A Facebook post has gone viral in the last 48 hours after a user posted a picture of a man stealing money from unsuspecting commuters, apparently in Russia, using a Point of Sale device to charge contactless credit cards through their wallets.
The post (now removed but currently available via Google Cache and included as image below) was made by Paul Jarvis last Saturday, and depicts an unidentified figure on public transport with a POS device in his hand:
“So this guy was spotted wandering round with a Point of Sale (POS) device. All he has to do is key in a price less than £30 and then touch the device on the pocket that contains your wallet. Ching! You’ve just been charged automatically on your touch pay enabled credit/debit card…. We just tried this in my local pub with their POS device and it worked… (I’ve actually shown people this using the NFC function on my mobile to read their card data through their wallet to freak them out but this is the first time I’ve seen someone doing it for real). Time to invest in a screened wallet I guess…”
According to The Mail, ‘authorities’ (which are not specified) believe that the photo was taken in Russia. The Jarvis post was shared more than 10,000 times before being made unavailable sometime in the last 24 hours.
Contactless cards do not require physical contact between the card and the reader device that charges the card, nor do they require a user to enter a PIN number. Instead, they use radio frequency identification (RFID) or near-field communication (NFC) technology to communicate between the card and the reader. They are increasing in usage worldwide, in part due to the convenience of faster transactions for consumers and companies alike. In London alone, an estimated one in three card transactions are completed with contactless cards. More than one billion European transactions were contactless in 2015, up 150% from 2014, per MasterCard.
Part of the fraud protection available on most contactless cards is a limit on individual purchases, or a limit on how often the card can be used before a user is asked for a PIN. But this new scam circumvents both of these attempts at fraud protection.
Although The development of the kind of contactless pickpocketing Jarvis has brought to light has created a new trade in RFID-blocking wallets and purses, it is worth noting that large sums of money cannot be gathered even by an industrious POS fraudster, since there is a varying contactless accrued payment transfer limit of around £400 before the device must reconnect to the bank over a landline, as well as a per-transaction limit of £30; additionally the thief would need a genuine business account to complete the transactions, which could hardly be easier to trace.
However, giving credence to the photo, there seems to be a will and a way, and the evolution of street-level ‘tap-robbing’ may depend on new criminal methods to temporarily hijack legitimate accounts or by other means funnel the stolen money out of a legitimate system.
Awareness of the vulnerability of contactless cards is of primary importance in protecting your finances from scammers. Contactless cards are covered by the same fraud protection services as traditional cards, so keeping an eye on the charges attributed to your account and notifying your bank of any strange charges is a good first step. Investment in an RFID blocking (so-called hack-proof) wallet or card sleeve could lessen your chances of fraud as well.