Anyone in the know about this? Is it a real risk, and are RFID wallets worth buying?

Been a couple of reports of guys on the Tube this week carrying POS units with keyed amounts and actively putting the units next to people.
Anything up to £30 and you’ll never know.

Anything up to £30 and you’ll never know

I wouldn’t know while it was happening, but I would know about it pretty soon afterwards.

I’m one of those rare individuals who checks their bank balance/transactions regularly.

Call the bank, let them sort it out.

I’m wary. At a recent outdoors trade show, got a demo of just how easy it is to skim credit card details with a simple reader, been using an RFID wallet ever since.

Had paywave/rfid for about 3 years ago, been to lots of big cities on lots of public transport and had no issues.

This is a long long way down the list of things I care about right now

Fraud in the wild. Guy with POS device. Ring through sale <£30 & touch to wallet in your pocket. #contactless pic.twitter.com/Ffwm6oPeJ4

— European Bunny (@tweetyaca) February 16, 2016

It’s such an obvious security flaw, I can’t believe it wasn’t picked up when they were developing contactless.
What I don’t get is that the criminal s need bank accounts to accept payment so can’t thay easily be caught?

Yep stoner, seen the pic still not high on the list. If it’s lifting cash it needs to go somewhere, the bank covers for fraud and the chances are still low. Helped greatly by not going to London.

cheers_drive – Member

It’s such an obvious security flaw, I can’t believe it wasn’t picked up when they were developing contactless.

It was- it’s designed as a low security system at point of sale, all the customer protection is based on response and refund, and all the bank protection based on chasing after people using the inevitable paper trails and tearing them new arses. There’ll be losses but they’ve decided they’re worthwhile losses.

I tried to use a contactless card from inside a very thin non-RFID protecting wallet and it didn’t work. Not convinced it’s really an issue.

keep your card under your foil hat?

Surely a few layers of decent thickness aluminium foil or aluminium tape stuck inside your wallet would do the job of a new wallet? Or just ask your bank for a non RFID card.

I tried to use a contactless card from inside a very thin non-RFID protecting wallet and it didn’t work. Not convinced it’s really an issue.

Yeah, that’s what I’m not getting – are the scammers readers like super charged or something to pick up the cards from further away? I too have tried to just press my wallet against the pub machine and it didn’t work – I had to get the card out.

Surely if they were strong enough to just harvest people on the tube I wouldn’t need to get my card out my pocket?

Genuinely wondering, btw. I’m interesting the answers, or to read any articles on this, etc.

Mines stopped working after about 12 months anyway. Not very hard wearing cards. I shan’t be clamouring for a replacement of a device that saves me the effort of just five key presses.

I was in tescos trying to pay, wallet in one hand, card in the other and the machine said too many contactless cards in vicinity, so I’d have thought if you had more than one contactless card in your wallet it would fail.

Still, it gives me another reason never to visit London unless strictly necessary which is only a good thing 😆

Look up Adam Laurie’s (RFIDiot) research on it. He’s pretty good.

I do have to wonder about why they put the limit up to 30 quid though. Surely the point of an easier, non-PIN micro transaction is for, well, micro transactions. 30 quid is getting on for more than that.

I’d also heard that there was a flaw in how we’d implemented it and that greatly larger sums could be obtained from the card in the UK if the money was requested in a foreign currency. I’ll try and dig out a link for it.

Genuinely suspect the genuineness of that pic, too. If I was a real ne’er do well (not some tit who wants to spread paranoia and have a pic go viral) I’d at least try to disguise the obvious, LIT UP, POS card reader with I don’t know, a plastic bag or something…

I do have to wonder about why they put the limit up to 30 quid though. Surely the point of an easier, non-PIN micro transaction is for, well, micro transactions. 30 quid is getting on for more than that.

Is always been $100au here so about 50 quid, I just don’t here of mass fraud, skimming or any of that. Sometimes the risks are over blown and the reality of getting a POS machine linked to a bank account and getting the skims and cash out before fraud was spotted is slim.

