Train rider has his contactless card e-pickpocketed

Share this…

It could have been just another one of those jostlings that happen on the train: a man bumped into a writer for SC Magazine.

Except, as Roi Perez tells it, it all seemed a bit deliberate: the guy slowly bumped into him – and his pocket – for a bit too long.

He said that it took him a minute to realize what had happened.

But when it did dawn on him, he called his bank, only to find out that he’d been e-pickpocketed.

That slow bump had apparently enabled the presumptive thief to get close to Perez’s contactless card payment: there’d been an unauthorized £20 snorted from his card to make a transaction on the train.

His bank promptly reimbursed the charge, leaving him to ponder how, technologically speaking, this had happened.

Contactless bank payments usually rely on RFID or on Near Field Communication (NFC) – the same sort of electronics used in public transit cards such as London’s Oyster or Sydney’s Opal.

The cards enable fast, low-value payments, typically with no signature or PIN required, merely by holding a card near a reader – obviously appealing to harried shoppers with hectic lifestyles.

There are, however, some security concerns about contactless payments.

Research from a couple of years ago showed that card data could beintercepted from up to a meter away (about 3.25 feet).

In 2013, University of Surrey researcher Thomas P Diakos created an inexpensive receiver, small enough to fit into a backpack, using a shopping trolley and a small antenna.

This, in spite of the fact that one of the main security features of contactless cards is a requirement not to transfer payment data in excess of 10cm (about 4 inches) from a reader.

Then, about a year ago, researchers at Newcastle University in the UK figured out another way to attack contactless payments.

The tl;dr version: their attack is what Paul Ducklin described as a special sort of Man in the Middle (MitM) attack that could, at least in theory, be used to trick the owners of contactless payment cards into spending enormous sums of money without realizing it.

There were two problems that made it possible.

First problem: the “must enter PIN for more than £20” restriction at the time could be ignored by a card if the transaction was requested in a foreign currency.

Second problem: an additional safeguard prohibiting offline transactions for more than £100 could also be ignored.

How can you keep e-fingers out of your e-wallet?

There are plenty of people who believe in RFID-blocking sleeves, pouches, and wallets, including Altoid tins, metal cigarette cases, Aluma Wallets, Tyvek credit card sleeves, or a leaf of heavy-duty aluminum foil slipped into your wallet.

While they can help somewhat, don’t put too much faith in any of them. Some supposedly RFID-shielding wallets simply don’t work at all, regardless of marketing claims.

Ultimately, the most important thing you can do is to always keep an eye on your bank statements. If you notice anything that doesn’t look right, contact your bank immediately.