 2015)
1 in 3
Proportion of card transactions made using contactless payment in London in 2014
Average amount spent in each contactless transaction by the end of 2014
Cashless payments overtook notes and coins last year, according to the Payments Council. While it took plastic cards 49 years from the first Barclaycard to become the dominant payment method, contactless technology has grown rapidly since the first UK transactions in 2007.
There have been security worries with contactless cards in the past.
The “tap and go” cards, which can be used for purchases under £30 without the need to enter a four-digit PIN or signature, do not require automatic authorisation from banks.
Purchases therefore may not appear on a customer’s account for some time after a card has been reported lost or stolen, leaving thieves free to keep using them at will.
The onus is then on the customer to check their statements and report any subsequent fraudulent activity to their bank in order to apply for a refund.
RBS and NatWest admitted that “in theory a small number of contactless transactions could be made before the card is blocked.”
Barclaycard said: “When a customer reports a card lost or stolen, a block is applied to the card preventing all further activity. However, some contactless transactions are processed offline so may not appear on a customer’s account until after the block has been applied.”
“We offer a 100% fraud guarantee for anyone who is a victim of contactless fraud.”
The article below appeared on infoworld.com, written by Roger A. Grimes — Columnist. RFID Cloaked don’t agree; we have seen examples of cloning and scanning attacks and have duplicated a hacked RFID scanner to prove the concept works.
RFID contactless cards can be scanned, copied and cloned, and unauthorised payments made. Check out some of our other posts. Comments on the original article also disagree, and people have posted real-life examples of contactless payment fraud.
You don’t need a tinfoil hat, either. Opportunists have exploited consumer fears to create an industry that doesn’t need to exist.
Because I’m a computer security guy, I have friends who like to show off their new RFID-blocking wallets and purses. “Look what I got for Christmas!” they say. My lack of response should be telling, but they don’t seem to pick up on it.
They’ve seen the TV ads about malicious hackers who can “stand on any street corner” and wirelessly steal their credit card and other identity information. I’ve seen similar demonstrations at Black Hat and other computer security conferences for nearly a decade now. They never fail to wow the audience.
An entire, multi-billion-dollar RFID-blocking industry has emerged. You can get RFID blocking for almost any object you own. Some of my friends have so much faith in RFID-blocking products that they buy expensive, customized purses and wallets. These are the same people who drive extra miles to save a few cents on gas.
It goes to show that humans don’t evaluate risk very well.
The RFID fallacy
RFID technologies have been around for a long time, and they’re now included in more and more items. Yes, your RFID products can possibly be read from a distance. Yes, a hacker might be able to read your credit card information remotely as you pass by. But before you buy an RFID-blocking product, ask yourself if you’re worrying about the right things.
First and foremost, does your credit card actually have an RFID transmitter? The vast majority does not. Have you ever been told you can hold up your credit card to a wireless payment terminal, and without inserting your card, pay for something? For most of my friends, and the world in general, the answer is no.
Most RFID-enabled credit cards are heavily marketed as capable of being used wirelessly. They have names that imply wireless payment: PayPass, Blink, PayWave, Express Pay, and so on. Usually they bear a little RFID/contactless payment logo.
Hint: The new little golden metallic square on your new credit card does not indicate RFID. Also, many new contactless payment cards will have chip-and-PIN protection — or will use the chip to securely protect even RFID communications.
If you look at the number of credit cards with RFID, you can’t even represent it statistically. It’s not 0 percent, but it’s so far below 1 percent that it might as well be 0 percent. Part of the problem is that every major credit card vendor came out with its own version, so vendors and merchants had to physically support the same standards. Most people don’t want to have to figure out which vendors support which wireless cards and go get that specific card type.
On top of that, most of the world is going to wireless payments using your mobile device. Apple Pay had more users and adopters in its first day in the market than all active users of RFID credit card products combined. Apple Pay works with every credit card you have, as long as your vendor supports Apple Pay. Did I mention that Apple Pay is far more secure in almost every way?
RFID cards are coming with chip-and-PIN protections, and the lessons learned from Apple Pay (and other mobile phone wireless payment solutions) are migrating to credit cards. The days when a bad guy can sit on a corner and sniff your credit card information out of thin air are numbered.
Entertainment for the paranoid
But did that bad guy ever sit on the corner in the first place? Sure, I’ve seen the demos, but I’ve yet to hear of one criminal who was caught using an RFID sniffer or who admitted to stealing credit card info wirelessly. We know about all sorts of cyber crime. Why not the theft of RFID credit card information if the risk is so high?
Here’s why: It would be a lousy use of a criminal mastermind’s time. Today’s smart criminals break into websites and steal hundreds of thousands to tens of millions of credit cards at a time. Why would a criminal go to the effort and expense of stealing credit card info one card at a time when you can steal a million in one shot?
If a criminal wants a credit card or even your specific credit card, he or she can buy it for a few bucks from several places on the Internet. In fact, it’s significantly cheaper than buying all the necessary RFID attack equipment and sitting in a public square (which is likely to have one or more security cameras trained on it these days).
Still worried? If you actually have an RFID-enabled credit card, it turns out aluminum foil does the same job, if not better, than an expensive RFID-blocking sleeve. I know I’m going to get email from RFID-blocking vendors saying their products protect better than aluminum foil. No doubt that’s true in some cases.
But if you’re worried about that, you should also be wrapping your car keys in aluminum foil. Now we’re in the paranoid zone. I’ve heard from readers who have — I’m not making this up — removed every electronic product in their house due to hacking fears. They’ve sold their new cars with embedded computers and gone back to older models without any. I can’t tell if I’m dealing with regular paranoid people or true paranoid schizophrenics.
If you have a credit card, there’s a huge risk it will be hacked, but not by a guy sitting on a corner sniffing for your card as you walk by. The former is a fact of life. In the latter case, you might have a better chance of winning the lottery.
I think the author is clueless. My husband and I had all of our debit card numbers stolen while shopping together. He rarely carries his wallet as I always have my purse so it was easy to figure out exactly what location we were at when we got “scanned.” All our debit cards except one credit card (already had smart chip technology) were stolen. Of course now all of our debit cards have smart chips so this is “supposedly” a moot point. But 4 years ago I was first in line for a protective wallet after getting tired of tinfoil. Never had another issue but was super careful about even taking a card out to slide and pay. I don’t see it taking that long before they figure out how to get around the chip. Nothing is foolproof.
Sooner or later all cards will be contactless with RFID feature. In Europe this kind of card is more and more popular. Sometimes people like it and sometimes hate. Our answer to this article is “Better safe than sorry”. John Smith
Nice how the author has zero response to any of these comments!! Someone is wrong here and he won’t even debate or defend this article.
American Express notified me that someone tried to charge a $404.00 meal in Las Vegas. They denied it and cancelled my card. I had been to a shopping mall but had not used my card. Only used my card at CostCo.
Your card was probably cloned. Happens all the time. You probably inserted your card into a reader with a skimmer. If that isn’t the case then someone randomly got your card’s 16 digits by chance. They recycle the numbers because they have all been used by now.
Lots and lots of cards in Canada are RFID enabled. Once my wife’s card was read from more than a foot away by a more powerful than usual card reader at a cashier’s counter. My inexpensive wallet, purchased at Costco, is RFID proof. After seeing my wife’s card read from some distance, I’m pleased to have my RFID proof wallet. And do we use the RFID feature? All the time!
Use a faraday bag for your phone when traveling, or in risky areas. Use them when you’re on the move if you feel like you’re being tracked. These used to be “paranoid” concerns but not so much these days. They offer a level of assurance that provides peace of mind. Yes, you can’t receive calls when the phone is inside the bag, but you’re only using the bag when you feel you may be at risk. Attending a large conference? Good time to use a faraday bag. Think about it people, all the data you possess is on that little device just begging to be taken. Make sure you don’t buy a tin foil piece of crap anti-static bag though, I’ve tried those and they don’t work. They’re marketed as “faraday bags” but they most certainly are not. Buy a dual paired seam forensic faraday bag and you will be safe.
Wow, you’re terribly misinformed. Your article is practically a joke. In Canada yes, most major credit cards DO in fact transmit. It’s never been more important to secure your cards in an RFID transmission blocking case than these days. Do some research before laying down a couple grand worth of useless words.
Just because I am paranoid, that does not mean that they are not after me!
Is this guy joking? Almost everyone in Canada has an RFID enabled card now… It’s the easiest way to pay for our Tim Hortons after all. Are the RFID blockers the only way to protect your credit card? Of course not. Is it a terrible idea to have one built in anyways? Again, of course not. It is difficult for me to agree any additional protection is meaningless. I also understand that the USA is significantly behind in payment security, I work with payment security equipment everyday, but here in Canada, contactless pay has become very popular.
I work in a small country town bag shop and we sell RFID protection in most of our wallets/purses etc. In the last 3 days I have had 2 customers whose money has been stolen in this way. One poor bloke had $2000 and the other nearly $300. I get customers all the time coming in BECAUSE their money has been stolen in this way. It is a small country town as well, not a city and it still happens all the time. Where is he getting his evidence from?
Haha is this guy for real? Security Adviser? If you hired this guy for your security, I’d be very worried.. 40 computer certifications and eight books and he’s giving this kind of advice?
That’s a pretty ignorant point of view; since 2008 it is possible to wirelessly do small payments without using a PIN. So a mobile device with an amount less than 25 euro/dollar/pound entered and a busy public transport system is all it takes.
Totally disagree with this article and it sounds like an editorial piece for the industry pushing this payment method. Personally anything to do with security of users banking accounts (access etc) should be secured with a PIN. Then if the user wishes to Opt in to Paywave or paypass etc then that should be their choice alone. The two vendors and the banks should be focused on the security of our funds and not half arsed implementations when all the required functionality, trust and user understanding for PINs exists already. It’s articles like this that get me going. We can of course agree to disagree, but as I can see from the other comments this article doesn’t get much in real world support.
You need to check your statistics mate, “If you look at the number of credit cards with RFID, you can’t even represent it statistically. It’s not 0 percent, but it’s so far below 1 percent that it might as well be 0 percent”
My debit card doesn’t have an RFID chip. It has the strip on the back. My card was read while out and $2000 was stolen out of my bank. The card was never out of my possession. It happened just hours after using it at Walmart.
Your card was likely cloned when you paid, not read by an RFID scanner…
The main reason that the secure chips on the credit cards were that the pay phones were being pried open by the immigrants in France to get any coins in the pay phones. These chips are so secure now the US Military IDs have these chips on them. What does that say for security? My new Mastercard has that chip and 99% of the places I shop don’t use the chip feature. Walmart is the only company I know that has their cash registers’ chip readers enabled. This secure chip is the wave of the future. Recently in Paris, France the parking spots were chip credit cards only, so finding a parking spot and paying for it is a lot more difficult without the credit card with the chip.
With such a low adoption level in the USA, it’s hardly surprising there won’t have been many reports of problems. That doesn’t mean that things can’t go wrong.
Here in the UK, it’s now very difficult to get a new bank card without contactless payment enabled. Many banks simply don’t do them and contactless readers are everywhere now. The UK Cards Association released statistics showing that in November 2015, there were 78.3 million contactless payment cards in circulation in the UK. That’s in a country with a population below 70 million. See http://www.theukcardsassociation.org.uk/contactless_contactless_statistics/
With such widespread use, there have been a number of problems. Accidental payments are reported to have taken place more than once at one of the UK’s leading retailers, Marks & Spencer (http://www.telegraph.co.uk/finance/personalfinance/10066187/Marks-and-Spencer-customer-fears-over-contactless-payments.html).
All my credit cards are wireless payment enabled, as the wireless payment won’t require the user to key in PIN or any identification secret, I’m sure the bad guys are able to steal your money by using a device functionally similar to the wireless payment terminal when you don’t have some kind of signal blocking wallet.
In theory they could do that, but the RFID payment system is generally limited to small transactions, and each transaction is a one-time challenge-response exchange where the card has to be present (you can’t just store the info and use it again later). So our theoretical thief would have to sit there making small transactions as people walked by. He’d be better off getting a job as a waiter and just taking a picture of every card he was handed.
Also, consumers don’t have to pay for fraudulent charges — the bank or merchant has to eat the cost. They’re the ones who stand to lose the most from theft, so if they’re issuing these cards, it clearly isn’t a concern for them.
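The one-time challenge-response exchange the comment above describes, as an added example that is not part of the original comment or article: a simplified model in which a card answers a terminal's challenge with a keyed MAC over the challenge, the amount and a per-tap counter, and the issuer refuses any stored response that is presented again. HMAC-SHA256 stands in for the real card cryptogram, and the `Card` and `Issuer` classes, field names, key and challenge values are all constructed for illustration.

```python
import hashlib
import hmac

def _mac(key, challenge, amount, counter):
    # HMAC-SHA256 truncated to 8 bytes stands in for the real card cryptogram (assumption).
    msg = challenge + amount.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Hypothetical contactless card: secret key shared with the issuer, plus a counter."""
    def __init__(self, key):
        self._key = key      # never leaves the chip
        self.counter = 0     # goes up by one on every tap

    def respond(self, challenge, amount):
        self.counter += 1
        return {"challenge": challenge, "amount": amount, "counter": self.counter,
                "mac": _mac(self._key, challenge, amount, self.counter)}

class Issuer:
    """Hypothetical issuer host that checks each response before paying out."""
    def __init__(self, key):
        self._key = key
        self.last_counter = 0

    def authorise(self, txn, terminal_challenge):
        expected = _mac(self._key, txn["challenge"], txn["amount"], txn["counter"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return "declined: bad cryptogram"
        if txn["challenge"] != terminal_challenge:
            return "declined: stale challenge"
        if txn["counter"] <= self.last_counter:
            return "declined: counter already used"
        self.last_counter = txn["counter"]
        return "approved"

def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    card, issuer = Card(key), Issuer(key)
    c1, c2 = b"\x01\x02\x03\x04", b"\xa1\xb2\xc3\xd4"        # constructed terminal challenges
    genuine = card.respond(c1, 450)                          # a 4.50 purchase, in pence
    return [
        issuer.authorise(genuine, c1),                       # the real tap
        issuer.authorise(genuine, c1),                       # same record submitted again
        issuer.authorise(genuine, c2),                       # stored record, new terminal challenge
        issuer.authorise(dict(genuine, amount=3000), c1),    # stored record, amount altered
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The model covers only stored or altered responses; a live reader held against the card, as in the Facebook post at the top of the page, is a genuine exchange and is bounded by the per-transaction limit instead.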
Maximum charge in the UK is £30, unskilled workers probably average £45 a day after tax so with just two swipes you’re up £15. Get 5-6 and you are close to not having to work for a week.
I don’t believe it’s going to be a really prevalent form of attack however I wouldn’t discount desperate people attempting it. I agree with you that the banks are pretty good at refunding fraudulent activity as I’ve had it happen myself (I suspect from a large database hack as I’m careful where I use it) and if it did become an epidemic of sorts they would soon do something about it.
I now really would like to know how far away one has to be in order to steal the card infos? Are we talking about meters or centimeters?
Here in Austria one could get away with 80 Euros, when using the card 4 times until we have to put in our PIN again.
You don’t want to tell me that it is enough to have a photo of a card with RFID in order for everyone using it for payments? This really would be scary!
Putting a Faraday cage around your smart phone would be far more effective. You could not make or receive phone calls until it was removed though. The RFID blocking products would probably not have gotten any kind of a foothold on the market if smart phone payment systems had been widely deployed first.