This week a tweet of mine about contactless card fraud went a little bit viral. The goal was to create discussion, which it most certainly did!
I was contacted by half a dozen journalists asking to interview me about the matter. Despite having a great face for radio, I declined on the basis that I work in information security, and suggested some folk in the industry who I knew would be much better than me at informing the public about this stuff.

However, I’ve had lots of messages from people (about 50% tin-foil-hat brigade and 50% calling me a conspiracy theorist or a liar), so here are my personal views expanded from 140 characters. (Not those of my employer blah blah.)

First up, for the record, the picture in that tweet is not one I took, as many people seem to think. I saw it in a Russian news story that was doing the rounds at work. I can’t find it published prior to that, so I presume that’s where the photo credit is due. Also, to the best of my knowledge, this was taken in Russia and not, as some newspapers are saying, on the London Underground.
The picture appears to show a person carrying a contactless EDC (Electronic Data Capture) or POS (Point Of Sale) card machine – the sort of thing you’d find in most shops. It lacks context and there is no proof that this person is committing any crime, but it is possible that the person could use this device fraudulently.
The method of the fraud would be to key in a sale below the contactless limit (in the UK that’s currently £30) and then touch the device to the wallet bulge in someone’s pocket, or to their handbag. If a contactless card is within range (a few centimetres), the machine can complete the transaction without any further input: below that limit no PIN is required, and the card never needs to be visible.
Once that has happened, the ‘electronic pickpocket’ could either take the money from that one transaction or (if much more sophisticated) use the reader to harvest card details for later, larger transactions. It is worth noting that the data a contactless card gives up over the air is limited (typically the card number and expiry date, not the three-digit security code printed on the back), which makes the second route harder than it sounds.
Most contactless card readers still need a fixed phone or broadband line, but some are now available with Wi-Fi or GPRS (mobile data) connections. With one of those, the fraud could happen almost anywhere.
So should you be worried?
No, not really. Relax. For a few good reasons.
The attack has been demonstrated under test conditions. In the wild, however, there have been very few reported cases of it actually happening. I cannot find firm evidence of a single event that definitely had this modus operandi; in each case I’ve been able to look at, it seems just as likely that the card was skimmed or cloned during a legitimate transaction.
The card issuers are also really hot on spotting fraud. These companies are very tech savvy and have been investing heavily for a long time in transactional analysis which spots fraud very quickly and also has the useful byproduct of giving banks a massive volume of useful analytical data on their customers’ behaviour. All those clever maths whizzes have to do something since it’s now considered passé to go straight from Oxbridge to investment banking.
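To make the “transactional analysis” point concrete, here is a small added example of my own (not any issuer’s real rules, and run over constructed sample data). The insight it encodes is that a pickpocket’s victims are all strangers to the terminal being used, so the signal lives at the merchant level rather than in any one cardholder’s history: one terminal taking several near-limit, no-PIN contactless payments from never-seen cards within a short window. The thresholds (80% of the £30 limit, a 30-minute window, three distinct new cards) are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The UK no-PIN limit quoted in the post (GBP). All thresholds below are
# illustrative assumptions, not any issuer's real rule set.
CONTACTLESS_LIMIT = 30.00
NEAR_LIMIT = 0.80            # "near the limit" means 80% of it or more
WINDOW = timedelta(minutes=30)
MIN_NEW_CARDS = 3            # distinct first-time cards in one window


@dataclass(frozen=True)
class Txn:
    card: str          # card token or last four digits; enough to group on
    when: datetime
    amount: float
    merchant: str      # acquirer's merchant/terminal identifier
    contactless: bool  # tap with no cardholder verification (no PIN)


def flag_suspect_terminals(txns):
    """Return {merchant: [txns]} for terminals that, inside WINDOW, took
    MIN_NEW_CARDS or more near-limit contactless payments from cards that
    had never paid at that merchant before."""
    seen = defaultdict(set)     # merchant -> cards with prior history there
    recent = defaultdict(list)  # merchant -> candidate txns still in WINDOW
    flagged = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.when):
        first_visit = t.card not in seen[t.merchant]
        seen[t.merchant].add(t.card)
        near_limit = NEAR_LIMIT * CONTACTLESS_LIMIT <= t.amount <= CONTACTLESS_LIMIT
        if not (t.contactless and first_visit and near_limit):
            continue
        bucket = recent[t.merchant]
        bucket.append(t)
        # Drop candidates that have fallen out of the sliding window.
        bucket[:] = [c for c in bucket if t.when - c.when <= WINDOW]
        if len({c.card for c in bucket}) >= MIN_NEW_CARDS:
            for c in bucket:
                if c not in flagged[t.merchant]:
                    flagged[t.merchant].append(c)
    return dict(flagged)


# Constructed sample data (not real transactions).
T0 = datetime(2016, 1, 14, 12, 0)
SAMPLE = [
    # Regulars at a cafe: small amounts, one of them a repeat visit.
    Txn("A1", T0 - timedelta(days=3), 2.80, "CAFE-01", True),
    Txn("A1", T0, 2.80, "CAFE-01", True),
    Txn("B2", T0 + timedelta(minutes=1), 4.10, "CAFE-01", True),
    # A shop with first-time customers: one chip-and-PIN, one small tap.
    Txn("C3", T0 + timedelta(minutes=2), 29.50, "SHOP-02", False),
    Txn("D4", T0 + timedelta(minutes=3), 12.00, "SHOP-02", True),
    # One terminal, four never-seen cards, all just under £30, in ten minutes.
    Txn("E5", T0 + timedelta(minutes=5), 29.99, "TERM-77", True),
    Txn("F6", T0 + timedelta(minutes=7), 28.50, "TERM-77", True),
    Txn("G7", T0 + timedelta(minutes=9), 29.00, "TERM-77", True),
    Txn("H8", T0 + timedelta(minutes=15), 27.00, "TERM-77", True),
]

if __name__ == "__main__":
    for merchant, hits in flag_suspect_terminals(SAMPLE).items():
        print(merchant, [(t.card, t.amount) for t in hits])
```

Only TERM-77 is flagged: the cafe’s customers are repeat visitors or well under the limit, and the shop’s first-time shoppers either used chip and PIN or paid a small amount. The obvious caveat is that a busy station kiosk also sees a stream of first-time cards, so a real system would baseline each merchant’s normal rate of new cards and its usual amount distribution before raising anything; this shows the shape of the rule, not a production detector.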
Importantly, you’re really well covered by your card issuer. The way their rules are set up is heavily in favour of the customer. They’ll refund you almost immediately and then put the onus on the vendor to prove that the transaction is valid. In the UK at least, you’re really well insured.
The payment card industry is also very good at layering controls along the payment chain: acquirers vet a business before giving it a merchant account, and everyone handling card data is held to the Data Security Standard (PCI DSS), audited, and required to recertify. It would be hard (but not impossible) for someone to set up a merchant account with the specific goal of fraud. Someone could steal a machine linked to a legitimate account, but laundering the proceeds would then need an extra step: getting the cash out of that supposedly innocent business’s account. The data trail for any such transaction would be very strong, with details such as the terminal’s identity and location available to the police, who could link that up with CCTV records when investigating the crime. The fraudster might get away with it once or twice, but making a living out of it would be onerous and high risk.
On top of all this, though, using this seemingly easy method would actually be tough to make work.
First up, those POS devices are pretty bulky, need to be held within a few centimetres of the card for a solid couple of seconds, and normally make a fairly recognisable ‘beep’ when the transaction completes. All the GPRS/Wi-Fi ones I can see also have built-in printers, which would make a noise and give the game away. All of these factors mean that if you’re in a crowd of people who are at least partially aware of their surroundings, this is likely to get called out.
Secondly, if you’ve got more than one contactless card within range, the reader detects the collision and the transaction fails rather than charging one card at random: ‘card clash’, as TfL like to call it.
But if you’re still worried, what can you do to reduce your risk?
The single best thing that you can do is check your transactions regularly. You probably have a mobile banking app; use it to check when you’ve a moment spare. If you spot anything suspicious, contact your card issuer. They’re on your side.
You could invest in a shielded wallet or card sleeve. However, tests have demonstrated that they’re not always that effective. You could also wrap all your cards in tin foil for the same effect. And while you’re at it, make yourself a lovely hat with the rest of the roll.
If you’re truly paranoid and absolutely must disable the contactless feature of your card, it’s also pretty easy to do. The RFID antenna runs in a loop around the edge of the card, a couple of millimetres in. If you cut a small notch in the edge of your card, about 5mm square, or trim a corner off, that should break the loop and stop it working. But that’s very extreme.

Apple Pay and similar mobile-device payment systems are not affected by this fraud: they require approval for each transaction, e.g. with your fingerprint or PIN, and the number they send to the terminal is a device-specific token rather than your real card number.
In summary, this picture is interesting as a discussion point but not good evidence of anything you need to be worried about. Contactless payment is a cool technology and the convenience is nice. Enjoy it. Relax. But check your transactions regularly.