
Guy spotted wandering London Tube skimming contactless cards with POS device - butler14
https://www.facebook.com/photo.php?fbid=10154000160962146&set=a.10150122896072146.326593.564277145&type=3&theater
======
domas
Looks like this FB post is just a hoax.

Linked FB post is not an original. There is an older story here in Russian:
[https://tjournal.ru/22625-staling-money-with-
terminal](https://tjournal.ru/22625-staling-money-with-terminal)

------
tomcart
Maybe someone else can confirm, but that doesn't look like any TFL carriage i
know. In fact, it looks a lot more like moscow:
[http://thumbs.dreamstime.com/z/inside-modern-subway-
car-1214...](http://thumbs.dreamstime.com/z/inside-modern-subway-
car-1214290.jpg)

and was posted on EnglishRussia a week ago:
[https://twitter.com/EnglishRussia1/status/697017291494596608](https://twitter.com/EnglishRussia1/status/697017291494596608)

It may have existed before this...

~~~
anton_gogolev
It is indeed a carriage from one of the Russian underground systems. I vaguely
recall having seen this story sometime ago, and back then it was reported that
this guy was spotted in Moscow underground, but these kinds of carriages can
be seen in Moscow, St. Petersburg, Kiev and possibly other cities.

------
oavdeev
Exact same photo was making rounds in Russian Facebook few weeks ago, judging
by the door and the handle I bet it is indeed Moscow, not London.

As in this case, no one saw the guy actually skimming cards. Also if he was
doing really that, why not hide POS in a bag or his pocket?

~~~
at-fates-hands
This was my reaction.

If you're skimming cards, you probably want to make sure your target is
unaware of what you're doing less someone sees you and notifies transit cops
or some other authorities and you get arrested.

------
awjr
I don't get this. Credit Card fraud is used to acquire goods from unsuspecting
traders. This requires a trader to have a POS and money is not usually
credited for 1-4 weeks, by which time his/her account will be frozen and the
police on the way.

~~~
forgetsusername
No kidding. If you're collecting payments through a credit card processor,
this sort of scam would be shut down and reversed almost immediately, since
the credit card company is directly in the middle of the transaction.

~~~
cissou
While you're mostly correct, it doesn't prevent people from "trying" this sort
of scam. IIRC Square had to fight many battles like this, where fake
"merchants" would open a Square account, swipe stolen cards, move the money
away from Square and close their account. It's many small time crooks, not one
big operation (it doesn't take a genius to figure this out), so it's actually
really hard to fight.

------
snake_plissken
Why would anyone ever pull a scam like this? To get a POS terminal, don't you
have to submit a lot of personal information? And then, how would you
anonymously get the money from the bank? It's not like you could do this over
a long time lime where you slowly accumulate < $30 charges and then one day
withdrawal all of the money. You would surely get flagged?

------
shawabawa3
I doubt he's actually skimming cards.

The risk-reward is pretty terrible. It's hard to subtly press it up against
someone's pocket, and the range is pretty bad, and the first time anyone
notices your account is frozen and you'll be prosecuted

------
butler14
For those inclined, you can get neat little leather sleeves that have two
pockets, one protected, one not, here [https://www.faradaystore.com/rfid-
blocking/wallets/](https://www.faradaystore.com/rfid-blocking/wallets/).

Helps me keep my debit/credit card safe(?), but if nothing else, stops it
clashing with my Oyster, which can otherwise be a pain.

~~~
gboudrias
At this price it might be cheaper to ship it from ThinkGeek (although they
seem only only have the S.H.I.E.L.D. model nowadays...):
[https://www.thinkgeek.com/product/1d95/](https://www.thinkgeek.com/product/1d95/)

~~~
bryan11
One can make an RFID shield for a folding wallet fairly easily. Take a manila
folder or something similar and cut it to tightly fit in the outside pocket.
Cover that with aluminum foil, then cover that with packing tape.

Place this in the outside pocket of the wallet, fold it so the RFID shield
covers the contents, and cards inside are protected.

------
mjs
If you connect your card to Apple Pay you get an immediate notification every
time your card is charged (might depend on the bank), which is useful for
detecting this sort of thing.

Actually I'm not sure why Apple Pay should be necessary--if you have the
bank's app installed that should generate notifications on "purchase" as well.

~~~
samwillis
I only seem to get the notification on the phone if it was a transaction
initiated with Apply Pay. I don't get them when just using the contactless
card.

(I think 'modern banking with apps and notifications' is what new UK banks
like Mondo[1] and Atom[2] are aiming to do)

1: [https://getmondo.co.uk/](https://getmondo.co.uk/) 2:
[https://www.atombank.co.uk/](https://www.atombank.co.uk/)

~~~
underyx
>(I think 'modern banking with apps and notifications' is what new UK banks
like Mondo[1] and Atom[2] are aiming to do)

Yep, I'm a customer of [https://number26.eu](https://number26.eu) and I often
get a push notification about online payments even before I'm redirected back
to the merchant's site.

