Consumers advised to protect contactless cards from digital theft
With rising concerns about accidental or unauthorised charges using contactless payment cards, consumers are urged to take precautions such as using RFID blockers. These blockers shield cards from being scanned by thieves using wireless devices to steal card information without contact. Technology experts also recommend removing the intended card from wallets before using it at point-of-sale terminals to avoid unintended charges.
Card clash
Misfiring tap-to-pay systems leaving customers with unexpected card charges
Users could be vulnerable, expert warns
Jamaica Gleaner/22 Sep 2024/Livern Barrett Senior Staff Reporter
ANDREA BAILEY* stood in stunned disbelief, trying to make sense of the “disturbing” incident that unfolded before her eyes.
The educator was at a popular St Andrew restaurant where she and a small group of pals went to have dinner in late July.
Reaching into her handbag to pay for her meal, Bailey took a contactless debit card from a small case with other bank cards and handed it to her server standing “inches” away with a point-of-sale machine when he stopped her.
“The waiter was about to take the card from my hand then he said the transaction has already gone through,” she recounted.
Puzzled, she immediately enquired how the transaction was completed since her card was never tapped or placed above the pointof-sale terminal. The response was “alarming”.
“He said it was not this card,” referring to the one she was handing him.
Instead, the transaction was completed using a credit card that was still in her purse, Bailey told
The Sunday Gleaner, recounting the server’s explanation.
“When he said the end of the [card] number, I realised that it was my credit card that was still in the case that’s now on the table,” she said. “This was so alarming to me. And what’s funny is that the card that I intended to use was over the machine.”
American consumers like Edgar Matthews and Sonia Cisares reported similar experiences at restaurants, stores and doctor’s offices in the United States.
Cisares disclosed in an ABC 7 news report last year that the tap-to-pay system at a boutique store charged three credit cards tucked inside her purse.
UNCOMFORTABLE AND FRIGHTENED
“I would say I was about two feet away at that time. It makes you very uncomfortable and frightened,” she said, acknowledging that all the transactions were reversed.
In the same news report, Matthews said the card reader machine at a department store ignored the bank card in his hand and instead charged his purchases to a credit card that was in a wallet in his back pocket.
“That’s a pretty big reach. How did it decide what to grab?” he questioned.
Jamaican financial institutions, like their counterparts internationally, are increasingly moving away from cards with magnetic strips to contactless cards because of the multi-layered protections they provide consumers.
These cards, which typically have an embedded chip, rely on near-field communication (NFC) wireless technology to complete no-touch or tap-to-pay transactions, according to local and international experts.
NFC, a subset of radio frequency identification (RFID), has a maximum range of between 20 and 25 metres.
Deposit-taking institutions in Jamaica processed 20.1 million transactions valued at $284.6 million through point-of-sale machines during the first quarter of this year, according to data published by the Bank of Jamaica (BOJ).
Approximately 66.5 million point-of-sales transactions, valued at $1 billion, were processed last year.
There were 3.56 million debit cards and 419,153 credit cards in circulation at the end of March this year, the BOJ disclosed.
Mastercard and Visa, the two main providers of digital payment services in Jamaica and globally, say the range for their contactless payment technology is between 2.5 and five centimetres.
However, Mastercard acknowledged, through its communications manager for the Caribbean, Sabrina Alvaraz, that if multiple cards are in proximity to a point-of-sale terminal – “such as in a wallet or purse” – the device “may inadvertently read a different card than intended”.
“We advise customers to remove the card they intend to use from their wallet or purse and hold it against the contactless reader,” Alvarez said in an email response to questions submitted by The Sunday Gleaner.
Alvarez added that industry standards “require” a point-ofsale terminal to provide an alert and discontinue processing “if two or more cards are detected simultaneously, reducing the likelihood of a card clash”.
Further, she said should a card clash occur, customers should speak initially with the merchant for resolution or contact their respective banks if they are not satisfied.
ZERO LIABILITY PROTECTION POLICY
“Mastercard’s zero liability protection policy ensures that cardholders are not held responsible for unauthorised transactions,” she pointed out.
Visa has still not responded to questions submitted last Tuesday.
Though a legitimate concern, point-of-sale machines charging the wrong card may not be the biggest danger facing unsuspecting consumers, according to Trevor Forrest, a local technology expert.
Forrest, who is the chief executive officer of 876 Technology Solutions Limited, warned that the transfer of data between the contactless card and a point-of-sale device can be compromised by bad actors with “the right tools”.
“And these tools are easily available. The point is this, if I have a device that can communicate with the card then I can pull information off the card,” he said during a Sunday Gleaner interview.
Forrest noted that the contactless card technology effectively nullified skimming devices that were used by fraudsters to capture the personal identification numbers (PIN) assigned to cards with magnetic strips.
He argued, however, that contactless technology is “not a safer option” for consumers, noting that magnetic strip cards cannot be used without the unique PIN known only by the cardholder.
“Now, anybody who has the card can use it; they don’t need a PIN. So now what the thieves do now is they get a wireless scanning device, they get close to you or your card and pull information off of it. How is that more secure than a card that requires the input of a PIN?” Forrest questioned.
Forrest suggested that consumers consider getting RFID blockers for their wallets or purse to shield their contactless cards. He suggested, too, that consumers discontinue the practices of carrying cards in their back pockets.
“Somebody could scan your card and get information off of the card without you ever knowing,” he warned.
*Name changed.
“We advise customers to remove the card they intend to use from their wallet or purse and hold it against the contactless reader.”
For feedback: contact the Editorial Department at onlinefeedback@gleanerjm.com.