What happens if a criminal holds a card machine up to the ‘tap and go’ card in your pocket

9 Aug 2018

The South African Banking Risk Information Centre (SABRIC) has released a statement aimed at allaying any fears that bank clients may have about contactless bank cards or ‘tap and go’.

This comes after a video trending on social media may have created the incorrect impression that contactless cards are easy for criminals to exploit, the association said.

“This is simply not true. Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where ‘tap and go’ cards have been exploited,” said Kalyani Pillay, CEO of SABRIC.

Contactless technology was introduced for the convenience of cardholders and while relatively new in South Africa, has been available in many countries for some time.

The convenience lies in the fact that these cards can merely be tapped on a near-field communication (NFC) Point of Sale (POS) device to make certain payments, which is quick and easy for the card holder.

Videos online suggest that criminals could exploit contactless technology and steal money or card data by simply tapping an NFC enabled POS device near enough to a victim’s bank card.

However, stealing money by tapping an NFC POS device near such cards is not likely, said Pillay.

She added that acquiring an NFC POS device involves a rigorous vetting process by the issuing bank which includes the mandatory submission of Know Your Customer (KYC) documentation.

“In addition, banks also monitor merchant transaction activity and conduct merchant site visits. Should any irregularities be identified, an investigation will be launched immediately,” she said.

“Collusion with a merchant could be a possible way to defraud people, however this is also unlikely as the proceeds of crime resulting from this specific modus operandi would go into a merchant’s bank account which, again, is closely monitored.

“Furthermore, this payment option is only available for a predetermined number of low value transactions on any specific day, after which a PIN would be required to complete the transaction, so the financial reward associated with these transactions is low, while the reputational and prosecution risk to the merchant remains high.”

Stealing card data

According to Pillay, stealing card data is also not a viable option for criminals, as merely holding an NFC enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions.

She noted that South African issued contactless cards are embedded with an RFID (Radio Frequency ID) tag, identifiable by the WiFi-type symbol, which is then read together with the card’s EMV chip, which is encrypted.

Even if a criminal used an NFC POS device to tap a victim’s contactless card while it was in the victim’s wallet or bag, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed, both of which the criminal would need to make fraudulent online purchases.

“It is unlikely that organised criminals will be targeting this capability to steal money or card data, as the reward will be insignificant compared to other modus operandi at their disposal,” said Pillay.

Nevertheless, SABRIC urged bank clients to take note of the following tips to protect themselves when using ‘tap and go’ technology in South Africa:

  • Ensure that you always tap the POS device yourself, and that your contactless bank card never leaves your hand.
  • Report lost and stolen cards immediately.
  • Register for SMS notifications to ensure that you are alerted to any transactions on your account.
  • Always inform your bank immediately if any suspicious or unauthorised transactions are conducted on your account.
