The truth behind criminals using “tap and go” to steal from your bank card

Newsfeed

Earlier this year, a video was circulated between South Africans which demonstrated someone with an NFC-enabled POS terminal processing a payment off an unaware shopper.

In the video, the person with the terminal places it against the victim’s back pocket and successfully processes a payment using his NFC-enabled PayFast card.
 

Napalm2880

The problem with "tap and go" payments is:
1. You don't always have to enter a PIN, making it an easy target for fraud.
2. It's well known that investigations into fraud are not effective - just look at the debit order system.
3. For small transactions, you will not receive a notification.

Given the amount of fraud in our banking system, I can't understand how the banks have rolled this out to all new cards without giving customers the option to opt-out.
 

LCBXX

> The problem with "tap and go" payments is:
> 1. You don't always have to enter a PIN, making it an easy target for fraud.
> 2. It's well known that investigations into fraud are not effective - just look at the debit order system.
> 3. For small transactions, you will not receive a notification.
>
> Given the amount of fraud in our banking system, I can't understand how the banks have rolled this out to all new cards without giving customers the option to opt-out.

Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.
 

ArmatageShanks

Was always afraid of this, will be checking to see how far away from the POS the card can work.
 

The_Ogre

> Was always afraid of this, will be checking to see how far away from the POS the card can work.

With my cards it has to be like less than a centimetre away. In fact I actually touch the terminal, to save time. And I use Tik & Trap at least once a day (lunch at work)
 

Kosmik

> Was always afraid of this, will be checking to see how far away from the POS the card can work.

It has to be very close. NFC works off the RF emitted by the device, not anything on the card. The card "reacts" and that is what is read by the device.
 

bwana

Am I correct in assuming there is an added layer of security my iPhone offers by requiring the phone to be unlocked when using it instead of my card?
 

AchmatK

> Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.

That's assuming only South African issued PED devices are used.

What's stopping criminals from using card machines issued outside of South Africa? Would foreign card machines even be able to work here? Do all local card machines have to be linked to a local merchant account?
 

SmartKit

> Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.

Exactly, if you get several reports on the same machine the banks know who to go after.
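
The check described in the post above (several disputes pointing at one machine), sketched as an added example; it is not part of the thread or any bank's code. The record layout, terminal IDs, card tokens, dates and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample dispute reports (not real data):
# (card token, terminal id, timestamp, PIN entered?)
DISPUTES = [
    ("card-A", "TERM-001", "2019-03-01T12:05", False),
    ("card-B", "TERM-001", "2019-03-01T12:40", False),
    ("card-C", "TERM-001", "2019-03-02T09:10", False),
    ("card-A", "TERM-001", "2019-03-02T09:30", False),  # same card disputing again
    ("card-D", "TERM-002", "2019-03-01T18:00", False),
    ("card-E", "TERM-002", "2019-03-20T18:00", False),  # too far apart to cluster
    ("card-F", "TERM-003", "2019-03-05T10:00", True),   # PIN-verified, ignored
]

def flag_terminals(disputes, min_cards=3, window=timedelta(days=7)):
    """Return {terminal_id: sorted card tokens} for terminals where at least
    `min_cards` distinct cards disputed a no-PIN tap within `window`."""
    by_terminal = defaultdict(list)
    for card, terminal, ts, pin_entered in disputes:
        if pin_entered:
            continue  # only taps that needed no PIN are of interest here
        by_terminal[terminal].append((datetime.fromisoformat(ts), card))

    flagged = {}
    for terminal, events in by_terminal.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)  # card -> disputes inside the current window
        for when, card in events:
            in_window[card] += 1
            # Drop disputes that have fallen out of the sliding time window.
            while when - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            # Count distinct cards, so one cardholder complaining repeatedly
            # does not flag a terminal on their own.
            if len(in_window) >= min_cards:
                flagged[terminal] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    print(flag_terminals(DISPUTES))
```
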
 

AchmatK

> Am I correct in assuming there is an added layer of security my iphone offers by requiring the phone to be unlocked when using it instead of my card?

Yes. My FNB tap and go only works if the phone is unlocked.
 

AchmatK

> Exactly, if you get several reports on the same machine the banks know who to go after.

Can you answer some of the questions in my previous post? Really not sure about it and while local banks have control over local merchant accounts and card machines, I'm not sure how it would work with machines and merchant accounts outside of SA being used in SA.

> That's assuming only South African issued PED devices are used.
>
> What's stopping criminals from using card machines issued outside of South Africa? Would foreign card machines even be able to work here? Do all local card machines have to be linked to a local merchant account?
 

das Toktokken

> Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.

> Attempting to read an NFC card’s data using an NFC-enabled device is also incredibly difficult, due to the strong encryption on the card’s chip.
> “Stealing card data by criminals is also not a viable option, as merely holding an NFC-enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions,” SABRIC stated.
> “Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”

What the article doesn't go into is that
a) People are already cloning cards or stealing details for 'card-not-present' transactions. What are they getting from the magnetic strip that they aren't from a tap-and-go approach?
b) They don't need to collude with a vendor, they simply need an NFC reader (included with some smartphones) to get your card details.

The CVV is there in plain sight, so while tapping someone's butt with the POS machine may not be a viable way to steal, simply tapping your phone with the card may be a quick way to steal the details. A quick visual inspection is all you need to get the CVV. It's no different than photographing the card or reading the magnetic strip.

I'd hazard a guess that this kind of fraud happens via shop or restaurant employees mostly.

> “Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where tap and go cards have been exploited.”

I'm guessing either that wasn't worded correctly or they're ignorant. Most new cards are tap-and-go these days - are they suggesting card fraud has suddenly stopped? How can they tell that the tap-and-go approach hasn't been used to commit fraud through card cloning or card not present transactions?
 

AchmatK

> and feels like you have to navigate through 20 menu items to get to the final "pay" screen...

Not sure what you mean.

I unlock my phone using my fingerprint and tap it to the machine.

No further navigation needed.
 

The_MAC

> Not sure what you mean.
>
> I unlock my phone using my fingerprint and tap it to the machine.
>
> No further navigation needed.

Are you using the FNB app? On my FNB app (Android), I have to go to Payments->..........-> Tap n Pay, select the account I want to use etc. Then only does a screen pop up with a countdown timer allowing me to Tap.
 