Using a tap-and-pay bank card is great – you place it on a payment terminal and can cover a bill without putting in a PIN or swiping it through.
This functionality is enabled using NFC – near-field communication – and is widely available across South Africa.
Concerned users have stated, however, that tap-and-pay bank cards open a security hole, as money could be taken from a card without the user’s consent.
This fear was stoked when a video started circulating in 2018 showing a South African having money “stolen” from their card using a card machine.
The South African Banking Risk Information Centre quickly stepped in to assure users that NFC-enabled bank cards are safe, and issued a statement on the matter.
“Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where tap-and-go cards have been exploited.”
SABRIC stated that stealing money by tapping a card machine near enough to a victim’s card is not likely – as the victim would notice it.
“Acquiring an NFC point-of-sale device involves a rigorous vetting process by the issuing bank, which includes the mandatory submission of Know Your Customer documentation,” added SABRIC.
This means that if you obtained a card machine and started stealing people’s money, you would be traced.
Tapping an NFC card on a terminal for high values also prompts the user to enter a PIN, and banks at times randomly prompt buyers to enter their PIN as an additional safety measure.
Furthermore, there is little chance that you could obtain an NFC card’s data to create a duplicate card, as it is encrypted on the card’s chip.
Going the extra mile
While tap-and-pay theft is non-existent according to SABRIC, there are those who would rather not take any chances with their finances.
To prevent their card being contacted at all, these individuals use an RFID-shielded holder.
An RFID-shield – radio-frequency identification shield – stops the wireless communication between your bank card and the payment terminal.
RFID-shielded card holders and wallets have, however, been described as a waste of money and completely unnecessary, due to the security of the tap-and-pay ecosystem.
For the purposes of this article, though, we purchased an RFID-shielded wallet and used our company’s card machine to see if we could “steal” money off an employee’s credit card.
The wallet we purchased – which costs R250 online – is shown below.
It contains a thick metal case in the middle which your cards slide into, and which prevents the NFC functionality of the card from working.
During the test, we quickly realised that stealing money off a bank card would be incredibly difficult.
Even if you managed to obtain a card machine and keep yourself from being tracked when executing transactions on it, you have to place it very close to the card for funds to be transferred.
When a bank card was placed in our test subject’s pants pocket, the card machine had to physically touch his leg – which could not be done covertly.
The card machine also issued a loud beep when the transaction went through, and this would have to be disabled to remain discreet.
It also takes a second or two for the transaction to process, which means the card machine must be held steadily in place – a hit-and-run tactic will not work here.
It was the same set of results when the bank card was placed in a smartphone case which had card slots – the card machine had to be pressed against the subject’s pants.
When the card was placed in the RFID-shielded wallet and this was put in the subject’s pocket, we could not access it using the tap-and-pay card machine.
Attempting to access the card by placing the wallet directly against the card machine also resulted in a failed transaction.
The test showed that an “unguarded” bank card is a difficult target for a potential thief who manages to obtain a card machine. The proximity and duration of the tap-and-pay transaction will be easy for a potential victim to spot.
It also showed that while an RFID-shielded wallet may be a waste of money, it does deliver on its promise of stopping your card being accessed.
A summary of the test is shown in the machine below.