Is remote card scanning (contactless payments) a viable attack for fraudsters? Has it been done?*

Well before contactless payment cards were a thing, I got firsthand experience of the risk of remote scanning of contactless cards.

This happened with a contactless library card 10 years ago. As I highlighted in The Clear & Present Danger With Contactless & NFC Payments:

With RFID reader kiosks reading the RFID tags embedded inside every book, the issue and return of books have become a frictionless, self-service process across the chain.

During this trip, I selected a book and placed it on the kiosk. When I tapped the ‘Issue’ button, the kiosk read the RFID tag in the book and displayed its title on the touchscreen. But, alongside the book I wanted to borrow, I noticed another book in the list. When I pointed out the spurious entry to the store manager, she had a quick look at the screen and told me to ignore it. It turned out that the false alarm was raised by a book being read by one of the library’s staff sitting beside the kiosk. In other words, the kiosk wrongly scanned a book that wasn’t placed on its tray but happened to be situated a couple of feet away.

As I was filing out of the library, I overheard the store manager grumbling to her colleagues about the kiosk’s temperamental behavior: on some days, it failed to identify books placed on its tray, whereas on other days, like that one, it overzealously scanned books located several feet away.

I generally don’t get scared off a new payment technology just because someone somewhere claims to have hacked it and proved it to be unsafe – greater convenience tends to win me over. But, on this one, I think the aforementioned technophobes and security pundits have got a point.

So, yes, it is technically viable to skim credit card info off of a contactless credit card. And I’m guessing it has been done from time to time, but the data breaches that make it to the 6 o’clock news happen on the server side, where the attacker can steal millions of credit card details in one go.

However, for reasons very well explained in Nigel Tolley’s answer to Is remote card scanning (contactless payments) a viable attack for fraudsters? Has it been done?, I seriously doubt that this form of theft is commercially viable.

Nonetheless, as I concluded in PINless Card Payments – Innovative Or Harebrained? soon after PINless card payments were launched:

Overall, I think the PINless regime is innovative for credit cards but harebrained for debit cards.

I only use credit cards for shopping. As highlighted here, that’s because they offer several benefits, like float from deferred payment, rewards, greater fraud protection, better redressal against fraud, and credit history.

Accordingly, I restrict the use of debit cards to withdrawing cash from ATMs.

But, just like my credit cards, I’ve always kept my debit cards inside my wallet.

But not any more. Stolen contactless debit cards could wreak havoc under the PINless regime.

As a result, I’ve removed all debit cards from my wallet and now take them out of home only when I’m going to visit an ATM.

*: This is the original question I answered. I’m repeating it to help me make sense of my answer in case it’s moved to / merged with some other question that I didn’t answer.