The truth behind criminals using “tap and go” to steal from your bank card

Newsfeed

MyBroadband Newsfeed
Joined
Jun 28, 2017
Messages
5,967
#1

Earlier this year, a video was circulated between South Africans which demonstrated someone with an NFC-enabled POS terminal processing a payment off an unaware shopper.

In the video, the person with the terminal places it against the victim’s back pocket and successfully processes a payment using his NFC-enabled PayFast card.
 

Napalm2880

Expert Member
Joined
Mar 8, 2007
Messages
1,666
#5
The problem with "tap and go" payments is:
1. You don't always have to enter a PIN, making it an easy target for fraud.
2. It's well known that investigations into fraud are not effective - just look at the debit order system.
3. For small transactions, you will not receive a notification.

Given the amount of fraud in our banking system, I can't understand how the banks have rolled this out to all new cards without giving customers the option to opt-out.
 

LCBXX

Executive Member
Joined
Apr 11, 2006
Messages
9,706
#6
> The problem with "tap and go" payments is:
> 1. You don't always have to enter a PIN, making it an easy target for fraud.
> 2. It's well known that investigations into fraud are not effective - just look at the debit order system.
> 3. For small transactions, you will not receive a notification.
>
> Given the amount of fraud in our banking system, I can't understand how the banks have rolled this out to all new cards without giving customers the option to opt-out.

Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.
 

Honey Badger

Honorary Master
Joined
Apr 30, 2010
Messages
16,081
#8
> Was always afraid of this, will be checking to see how far away from the POS the card can work.

With my cards it has to be like less than a centimetre away. In fact I actually touch the terminal, to save time. And I use Tik & Trap at least once a day (lunch at work)
 

Kosmik

Honorary Master
Joined
Sep 21, 2007
Messages
17,594
#9
> Was always afraid of this, will be checking to see how far away from the POS the card can work.

It has to be very close. NFC works off the RF emitted by the device, not anything on the card. The card "reacts" and that is what is read by the device.
 

bwana

MyBroadband
Super Moderator
Joined
Feb 23, 2005
Messages
70,153
#11
Am I correct in assuming there is an added layer of security my iPhone offers by requiring the phone to be unlocked when using it instead of my card?
 

signates

Expert Member
Joined
Dec 8, 2009
Messages
3,973
#12
> Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.

That's assuming only South African-issued PED devices are used.

What's stopping criminals from using card machines issued outside of South Africa? Would foreign card machines even be able to work here? Do all local card machines have to be linked to a local merchant account?
 

phaktza

Executive Member
Joined
Jun 29, 2008
Messages
6,344
#13
> Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.

Exactly, if you get several reports on the same machine the banks know who to go after.
 

signates

Expert Member
Joined
Dec 8, 2009
Messages
3,973
#17
> Exactly, if you get several reports on the same machine the banks know who to go after.

Can you answer some of the questions in my previous post? Really not sure about it and while local banks have control over local merchant accounts and card machines, I'm not sure how it would work with machines and merchant accounts outside of SA being used in SA.

> That's assuming only South African-issued PED devices are used.
>
> What's stopping criminals from using card machines issued outside of South Africa? Would foreign card machines even be able to work here? Do all local card machines have to be linked to a local merchant account?
 

Sweevo

Honorary Master
Joined
Jul 18, 2008
Messages
33,490
#18
> Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.

> Attempting to read an NFC card’s data using an NFC-enabled device is also incredibly difficult, due to the strong encryption on the card’s chip.
> “Stealing card data by criminals is also not a viable option, as merely holding an NFC-enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions,” SABRIC stated.
> “Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”

What the article doesn't go into is that
a) People are already cloning cards or stealing details for 'card-not-present' transactions. What are they getting from the magnetic strip that they aren't from a tap-and-go approach?
b) They don't need to collude with a vendor, they simply need an NFC reader (included with some smartphones) to get your card details.

The CVV is there in plain sight, so while tapping someone's butt with the POS machine may not be a viable way to steal, simply tapping your phone with the card may be a quick way to steal the details. A quick visual inspection is all you need to get the CVV. It's no different than photographing the card or reading the magnetic strip.

I'd hazard a guess that this kind of fraud happens via shop or restaurant employees mostly.

> “Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where tap and go cards have been exploited.”

I'm guessing either that wasn't worded correctly or they're ignorant. Most new cards are tap-and-go these days - are they suggesting card fraud has suddenly stopped? How can they tell that the tap-and-go approach hasn't been used to commit fraud through card cloning or card not present transactions?
 

The_MAC

Expert Member
Joined
Oct 11, 2012
Messages
3,857
#20
> Not sure what you mean.
>
> I unlock my phone using my fingerprint and tap it to the machine.
>
> No further navigation needed.

Are you using the FNB app? On my FNB app (Android), I have to go to Payments->..........-> Tap n Pay, select the account I want to use etc. Only then does a screen pop up with a countdown timer allowing me to tap.
 