------
ck2
How to disable contactless cards

[http://www.instructables.com/id/Disabling-Contacless-
Payment...](http://www.instructables.com/id/Disabling-Contacless-Payment-on-
Debit-Cards/step2/How-to-disable-it-on-your-card/)

------
danso
Naive person here: if this is a thing that works, how did it escape notice as
an attack vector in the stages in which this technology was debated and
standardized?

~~~
matthewmacleod
It didn't. This is a known attack vector; the decision has been taken that the
costs of cancelling fraudulent transactions are less than the benefits from
allowing easier payment.

------
happywolf
What this guy can take advantage will be victims don't check their bank
statements carefully and he can get away with the money, or else he will be in
pretty bad shape to handle all the charge-backs. I will say the chance of a
stolen POS is low as his goal is to get the money. If he borrows the POS from
his merchant friend for this purpose, then that is not cool at all.

To me this is not a serious security threat to ordinary people.

~~~
shiftpgdn
Charge a penny and then refund it to capture the details for a recurring
charge. 30 days from then you can hit the card with a $5 charge using some
ambiguous merchant name like "Card validation services".

90% of people don't inspect their bank statements close enough to notice
something like this. Get 1000 people and that's a healthy sum for a criminal
to live off of.

~~~
mseebach
> 90% of people don't inspect their bank statements close enough

But 10% of people is more than enough (by a substantial margin) to get the
operation shut down, the money (all of it) returned, and probably land the guy
in jail.

------
molecule
Other commenters have pointed out that this does not appear to be on the
London Tube. The post mentions nothing saying that the poster took the
photograph or that it was on the London Tube, the London-Tube association of
the HN headline seems to be mis-inferred from the poster's location,
Edinburgh, United Kingdom, although that's quite a ways from London...

------
notliketherest
Of course this is possible. Sign up for a Stripw account, feed it a PAN
(credit card number), and charge it. With anti fraud mechanisms however,
you're not going to get very far.

------
est
Tin foil wallets is already a thing these days.

~~~
Rafert
Or solid aluminium if you're looking for something more fancy:
[https://www.secrid.com/en/](https://www.secrid.com/en/)

------
belltyler
"And I would have gotten away with it, too, if it weren't for you meddling
kids!" \- Guy carrying POS device

------
YeGoblynQueenne
For the record device is Verifone VX 680.

This must be the dumbest thief ever. They practicality signed their theft.
With their real name.

------
yread
I'm definitely NOT buying an RFID-blocking wallet if they have to do marketing
with hoaxes like this

------
Aoyagi
This is Russia. I have no difficulties believing it's genuine.

------
rbobby
Yet another reason why we can't have nice stuff. Sigh.

~~~
herbst
Contact less payments without verification is certanly not "nice stuff" but
simply negligently and stupid.

~~~
lloydsparkes
Its nice because it makes payments significantly faster especially for small
transactions.

When your in a busy shop getting lunch, or a bar, it saves a significant
amount of time and effort.

~~~
Majestic121
It does save you some time, but is this time worth the security downgrade?

I guess it is up to each person to answer this question.

The main issue I have with this is that no one gave me a choice : I received
my card with this feature turned on and absolutely no way to have a card
without it (I asked at the bank).

~~~
herbst
I changed banks about things like this. My bank once thought that i have to
have Online Banking with my account, while all i wanted (and still do) is
absolutely no remote access except with the debit card. They also told me that
their eTan is much safer than the classic Tan system via post so they stopped
it.

I really think less is more when it goes about the safety of my money.

------
viggity
wait, so there is no pin that you have to enter?

~~~
yoz-y
For contactless payment, no. But the transactions are limited in amount
(according to the article in UK it is 30 GBP and here in France it is 20 EUR).
You can also pay only a certain amount before having to use "standard" method
with chip & pin.

~~~
Systemic33
I'm fairly certain you don't need to use chip, but you do need to use the PIN.

~~~
manarth
In the UK at least, PIN-challenges for contactless payment are random. I've
heard it's supposedly approx 1 in 10 payments require the PIN, but I've been
using contactless payment for just over 6 months, and it hasn't asked once
(I've also used it a few times in mainland Europe, again, no PIN needed).

------
kombucha2
this is stupid