I’ve just tried my life venture wallet on our contactless machine and I couldn’t take any money. So that works.
Edit…our machine needs the card about 3mm away before it works. Not sure if there are super powerful machines out there.

what I like about these card skimming fears is that it keeps sad ignorant rif-raff out of London because they are scared of getting skimmed…

I dont have contactless payment

The luddite fix is foolproof

*stiffs junkyard, old skool*

In my experience contactless machines vary. Some require the card to be held on the machine for 3-5 seconds, some pick it up and complete instantly and with the card 6-12 inches away. That’s all with the same card. I can imagine in a close packed public environment (thetube) having a reader at waist height in a thin bag would catch those people who just have their card in a pocket or bag.

Do yo think this is limited to London?

Very narrow view if you do.

grum – Member

I tried to use a contactless card from inside a very thin non-RFID protecting wallet and it didn’t work. Not convinced it’s really an issue.

Just tried mine using the NFC reader on my phone and it picked up one of the cards no problem. Can do it from in my jacket pocket as well if the wallet is in the right orientation.

Reckon that if a phone can do it, then one of those POS can too.

don’t the POS machines need to be connected to a network in order to process the payment? would that work on the Tube?

Full 4G network right through the Tube brakes

oh really? I didn’t know that – thought it was just Virgin WiFi.
hmmm. tin foil hat for my wallet then… 🙂

don’t the POS machines need to be connected to a network in order to process the payment? would that work on the Tube?

Isn’t the issue more skimming cards than lifting an instant payment? That was the impression I got, though I may, in classic STW style, be barking in the wrong forest.

This has been doing the rounds but the only “evidence” for it is a photo of a guy holding a card machine, and the assertion that it’s possible. No witnesses of the guy in the photo (or anyone else) going round doing this. No reports of fraudulent transactions done this way.

Given that you need a merchant account to process card transactions, and most make you wait 28+ days to get your money (in case people report fraudulent transactions), which itself has to be paid into a bank account, how likely do you think it is that someone could run around doing this and actually get their hands on any real money without getting caught?

I spent a fair few very nasty, dirty and smelly nights installing cabling and antenna infrastructure around that shit hole in times past.
Massive reradiating system to keep the punters happy 😯

I did think some time ago that a portable card reader is the perfect deterrent to people standing too close on public transport.

I never take my card out of my wallet to pay by contactless, so the range seems pretty good to me. Possibly some of the antenna wires are cracked in those suffering from poor range?

This has been doing the rounds but the only “evidence” for it is a photo of a guy holding a card machine, and the assertion that it’s possible. No witnesses of the guy in the photo (or anyone else) going round doing this. No reports of fraudulent transactions done this way.

But RFID skimming is a thing though isn’t it? Or is it?
Can’t find much on actual reported cases, but lots of tech/possible stuff and gadgets you can buy.

It’s such an obvious security flaw, I can’t believe it wasn’t picked up when they were developing contactless.

An additional flaw (in my eyes) is…. it used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you’d received it and were the legitimate owner of if before you could use it. The last few cards I’ve had (all contactless) – just take them out the envelope and use them, no process of activating them – which means in transit, before you receive it, without even opening the envelope, they can be used to make transactions.

Do yo think this is limited to London?

Very narrow view if you do.

There was a day a while ago where 4.8 million used the London tube, which is more than the population of Greater Manchester and the West Midlands.

So London would definitely offer the greater potential, plus you probably have more people with enough money in their current account that they wouldn’t notice the smaller scale purchases being made with the skimmed details.

I guess the attraction of the tube is that it allows you to be in close proximity to people without raising suspicion. Not many other places where that is almost expected.

it used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you’d received it and were the legitimate owner of if before you could use it

never, ever had to do that.

Not many other places where that is almost expected.

In London?

I’ve had to call to activate a card, have had to log in to activate a card — in the not too distant past – c. 10 years ago, anyway.

At this stage I think this is the bigger possibility of how you’ll get done:

Safeway Self Service Skimmers

or like this

Hacked standalone ATM network cables

I’ve been bothered by this for a while; partly because I’m bad at checking my account balance afterwards.

I’ve just called up my bank and ordered a non-contactless card as they say I’ll still be able to use the card details contactless via ApplePay anyway. That requires my thumbprint to make the transaction so much more secure. Also, if lost, I can just remote wipe the phone.

Rachel