The truth behind criminals using “tap and go” to steal from your bank card

The_Librarian

Another MyBB
Super Moderator
Joined
Nov 20, 2015
Messages
21,429
What is wrong with the old-fashioned way of sticking your card into a slot or sliding your card? :rolleyes:

Oh I get it, it is too much of a hassle to stick or slide, never mind wear and tear on the POS devices.
 

signates

Expert Member
Joined
Dec 8, 2009
Messages
4,986
Are you using the FNB app? On my FNB app (Android), I have to go to Payments->..........-> Tap n Pay, select the account I want to use, etc. Then only does a screen pop up with a countdown timer allowing me to tap.
Yes.

Change your security mode in the app under fnb pay.
 

LCBXX

Honorary Master
Joined
Apr 11, 2006
Messages
10,495
What the article doesn't go into is that
a) People are already cloning cards or stealing details for 'card-not-present' transactions. What are they getting from the magnetic strip that they aren't from a tap-and-go approach?
b) They don't need to collude with a vendor, they simply need an NFC reader (included with some smartphones) to get your card details.

The CVV is there in plain sight, so while tapping someone's butt with the POS machine may not be a viable way to steal, simply tapping your phone with the card may be a quick way to steal the details. A quick visual inspection is all you need to get the CVV. It's no different than photographing the card or reading the magnetic strip.

I'd hazard a guess that this kind of fraud happens via shop or restaurant employees mostly.

I'm guessing either that wasn't worded correctly or they're ignorant. Most new cards are tap-and-go these days - are they suggesting card fraud has suddenly stopped? How can they tell that the tap-and-go approach hasn't been used to commit fraud through card cloning or card not present transactions?
By stating this you already went beyond the risk associated with tap-and-go into actual fraudulent card use.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
38,473
By stating this you already went beyond the risk associated with tap-and-go into actual fraudulent card use.
Not following. The risk associated with tap-and-go is that it's way easier to read covertly than a magnetic strip. You don't need a POS terminal for one and you can do it on your mobile phone for another?
 

FaSMaN

Expert Member
Joined
Mar 24, 2010
Messages
1,500
Buy some copper tape and take a piece of cardboard/paper roughly the size of the back of your wallet (where you store your notes). Cover the cardboard/paper with a thin single layer of copper tape and place it in the back of your wallet.

This is effective enough to stop RFID/NFC communication and will protect your NFC cards.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,307
Am I correct in assuming there is an added layer of security my iPhone offers by requiring the phone to be unlocked when using it instead of my card?
Huh? iPhone doesn’t offer any payment system like this.
 

LCBXX

Honorary Master
Joined
Apr 11, 2006
Messages
10,495
Not following. The risk associated with tap-and-go is that it's way easier to read covertly than a magnetic strip. You don't need a POS terminal for one and you can do it on your mobile phone for another?
Do you have an example of proof of concept of what can be read from a tap-and-go card using a device other than a PED?
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
65,660
The problem with "tap and go" payments is:
3. For small transactions, you will not receive a notification.

Given the amount of fraud in our banking system, I can't understand how the banks have rolled this out to all new cards without giving customers the option to opt-out.
Get a real bank

 

Napalm2880

Expert Member
Joined
Mar 8, 2007
Messages
1,860
Surely the risk lies more with the Merchant who will be guilty of misusing the PED device? There is no way our Banks will tolerate PED abuse to commit NFC fraud.
The banks aren't the only guys issuing PEDs e.g. YOCO.
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
2,872
“Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”
Errr maybe not in this market but there are plenty of countries in this world which still do swipe and you're done which this kind of information would be very valuable to.
 

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
14,066
It is all electronic, so what if the criminal gets all your details? Why can't the useless bank and police just trace the transaction and lock the guy drawing the money from the ATM up? Money might be created out of thin air, but it doesn't disappear quite as easily.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
38,473
Do you have an example of proof of concept of what can be read from a tap-and-go card using a device other than a PED?
I'm only going by this:

“Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”
I'm hoping that you would need an authorized PED machine to even do that, I'll test it later... maybe even a network connected device.
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
20,722
I am still confused as to the true contextualised risk of tap-and-go. The whole charade seems like sensationalism.
The issue is that the banks have only assessed the risk of doing transactions directly from the card. A CVV is only 1000 iterations away once you know a person's card number. That isn't good security.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
38,473
There's also this method:


Uses two Android phones - one at the victim / perp side and one at the terminal side. Basically it relays the card data to the terminal. Still not really feasible given that you need a registered dealer to work with.
 