Is it really that easy to steal money from a paywave card?

Visa Paywave Viral

Just recently a video has been circulating online that showed how easy it is to steal money from a paywave or paypass card. The man held a card terminal towards a person’s butt and it manages to get a card approval for a $0.05 transaction. But is this really true? Before you hit that share button for the video, here are the facts that you need to know.

Only registered merchants can accept Paywave/PayPass payments

Firstly, the video showed a card terminal and it isn’t some equipment that any Tom, Dick or Harry can buy off the shelves. You need to be a registered merchant and this means you must have a registered account with a bank or a financial provider. If a business owner wants to pull this off, he has to think twice because all transactions are recorded and the cardholder can always file a dispute for unauthorised transactions.

If you think about it, the last thing a criminal wants is to be tracked and it doesn’t make sense for anyone to use a merchant card terminal to “tap” on your card. Even if it’s intentional, they can’t go too far as a merchant with repeated fraud cases will be terminated.

It is not easy to scan a card that’s in a wallet

Another thing to consider is the ease of scanning the card. Visa Paywave or Mastercard PayPass uses NFC (Near Field Communication) which works only within a few centimetres. Normally, your paywave card is placed together with other cards such as your Touch ‘n Go card, IC (latest version has Touch ‘n Go embedded) and security cards in your wallet.

When they are placed together, it is impossible to scan as the other cards will confuse the reader. For this to work, it must be a clear contact without any interference in between. This fear mongering of contactless payments had started a new unnecessary trend of RFID blocking sleeves and wallet. In a nutshell, there’s nothing to worry about if your paywave card is in your wallet.

Of course, there’s also common sense. While the banks and credit card providers have their own safety layers in place, you would still need to keep your card safe just like cash. The difference with cash is that if you lose your wallet, you can still protect your balance by blocking the card and you can always dispute unauthorised transactions. The worst thing you can do is to keep a note of your PIN number in your wallet.

Think about it, banks will not adopt a technology that’s easily compromised. Banks hate fraud as much as consumers do and they will not introduce paywave or paypass if it is insecure. We have migrated from an easy to clone magnetic stripe card system to a chip-based EMV card that encrypts your card with random codes. There’s also the PIN requirement and for online transactions, you’ll need to verify the transaction with a generated code that’s sent to your mobile number.

Paywave uses the same technology and a pin number is required if the transaction is more than RM250. For anything less than that, it works just like Touch ‘n Go. Have you heard people complain how easy it is for people to steal your Touch ‘n Go credit? As mentioned earlier, the chances of someone tapping your card is extremely low, as the card reader will get confused with other cards in your wallet.

Even if you’re super paranoid, there’s also Samsung Pay which allows you to save your paywave or paypass card onto your phone. No matter what amount the transaction is, you’ll need to unlock your phone first and verify with your fingerprint or iris before you can use your smartphone to pay.

In case you missed it, Bank Negara Malaysia had issued a statement that electronic pick-pocketing claims are false and you can read more about it here.

Know someone who is unconvinced? Do share this post with them.

Alexander Wong