Mobile wallet pickpocketing risks low

Near-field communication-enabled mobile wallets susceptible to remote skimming but possibility of such threats minimal, say observers, with one adding users should adopt same precautions as physical ones.
Written by Liau Yun Qing, Contributor

There have been demonstrations of mobile wallets enabled by near-field communication (NFC) being skimmed and the information stored on the device stolen, but these are not live examples and there appears to be little risk of users being pickpocketed remotely, industry watchers pointed out.

Paul Ducklin, head of technology for Asia-Pacific at Sophos, noted that in all the demonstrations of e-pickpocketing he had seen so far, the person attempting the theft had to "touch the near-field communication reader pretty much flat" against a user's mobile wallet, but doing so is easier and "less suspicious than it sounds".

"Of course, reading the NFC data off a credit card doesn't give an attacker any more than they'd get with a traditional handheld credit card skimmer. It's just that the skimming can be done slightly more easily," he added in his e-mail.

David Maxwell, director of RFID Protect, added that as a crime, pickpocketing has been in existence for hundreds of years and just as with physical wallets, the act requires "considerable skill, dexterity and often the ability to misdirect the attention of others that might otherwise seek to alert the victim". As technology moves ahead, so will the tools used to commit such thefts. Today, criminals can rely on an RFID skimmer to remotely scan data from mobile wallets or contactless credit cards, he added.

For instance, in a video titled "Electronic Pickpocket", Walt Augustinowicz, owner of ID Stronghold, which sells radio frequency identification (RFID) shields for mobile wallets and credit cards, was shown using an RFID skimmer to access the victim's credit card details without making physical contact, said Maxwell.

Augustinowicz went on to claim that he was able to use the stolen credit card details to make a purchase and have goods delivered in the manner of a legitimate e-banking transaction, said the RFID Protect director.

"Only time will tell whether there is any real substance to this video," said the director.

"If the claims made by [Augustinowicz] hold up, then there is compelling evidence to suggest that this is something for those of us carrying contactless devices to be genuinely concerned about," Maxwell said.

However, payments company MasterCard dismissed the possibility of e-pickpocketing. In a February blog post, Oliver Manahan, vice president of emerging payments at MasterCard, said users should "take comfort knowing there is very little truth to the reports of [e-pickpocketing] fraud".

"The truth is that even in the unlikely event someone was able to fraudulently access your [NFC-enabled] PayPass card details, they would only have a minimal amount of information, which is typically not enough to make a counterfeit card or conduct payment transactions, either in person, on the phone or online," he said then.

Elias Ghanem, managing director and general manager for Southeast Asia and India at PayPal, added that a digital wallet is "a lot safer" than a physical wallet. In his e-mail, he noted that with PayPal, users' credit card or bank numbers are never stored on the phone, nor are they shared with the merchant.

The payments provider announced earlier in November that its latest version of the Android PayPal app is now equipped with peer-to-peer NFC capabilities and users can transfer money to each other as long as they have NFC-enabled Android phones and the app running.

Protect your mobile wallet
Given that mobile wallets are gaining traction, with major vendors such as Google, MasterCard and PayPal promoting such services, and are already being used in technologically advanced markets such as South Korea and Japan, Ducklin stressed that users need to be more mindful of how they safeguard their mobile devices.

He called on consumers to adopt the same precautions with their mobile wallets as they did previously with their physical wallets.

Maxwell concurred, saying that like a regular wallet, the content of a mobile wallet will remain secure as long as the owner can account for its whereabouts and is wary of it being taken away by force. He added that users can carry their NFC-enabled devices in a shielded holder to protect them from being skimmed.

Ghanem added that users should choose a mobile wallet service that does not store their sensitive financial information on the mobile device. This way, should their phone get lost or stolen, thieves won't be able to access the owner's personal information and accounts, he added.

One consumer ZDNet Asia spoke to on Twitter was undaunted by the possibility of mobile wallets being e-pickpocketed, though. Qooofy said: "I can't wait for [mobile wallets] to come so I can bring only my phone out with me."
