Contactless payments offer a fast and easy way to pay for goods in-store, but are they really as safe as claimed, and how can you keep yourself safe when using contactless?
The big contactless payment fraud myth
Many banks and consumers assume that contactless fraud means money being stolen directly from your contactless card. It’s a theory seemingly backed up on social media every few months with images (as below, from Tumblr) and warnings posted of supposed fraudsters carrying Chip & PIN machines, stealing from seemingly oblivious members of the public.
While this sounds, in principle, like a valid concern, it would be incredibly difficult for criminals to operate such a machine without being noticed almost immediately.
Chip & PIN machines need to be registered with a payment vendor and linked to a bank account before they can be used to charge cards – like how you need to register your mobile phone’s SIM card with a network before you can make a call. Since every transaction is monitored for fraudulent activity, and applying for such a device is a lengthy process with many safeguards to stop fraudulent uses, it’d be incredibly risky for any criminal to do this without drawing an incredible amount of attention to themselves.
Contactless “skimming” is a fraud risk
While there may be no hard evidence of contactless-based fraud, this doesn’t account for card details being stolen via contactless for later use – better known as “skimming”. Using widely available technology, or even a smartphone app, criminals can wirelessly read data from your contactless card without charging you a penny. In most cases, the data includes the full 16-digit card number, the card type (Visa, MasterCard, or similar), the issuing bank, the expiry date, the card owner’s name, and in some cases (worryingly) a mini-bank statement. With this data, it’s possible for criminals to create a cloned card with the original card details for use at older ATMs, shops, or even websites with poor security checks. Alternatively, they could simply collect thousands of card details with the intention of selling them on to the highest bidder. As there’s no financial transaction taking place, there’s no record of how many times the card has been read wirelessly, where it was read, by whom, and what their motive was.
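An added illustration, not part of the original article, of why the fields listed above are readable at all: a contactless card stores its records as tag-length-value objects, and this sketch walks one constructed record to report which cardholder fields it carries, masking the card number. The tag numbers are the standard EMV ones; the sample bytes and the function names are made up for the example.

```python
# Added example. SAMPLE is constructed (4111... is a public test number), not card data.
SENSITIVE = {"5A": "card number", "5F24": "expiry date", "5F20": "cardholder name"}

def parse_tlv(data: bytes):
    """Yield (tag_hex, value) for each primitive BER-TLV object, descending into templates."""
    i = 0
    try:
        while i < len(data):
            if data[i] in (0x00, 0xFF):          # padding between objects
                i += 1
                continue
            start, constructed = i, bool(data[i] & 0x20)
            if data[i] & 0x1F == 0x1F:           # tag continues in the following bytes
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:                    # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            value = data[i:i + length]
            if len(value) != length:
                raise ValueError("truncated TLV object")
            i += length
            if constructed:
                yield from parse_tlv(value)
            else:
                yield tag, value
    except IndexError:
        raise ValueError("truncated TLV header") from None

def exposed_fields(record: bytes) -> dict:
    """Report the cardholder data present in a record, masking the card number."""
    report = {}
    for tag, value in parse_tlv(record):
        if tag == "5A":                          # packed digits, padded with F
            digits = value.hex().rstrip("f")
            report[SENSITIVE[tag]] = "*" * (len(digits) - 4) + digits[-4:]
        elif tag == "5F24":                      # stored as YYMMDD
            report[SENSITIVE[tag]] = f"20{value.hex()[:2]}-{value.hex()[2:4]}"
        elif tag == "5F20":
            report[SENSITIVE[tag]] = value.decode("ascii", "replace").strip()
    return report

SAMPLE = (bytes.fromhex("70 23 5A 08 4111111111111111 5F24 03 301231 5F20 0B")
          + b"TEST/HOLDER" + bytes.fromhex("5F28 02 0826"))
```

Nothing in the record is encrypted, so any field the issuer chooses to include is available to whatever reads it; the issuer country code (tag 5F28) in the sample is parsed but left out of the report because it does not identify the cardholder.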
Lost and stolen cards can still work months after cancelling
When contactless payments were first rolled out, concerns were raised about pickpockets and thieves being able to use a stolen card, without verification, to make high-value purchases. Reporting a card as lost or stolen, and reporting any suspicious activity on your bank statement immediately, should theoretically block that card from being used fraudulently. However, there have been mixed reports from members of the public that their cards continued to work long after being reported as lost or stolen. Banks have complex security limitations in place to detect fraudulent contactless transactions, but consumers should keep an eye on their bank statements and flag transactions they don’t recognise immediately – even if the card has been cancelled. You should also keep an eye on your credit report for suspicious transactions.
What about Apple Pay and Google Wallet?
When contactless payments first made their debut on smartphones, concerns were raised about the security of card details being stored on, and transmitted from, a smartphone. The initial fear was that instead of a malicious person reading card details wirelessly from a wallet – which tends to reside in a limited number of secluded places, such as a pocket or a bag – they could read them from a phone – an item we tend to carry more publicly. Fears surrounding this potential threat quickly subsided, however, as the technology was showcased to only work in the specific context of paying for goods. In the case of Apple Pay, for example, card details are only transmitted when the phone detects a Chip & PIN machine that is requesting payment; it requires either a passcode or a thumbprint to complete the transaction; and the 16-digit card number transmitted is semi-randomised per transaction. These features give contactless payments via a phone another level of security in cases where the phone is stolen, or where a receipt displaying the full card number is dropped at the point-of-sale terminal.
Keep yourself safe from contactless fraud
Contactless payments offer a convenient way for consumers to pay for goods but, like most technology, come with a handful of security concerns that everyone should be aware, but not scared, of. With that in mind, here are some top tips to help keep yourself safe from contactless-based fraud:
- RFID-blocking wallets, or a few sheets of thick tinfoil, will block any wireless signal from leaving your wallet without your knowledge;
- Some banks offer non-contactless cards to their customers, but you have to ask. Contactless is very much the standard issue these days;
- Using systems like Apple Pay and Google Wallet gives an extra level of security when paying, and they don’t transmit your card details without your consent;
- Report any cards that are lost or stolen immediately to your bank, and keep an eye on your bank statement for suspicious transactions.