Banking 22.01.2025

Truth about tap payment danger in South Africa

Although contactless card payments can also be susceptible to fraud and skimming, they are still considered far more secure than swipe or chip payments in South Africa.

South African banks and cybersecurity experts have encouraged people to adopt contactless, tap-to-pay, or tap-and-go payments.

The near-field communications (NFC) technology that enables these payments has existed since the 1980s and was adopted in the payments ecosystem in the 1990s.

However, moving away from older swipe and chip payment methods required merchants to get machines that support NFC payments, which became more common in the last decade.

Supporters of contactless payments have often cited improved security as one of the key features of the technology.

Among the biggest mistakes people made with swipe and chip payments was handing over their cards to a till worker or merchant with malicious intent.

They would then insert or swipe the card in a skimming or cloning device to capture its details for use at a later stage.

Many ATMs were also fitted with such devices, leading to warnings from banks to watch out for signs of tampering on card slots.

Stealing the PIN is also possible with well-disguised keypad overlays on point-of-sale (POS) devices or ATMs.

With a tap payment, the card never has to leave the customer’s hand during the transaction. The communication is also encrypted, making it more difficult to skim card details.

However, in the past year, there have been several warnings about criminals increasingly targeting tap payments — without any concrete data to back up the claim.

Among those raising red flags was a South African cybersecurity firm, which argued that “all” a criminal needed to steal money in a tap payment was a card machine and good timing.

“Imagine you’re paying for petrol and someone is standing near you,” he said. “As you tap, that person taps your card and the money comes off twice — once for the petrol, once for the fraudster.”

The firm went so far as to recommend people completely disable their card’s contactless capability and only use physical cards as a backup.

They falsely claimed that FNB was “ending” tap-and-go functionality in 2024, implying it was because of this issue.

FNB only discontinued its dedicated in-app tap feature, as support for third-party wallets had become available to almost all NFC-enabled devices.

In fact, several major banks — including FNB and Discovery Bank — don’t permit customers to turn off contactless payments at all.

FNB card digitisation head Jason Viljoen stressed that contactless payment methods were safe to use and aligned with Europay, Mastercard and Visa’s global best practice.

Contrary to the cybersecurity firm’s claim, FNB cards still support contactless payments.

Strict controls

Aside from the misleading claim about FNB tap-to-pay, the company’s argument that it was easy for a criminal to acquire a POS device for accepting card payments was inaccurate.

The South African Banking Risk Information Centre (SABRIC) has explained that buying a POS device involves a rigorous vetting process by the issuing bank, which includes the mandatory submission of Know Your Customer documentation.

“In addition, banks also monitor merchant transaction activity and conduct merchant site visits,” SABRIC said. “Should any irregularities be identified, an investigation will be launched immediately.”

Although a criminal could steal a payment device, it would be useless without being linked to a merchant’s bank account.

Viljoen said that a “bad actor” would be identified very quickly and shut down, with fraudulent transactions refunded according to the card purchase dispute guidelines.

Discovery Bank also agreed that the described scenario was highly unlikely.

“To have a tap card terminal or a phone, a malicious actor would have to be within the banking system and have been subjected to other acquiring and banking risk processes,” the bank said.

“It is also unlikely that a person would be able to get to close enough proximity to a card for the NFC reader to activate.”

The cybersecurity firm also called the payment device a “skimming” device, which was not accurate.

Card skimming or cloning devices are not linked to a bank account and do not process transactions directly, and the direct processing of a rogue transaction was the main concern the firm highlighted.

Skimming devices capture the card’s details, which the criminals can then use to create a physical cloned card for in-person payments or online transactions at a later stage.

Although skimming a card’s details during a contactless transaction is not impossible, it requires more technically complex tools due to the encryption in NFC communication.

Another factor to consider is that a customer who has the necessary notification settings enabled will receive an SMS or in-app message for every payment.

If the customer queried a rogue payment with the bank, the fact that it went off simultaneously or within milliseconds of a legitimate transaction would likely help the customer’s claim of fraud.

Furthermore, if the amount exceeded the user’s daily limit for tap payments, they would have to enter their PIN and the payment would not go through on the rogue device.

It would be far easier and less risky for a criminal to just steal a card and use it as long as possible before it is reported stolen and blocked.

Digital wallets provide more security

All these factors considered, the cybersecurity firm did get one thing right: digital wallets like Apple Wallet, Google Wallet, or Samsung Wallet, which support tap payments with linked cards, are more secure than regular card tapping.

If your phone is locked in your pocket or your smartwatch is just hanging by your side, a criminal who taps a rogue payment device won’t be getting any money from your account.

That is because initiating NFC communication between a digital wallet and POS device requires that the user authenticate themselves with a PIN or biometrics.

With some wallets, this may be required twice — first when unlocking the phone and again after opening the digital wallet.

Digital wallets also use card tokenisation, which replaces your actual card details with a stand-in number and makes conventional card skimming virtually impossible.

However, Viljoen has warned South Africans to watch out for fraudsters who try to trick people into sharing their card credentials and approving the activation of a digital wallet registration in their banking apps.

“In this way, it’s not the digital wallet payment being compromised, but rather the customer compromising their credentials and approving the registration of the compromised card,” Viljoen explained.
