The truth behind criminals using “tap and go” to steal from your bank card

signates

Expert Member
Joined
Dec 8, 2009
Messages
4,316
#22
Are you using the FNB app? On my FNB app (Android), I have to go to Payments->..........-> Tap n Pay, Select the account I want to use etc. Then only does a screen pop up with a countdown timer allowing me to Tap.
Yes.

Change your security mode in the app under FNB Pay.
 

LCBXX

Honorary Master
Joined
Apr 11, 2006
Messages
10,006
#23
What the article doesn't go into is that
a) People are already cloning cards or stealing details for 'card-not-present' transactions. What are they getting from the magnetic strip that they aren't from a tap-and-go approach?
b) They don't need to collude with a vendor, they simply need an NFC reader (included with some smartphones) to get your card details.

The CVV is there in plain sight, so while tapping someone's butt with the POS machine may not be a viable way to steal, simply tapping your phone with the card may be a quick way to steal the details. A quick visual inspection is all you need to get the CVV. It's no different than photographing the card or reading the magnetic strip.

I'd hazard a guess that this kind of fraud happens via shop or restaurant employees mostly.

I'm guessing either that wasn't worded correctly or they're ignorant. Most new cards are tap-and-go these days - are they suggesting card fraud has suddenly stopped? How can they tell that the tap-and-go approach hasn't been used to commit fraud through card cloning or card not present transactions?
By stating this you already went beyond the risk associated with tap-and-go into actual fraudulent card use.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
35,421
#24
By stating this you already went beyond the risk associated with tap-and-go into actual fraudulent card use.
Not following. The risk associated with tap-and-go is that it's way easier to read covertly than a magnetic strip. You don't need a POS terminal for one and you can do it on your mobile phone for another?
 

FaSMaN

Expert Member
Joined
Mar 24, 2010
Messages
1,426
#26
Buy some copper tape and take a piece of cardboard/paper roughly the size of the back of your wallet (where you store your notes). Cover the cardboard/paper with a thin single layer of copper tape and place it in the back of your wallet.

This is effective enough to stop RFID/NFC communication and will protect your NFC cards.
 

LCBXX

Honorary Master
Joined
Apr 11, 2006
Messages
10,006
#29
Not following. The risk associated with tap-and-go is that it's way easier to read covertly than a magnetic strip. You don't need a POS terminal for one and you can do it on your mobile phone for another?
Do you have an example of proof of concept of what can be read from a tap-and-go card using a device other than a PED?
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
63,782
#30
The problem with "tap and go" payments is:
3. For small transactions, you will not receive a notification.

Given the amount of fraud in our banking system, I can't understand how the banks have rolled this out to all new cards without giving customers the option to opt-out.
Get a real bank

 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
2,274
#35
“Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”
Errr maybe not in this market but there are plenty of countries in this world which still do swipe and you're done which this kind of information would be very valuable to.
 

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
11,341
#36
It is all electronic so what if the criminal gets all your details. Why can't the useless bank and police not just trace the transaction and lock the guy drawing the money from the ATM up. Money might be created out of thin air, but it doesn't disappear quite as easily.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
35,421
#37
Do you have an example of proof of concept of what can be read from a tap-and-go card using a device other than a PED?
I'm only going by this:

“Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”
I'm hoping that you would need an authorized PED machine to even do that, I'll test it later... maybe even a network connected device.
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
18,264
#39
I am still confused as to the true contextualised risk of tap-and-go. The whole charade seems like sensationalism.
The issue is that the banks have only assessed the risk of doing transactions directly from the card. A CVV is only 1000 iterations away once you know a person's card number. That isn't good security.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
35,421
#40
There's also this method:


Uses two Android phones - one at the victim / perp side and one at the terminal side. Basically it relays the card data to the terminal. Still not really feasible given that you need a registered dealer to work with.
 