Contactless cards: how scams work and how to avoid them

Over the years, digital payments have recorded exponential growth, thanks in part to the pandemic, which at least initially brought with it a renewed mistrust of cash, and to the State Cashback.

At the center of this transition are payment cards, which according to Mastercard research were already used last year by 8 Italians out of 10, followed by contactless ones, now an established habit for 78% of Italians. Contactless also dominates payments with smartphones, which are on the rise, followed by payments with dedicated apps and those made through banking apps.

However, contactless has also made headlines because of a scam to which it lends itself by its nature: according to some, it would be enough to bring a portable POS close to the pocket of an unsuspecting user to take amounts below a certain threshold, the one under which it is not necessary to enter the PIN. Here’s how it works, what’s true and how to defend yourself.


First, some context: contactless payment, as the name suggests, allows you to pay without contact, that is, without inserting the card into a payment terminal but simply bringing it close to the reader to complete a transaction, which speeds up operations for both the buyer and the seller.

This payment system uses RFID: the acronym stands for Radio Frequency IDentification, a technology that can be integrated into credit cards, debit cards and prepaid cards (to discover the difference, here is a dedicated article). To find out whether a card is enabled for contactless payments, just check whether it has the special symbol similar to that of the WiFi network.

RFID technology has existed for several decades, developed as a civilian derivation of the military radio-frequency system of Identification friend or foe; its large-scale spread, however, has taken place since the ’90s, moving from industrial applications into daily, business and domestic use. For example, RFID is used in work access badges, but also in anti-shoplifting tags.

From this derives the NFC standard that is now increasingly found on smartphones: Near Field Communication, which literally means proximity communication, is a technology that provides short-range two-way wireless connectivity, up to a maximum of 10 cm, with a transmission speed of approx. 424 kbps.

That is why it is also possible to make contactless transactions through smartphones: to pay in this way, just register your card on your phone and, at the time of payment, bring it close just as you would a card. Note: this type of payment should not be confused with mobile payments, which instead use the internet, over either the cellular network or WiFi, to connect and authorize the transaction on the seller’s account.

Back to our topic: in practice, contactless payment is simple. The merchant types the transaction amount on the payment terminal or POS (Point of Sale), and the consumer then brings the card close to it to allow reading and confirmation of payment.

With this technology it is possible to carry out transactions of any amount, but for expenses above a certain threshold it is necessary to enter a PIN; until recently it was 25 euro, but some card issuers have since raised it to 50 EUR. Below this figure, therefore, transactions are really quick and do not require any further form of verification.


And right here lurks the possibility of contactless-based scams. The important thing is that the amount is below the threshold beyond which the PIN is required.

This is an event that could occur in particularly crowded places, as shown by several videos published over the last few years. Some might argue that these situations are now almost always a memory, given the distancing rules that have changed our outings in society.

However, crowd or no crowd, what is presented as a very easy theft to perpetrate comes with some caveats, starting from the distance needed to carry it out (you have to be really a couple of centimeters from the pocket holding the card, to the point that pickpocketing would perhaps be easier) up to the traceability of the operation.

Each payment made with electronic tools leaves an indelible mark, because the money transfer is registered on the bank circuits with a charge to the holder of the card and a simultaneous credit to whoever manages the POS (to better understand the commissions, here we explained how they work), which would make it easy for the police to trace the person responsible for the scam.

That said, it is also true that the debit on the account does not appear immediately, and since these are small amounts they could go unnoticed, leaving the person responsible free for a long time; moreover, perhaps not many people would be willing to bear the legal costs necessary to get justice for such small amounts.
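Because small charges are the ones that slip by, a periodic statement review is the practical check. The following is an added example, not part of the original article: it flags contactless charges at or below the no-PIN threshold that come from merchants the holder does not recognise or that repeat on the same day. The CSV layout, column names, merchant names and sample rows are constructed assumptions, not a real bank export format.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# No-PIN threshold quoted in the article (50 EUR; formerly 25 EUR).
NO_PIN_LIMIT_EUR = Decimal("50")

# Constructed sample statement; the column names are assumptions.
SAMPLE_CSV = """date,merchant,amount_eur,entry_mode
2021-03-01,Bar Centrale,1.20,contactless
2021-03-02,Bar Centrale,1.20,contactless
2021-03-03,Supermercato Rossi,64.10,chip_pin
2021-03-05,Bar Centrale,2.50,contactless
2021-03-06,MPOS 4471,24.90,contactless
2021-03-06,MPOS 4471,24.90,contactless
2021-03-08,Libreria Verdi,18.00,contactless
"""


def flag_suspicious(csv_text, known_merchants, limit=NO_PIN_LIMIT_EUR):
    """Return (date, merchant, amount, reasons) for no-PIN charges worth checking."""
    # Keep only charges that needed no PIN: contactless and not above the limit.
    # Treating an amount exactly equal to the limit as no-PIN is an assumption.
    charges = [
        row for row in csv.DictReader(io.StringIO(csv_text))
        if row["entry_mode"] == "contactless"
        and Decimal(row["amount_eur"]) <= limit
    ]
    # Count charges per (day, merchant) to spot repeated taps on the same day.
    per_day = Counter((row["date"], row["merchant"]) for row in charges)

    flagged = []
    for row in charges:
        reasons = []
        if row["merchant"] not in known_merchants:
            reasons.append("unrecognised merchant")
        if per_day[(row["date"], row["merchant"])] > 1:
            reasons.append("repeated same-day charge")
        if reasons:
            amount = Decimal(row["amount_eur"])
            flagged.append((row["date"], row["merchant"], amount, reasons))
    return flagged


if __name__ == "__main__":
    known = {"Bar Centrale", "Supermercato Rossi", "Libreria Verdi"}
    for date, merchant, amount, reasons in flag_suspicious(SAMPLE_CSV, known):
        print(f"{date} {merchant} {amount} EUR: {', '.join(reasons)}")
```
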


Contactless scams can also occur without a POS, simply through the use of an NFC smartphone with the right apps. An example is the Credit card reader app: freely downloadable from the stores, it allows you to read public data on payment cards compatible with NFC and EMV standards.

Just bring the card close to the back of the smartphone to view the related data, from the circuit to which the issuing institution belongs, not forgetting the history of movements with the relative amounts, the type of transaction and the country.

In this case you can be relatively calm, because the app does not access the internet and does not show the card number unless you enter a few digits showing that you have the card in your hands; but it is not difficult to imagine that there may be other similar but less privacy-friendly versions, to put it mildly.

Several years ago, for example, a security expert raised the alarm after developing software to copy the data of a card via NFC and then replay it to a payment terminal with a smartphone. The scoop was picked up by Forbes, and it is still an interesting read; it can be found among the sources of this article.


Don’t panic though: to protect yourself from this type of scam there are various remedies, in addition to the evergreen advice to pay attention to where you put your card and who handles it. On the first point, one solution to prevent cards from being read is to line your card holders with aluminum foil, which prevents data transmission.

If you are not inclined to do-it-yourself solutions, it is possible to find on the market a wide range of wallets equipped with RFID blocking, capable of shielding any attempt to make the contactless cards stored inside work.

Otherwise, another way could be to block contactless payments on a specific card directly from the app, as many banking and fintech institutions now allow you to do. Or, as a last resort, you could also decide to leave the card at home and import it into Google Pay, Apple Pay and the like which, if supported, avoid any risk related to contactless, because to enable NFC payment you need to unlock your smartphone or smartwatch with a PIN or a biometric sensor.

In any case, the multiplication of contactless cards in our wallets must be matched by an awareness of how they work and of the possible resulting risks, in order to defend ourselves better: we must not forget that RFID technology also underlies other documents that contain sensitive information, from the electronic identity card to the biometric passport.

Content in collaboration with Skrill
