2020.06.28 10:00

LRT FACTS. Are contactless credit cards safe in your pocket?

Jurga Bakaitė, LRT.lt

Contactless payment has been available in Lithuania for several years now and paying with smart devices is becoming increasingly popular. Still, the new technology brings fears that fraudsters could charge a card in the owner's wallet without their knowledge.

LRT FACTS has asked banking specialists and a scientist whether there is any ground to fear being robbed electronically in a crowded place or on a bus.

Pickpockets with card readers

Recently, an image has been circulating on social media, showing a man in a metro train holding a card reader in his hand.

The image was recently used in the Russian TV show Ultro M24 where reporters investigated how easy it could be to read a contactless paycard through a pocket or a wallet.

People interviewed in the story claim they regularly see individuals carrying card readers on public transport.

Possible, but improbable

Can just anyone with a card reader steal your money? Tomas Karpavičius, the head of the Market Infrastructure Policy Department at the Bank of Lithuania, says there have not been any reports in Lithuania about similar crimes.

However, it is technically still possible to read someone's contactless card without their knowledge.

Benas Gabrielius Urbonavičius, a lecturer at Kaunas University of Technology, concurs. “The main forms of attack on contactless cards are reading them at a distance and ‘cloning’,” he says. “With special readers, you can read a card from a distance of several dozen centimetres.”

However, pulling it off in practice would be very hard, they say.

First of all, getting hold of a card reader is not that easy for an individual who is not a business owner. “You can't just buy it [a card reader] anywhere, there are special firms licensed to sell readers and they need to meet security rules,” says Karpavičius.

Second, the would-be thief would also need a bank account linked to the card reader.

“If a private individual applied for one, it would be a red flag for any bank,” Karpavičius notes.

Valerija Kiguolienė, a spokeswoman for the Lithuanian Banks' Association, outlines the procedure of issuing a card reader with a bank account: “There is a thorough background check, activity check, we evaluate their reliability as a client, etc.”

The same rules are applied by all firms issuing MasterCard and Visa readers. “If a fraudster tried to use the reader for bad purposes, they would be immediately identified and the equipment would be blocked by the bank,” she adds.

According to Kiguolienė, the bank association is not aware of any cases where a contactless payment reader was used for theft.

When do you need to enter your PIN?

Moreover, banks' security systems monitor transactions and if something looks suspicious, the reader will ask to enter the PIN.

“If, for example, a person pays with a card in Vilnius and then is approached by a fraudster, the bank will be alerted if the fraudster is registered somewhere far from Vilnius. The system would see that it's impossible that the second transaction is happening so far away,” Karpavičius explains.

The fraud prevention systems also monitor the transaction values. If, say, a card is charged the maximum amount allowed for contactless payment – currently set at 50 euros – several times, the reader will ask to enter the PIN.

“The fraudster could not be sure they'd be able to take the [maximum] amount. They'd need to spend a lot of effort for relatively small sums of money,” says Karpavičius. “This is a rather difficult operating model.”
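The two checks described in this section (a payment that would require impossibly fast travel, and repeated charges at the contactless limit) can be sketched as follows. This is an added illustration, not the banks' actual system or anything supplied by the people quoted; the speed threshold, the number of limit-value charges allowed, the terminal coordinates and all names in the code are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

CONTACTLESS_LIMIT_EUR = 50.0  # per-payment limit stated in the article
MAX_LIMIT_HITS = 2            # assumption: PIN on the third charge at the limit
MAX_SPEED_KMH = 900.0         # assumption: faster than an airliner is implausible

@dataclass
class Tx:
    when: datetime
    amount: float
    lat: float
    lon: float

def km_between(a: Tx, b: Tx) -> float:
    """Great-circle (haversine) distance between two terminals, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(history: list, tx: Tx) -> tuple:
    """Decide on a contactless payment given PIN-less payments since the last PIN entry."""
    if tx.amount > CONTACTLESS_LIMIT_EUR:
        return "PIN", "over contactless limit"
    if history:
        last = history[-1]
        hours = (tx.when - last.when).total_seconds() / 3600
        dist = km_between(last, tx)
        # Ignore sub-kilometre moves; flag anything needing impossible speed.
        if dist > 1 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            return "PIN", "implausible travel"
    hits = sum(1 for t in history if t.amount >= CONTACTLESS_LIMIT_EUR)
    if tx.amount >= CONTACTLESS_LIMIT_EUR and hits >= MAX_LIMIT_HITS:
        return "PIN", "repeated charges at the limit"
    return "APPROVE", "ok"

# Constructed sample data: terminal coordinates for Vilnius and Klaipeda.
T0 = datetime(2020, 6, 28, 12, 0)
VILNIUS, KLAIPEDA = (54.687, 25.280), (55.703, 21.144)

def demo() -> list:
    shop = Tx(T0, 12.5, *VILNIUS)
    far = Tx(T0 + timedelta(minutes=10), 20.0, *KLAIPEDA)
    maxed = [Tx(T0 + timedelta(minutes=m), 50.0, *VILNIUS) for m in (1, 2, 3)]
    return [decide([], shop), decide([shop], far),
            decide(maxed[:2], maxed[2]), decide(maxed[:1], maxed[1])]
```
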

Recycled image

The image used on Russian TV first started circulating in 2016. It was attributed to Oleg Gorobets, an employee of the Russian cybersecurity firm Kaspersky Lab.

The photo then made it to Anglophone media. One week later, Britain's The Telegraph claimed the image was taken on the underground in the UK.

In both cases, there were discussions about whether the man in the photo could be a courier with a legitimate reason to hold a card reader.

The image was once again pulled out by Ilya Rybalchenko, an employee of the All-Russia People's Front movement. It is a political organisation operating under the United Russia party led by President Vladimir Putin.

Rybalchenko said on Facebook that he was regularly seeing suspicious people on Russian public transport with card readers “moving slowly along passengers' pockets”.

Should you wrap your wallet in tin foil?

Social media posts about the risks of contactless payment often include advice on how to protect one's credit or debit cards, for instance, by purchasing special holders or wallets that block the RFID signals used by contactless payment technology.

Urbonavičius, of Kaunas University of Technology, explains that any conductive layer – like a metal plate – can block the signal between a reader and a card.

“There are different protections available: wallets lined with metal, special protective plates that either block or significantly corrupt signals between a reader and a card, preventing any unauthorised transactions,” according to Urbonavičius.

Meanwhile, Karpavičius from the Bank of Lithuania notes that even if fraudsters did manage to pull off such a crime, banks would compensate the losses. The card owner would need to notify their bank in time, he adds.

VERDICT

Bogus / fake news. The image circulating on Russian media is inauthentic and has been used on the internet before. Even though there is no proof that it depicts an attempt to steal money, the photo has repeatedly ignited discussions about the safety of contactless payment. Experts say that while it is theoretically possible to read a card without the owner's knowledge, in practice it would be a very difficult crime to pull off for relatively little gain. So far, there have been no contactless payment fraud cases reported in Lithuania.