The truth behind criminals using “tap and go” to steal from your bank card

Earlier this year, a video was circulated between South Africans which demonstrated someone with an NFC-enabled POS terminal processing a payment off an unaware shopper.

In the video, the person with the terminal places it against the victim’s back pocket and successfully processes a payment using his NFC-enabled PayFast card.

The video trended on social media and led many South Africans to worry about the security of their bank cards which were NFC-enabled.

However, there are a number of reasons why this demonstration does not mean contactless cards are easily compromised.

The South African Banking Risk Information Centre (SABRIC) previously issued a statement stating that bank clients with contactless cards should not be worried by the video.

“A video trending on social media may have created the incorrect impression that contactless cards are easy to exploit by criminals. This is simply not true,” said SABRIC.

“Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where tap and go cards have been exploited.”

The video in question is embedded below.

NFC security

Contactless card technology is still relatively new in South Africa, but has been refined according to international standards and is protected by strict security protocols.

Many points of sale support NFC payments, or “tap-and-go”, and each of these terminals have to be registered with the issuing bank – which monitors merchant transactions occurring through the device.

“Stealing money by tapping an NFC-enabled POS device near enough to a bank client’s card is not likely,” SABRIC stated.

“Acquiring an NFC POS device involves a rigorous vetting process by the issuing bank, which includes the mandatory submission of Know Your Customer (KYC) documentation.”

Subsequently, any irregular purchases would be investigated, and criminals who collude with merchants to make use of their NFC-enabled POS device would have to move illegally-acquired funds into the merchant’s account – which is monitored.

There are also technical security challenges to overcome.

Tapping an NFC card on a terminal for high values prompts the user to enter a PIN.

Banks also randomly prompt buyers to enter their PIN as an additional safety measure at times.

Attempting to read an NFC card’s data using an NFC-enabled device is also incredibly difficult, due to the strong encryption on the card’s chip.

“Stealing card data by criminals is also not a viable option, as merely holding an NFC-enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions,” SABRIC stated.

“Even if a criminal tapped a victim’s contactless card, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed.”

Keeping safe

While contactless bank cards are safe, there are a few safety tips to keep in mind when using one.

The main consideration when paying by tapping your card on a payment terminal is to tap the card yourself.

If somebody else is tapping your card for you, they may be subtly tapping another device or cloning your card details via the magnetic stripe.

Registering for bank SMS notifications will also allow you to determine whether any fraudulent transactions have been made using your card.

Now read: The dangers of instant EFT services – South African banks explain

Latest news

Partner Content

Show comments


Share this article
The truth behind criminals using “tap and go” to steal from your bank card