24

There is quite a lot of good coverage on Skeptics already of the security of RFID and contactless credit/debit cards, but it mainly focusses on card cloning and identity protection/privacy/tracking issues.

However, another issue which you see a certain amount of public paranoia about is whether people with contactless POS sale terminals could be simply wandering the streets helping themselves to small amounts (below PIN verification threshold) from unprotected cards in people's back pockets, handbags or whatever. (This is sometimes described as "electronic pickpocketing", which is somewhat confusing as the term seems to also be used for the identity-theft variety of information skimming too).

Examples:

However, I note that the marketing around RFID-proof wallets generally seems to emphasise protection against identity theft rather than protection against this more direct sort of monetary theft.

My question is simply: have there ever been any documented instances of anyone actually doing this sort of electronic monetary pickpocketing for real criminal profit? (A link to a record of a successful prosecution would be pretty convincing).

timday
    Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/78676/discussion-on-question-by-timday-are-criminals-wandering-around-with-contactless). – Oddthinking Jun 09 '18 at 18:30

1 Answer

4

Roger Grimes is a computer security professional. In late 2017, he wrote an article for CSO describing his search for confirmed examples of people having their credit cards skimmed by an RFID reader:

> I’ve frequently said that I can’t find a single documented case of RFID credit card crime.
>
> [...]
>
> I decided that I was going to hunt down that data, once and for all, and find out if RFID credit card crime was real. I contacted nearly a dozen organizations connected to RFID credit card security including VISA, Mastercard and the Secure Technology Alliance. I even contacted the creators of the UK report referenced above, which got me in touch with the UK Finance division.
>
> I could not find any public evidence of a single RFID contactless real-world crime being committed, and the most knowledgeable officials I spoke with off the record did not think there would be any matching the fraud scenario I was seeking.

He gives some explanation of the technical reasons why he believes such crime - even if technically possible in some circumstances - would not be profitable for criminals.

Oddthinking
  • (This is one of [those answers](https://skeptics.meta.stackexchange.com/questions/3927/what-makes-a-good-the-answer-is-unknown-answer/3932#3932) where an appeal to authority is made that there is an absence of evidence, because it is as close as we can hope to get to show there is evidence of absence.) – Oddthinking Jun 07 '18 at 14:40
  • Nice article; thanks. I agree it does indeed fit the "appeal to authority" thing mentioned in @Oddthinking's "those answers"... but for me this is good enough to accept. The author seems to have dug deep enough I find it hard to believe he wouldn't have turned up more concrete evidence if it was out there. – timday Jun 09 '18 at 10:30