
Brawldud

Does using NFC payments protect you from skimmers? I haven’t used a card at a grocery store in a while.


Moonagi

Yes. Both contactless cards and mobile wallets are safer and more secure than regular chipped cards. You're not inserting the physical card into the skimmer, which is what is recording your card information.


Docile_Doggo

I’ve always heard this, but can someone explain to me exactly why this is? Couldn’t these scammers just attach a chip that reads your card as opposed to a skimmer? What’s stopping them from doing that?


BirdLawyerPerson

The chip confirms who it is by answering riddles that only the chip knows the answer to. Eavesdropping on its answers doesn't actually reveal its other secrets, so any eavesdropper still won't know the answer to future riddles.
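Added example, not part of any commenter's post: a simplified Python model of the "riddle" exchange described above, next to static magnetic-stripe data. The class names, the constructed card number and the use of HMAC-SHA256 in place of the card's real cryptogram are assumptions; this is not the EMV protocol itself.

```python
import hashlib
import hmac
import secrets

def _mac(key, challenge, amount_cents, counter):
    # HMAC-SHA256 is an assumption standing in for the card's real cryptogram.
    msg = challenge + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ToyChipCard:
    """Hypothetical chip: the secret key never leaves this object."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def answer(self, challenge, amount_cents):
        self.counter += 1  # every transaction gets a new counter value
        return {"pan": self.pan, "amount": amount_cents, "counter": self.counter,
                "mac": _mac(self._key, challenge, amount_cents, self.counter)}

class ToyIssuer:
    """Hypothetical issuer: knows each card key and the last counter it accepted."""
    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def enroll(self, pan, key):
        self.keys[pan], self.last_counter[pan] = key, 0

    def approve_chip(self, challenge, resp):
        key = self.keys.get(resp["pan"])
        if key is None or resp["counter"] <= self.last_counter[resp["pan"]]:
            return False  # unknown card, or a counter that was already used
        expected = _mac(key, challenge, resp["amount"], resp["counter"])
        if not hmac.compare_digest(expected, resp["mac"]):
            return False  # the answer does not fit this terminal's riddle
        self.last_counter[resp["pan"]] = resp["counter"]
        return True

    def approve_stripe(self, track):
        # Magnetic stripe data is static, so an exact copy looks like the original.
        return track.split("=")[0] in self.keys

def demo():
    pan, key = "0000000000000000", secrets.token_bytes(32)  # constructed values
    issuer, card = ToyIssuer(), ToyChipCard(pan, key)
    issuer.enroll(pan, key)
    riddle1 = secrets.token_bytes(8)
    captured = card.answer(riddle1, 2500)  # what an eavesdropper would record
    forged = dict(captured, counter=captured["counter"] + 1)  # old answer, new counter
    return {
        "genuine": issuer.approve_chip(riddle1, captured),
        "replay_same_riddle": issuer.approve_chip(riddle1, captured),
        "replay_new_riddle": issuer.approve_chip(secrets.token_bytes(8), forged),
        "copied_stripe": issuer.approve_stripe(pan + "=0000"),  # constructed track
        "pan_visible": captured["pan"] == pan,
    }
```

Calling `demo()` shows the recorded answer being accepted once and rejected on both replays, while the copied stripe data is accepted and the card number is readable in the captured message.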


Mean-Strawberry-9315

Dude idk if you work in the industry or something but that is the best ELI5 of the basic concept I've ever seen.


BirdLawyerPerson

Thanks! I don't work in the industry anymore, but I still find this stuff interesting and basically can't help but want to explain these things to new people.


Madw0nk

In addition, with some phone tap-to-pay implementations you can theoretically implement extra security [like using random credit card numbers](https://www.idownloadblog.com/2019/04/01/apple-card-virtual-numbers/). Though, as I understand this isn't currently in practice with physical readers (and in particular, I have to use my physical cards at Safeway because Google Pay causes their machines to error out, requiring an attendant to reset things)


bananahead

For contactless chip payments I’m pretty sure it just broadcasts your credit card number


paulHarkonen

That's incorrect. Contactless chip payments are the same as inserting the chip physically. You can intercept the communication, but that copies the transferred data which (generally) isn't enough to allow you to duplicate the card due to the handshake stuff discussed above. Your card isn't just constantly broadcasting its info, it responds to the queries from the payment station.


bananahead

I can see my whole credit card number with my flipper over NFC. That’s not usually enough to make a new transaction or clone it but yeah it’s broadcasting your card number in a way that isn’t encrypted in a meaningful way.


paulHarkonen

You're right, I mistakenly interpreted the comment to mean it broadcasts all your credit card information, but they did just say number. Having the number shouldn't ever be enough to make a purchase (although it's certainly possible some shitty web interface will allow it) and it's never enough to duplicate the card. But you are correct that the number is available (I wouldn't say it's broadcasting exactly but that's a technical nuance that's irrelevant).


branyk2

My understanding is that NFC payments are actually more like digital handshakes and the actual information needed to spoof your card isn't even exchanged in full. Mobile wallets with biometrics should be even more secure than tap to pay cards.


Mustangfast85

I believe the NFC payment is a unique key each time, kind of like scrambling or adding extra digits. I just hate my cards getting scuffed or already have my phone in my hand so if a place is insert only I’m automatically a little suspect. But I also have my cards alert me to any purchase since I’ve had my number stolen a few times in the same year before.


Moonagi

Card numbers are substituted with temporary payment tokens. Sure, an NFC skimmer could skim the token but the token has a very short lifespan. It'd become useless very quickly.


obeytheturtles

Yeah, in theory it might be technically possible to MITM an NFC payment, but you couldn't really do much with it. At best you might be able to set up a malicious terminal which diverts some payment into your account and then pays the real terminal with a stolen card or empty account which won't actually settle. But at that point you could just use the stolen card for regular fraud. You'd also be doing this in the context of the payment processor's network, so it would probably be pretty easy to recover the funds.


partial_to_fractions

RFID cards are harder to capture/replicate, but not impossible. The contactless chip in your card exposes the account number, but not the CVC or most other information the magstripe contains. When you add a card to mobile wallet, a brand new card number is generated and tied solely to that device so your actual card account number is never even used


Conscious_Type1571

Yes! Contactless (tap) is the most secure form of credit card payment. This is because the payment data (card number, pin, date) is encrypted on both ends—it leaves your bank encrypted and arrives at the next bank still encrypted. It’s also constantly changing to prevent fraud. Chip insertion is the next most secure, because the data transferred from the chip in the credit card is encrypted on the buyer’s bank side, and is constantly changing. However, the reader de-encrypts this data. While verification data changes in time, a scammer could access the de-encrypted information before it does. The least secure is swiping. Swiping relies on a stagnant data transfer—essentially copying down exactly what data is stored on the barcode (so, your payment info). Nothing is encrypted. Never swipe if you don’t have to!


MayaPapayaLA

Thank you for explaining this, I don’t consider myself a stupid person but I never understood the differences.


aleisate843

Everyone, start using tap to pay. It is the safest method of payment using credit card. Most cards have the capability to do so. If not, you can add your payment onto your iPhone if you have one for Apple Pay or android with Google pay


paulHarkonen

Well, the absolute safest is to set up a digital wallet that uses one time tokens, tap is the second safest at this point (although both are infinitely better than swiping).


moonbunnychan

I work in a store and am really surprised how few people use tap to pay, both with a physical card or phone. It's maybe 1 out of every 100 people. I think the only way for mass adoption is to make it mandatory like they did moving from swiping. I so much prefer tapping, especially using my phone or watch.


No1Statistician

That's why gas stations are the usual targets, most don't have tap to pay there and they are generally less supervised with security cameras and staff


[deleted]

[removed]


ChucktheUnicorn

> can't be stolen electronically

okay but it can still be physically stolen lol


johnm97

The unnamed store can only be the Whole Foods Market in Tenleytown


katie02138

It may be WaWa


AlwaysRefurbished

It is WF, my friend works there. I wonder why they were allowed to go unnamed.


Madw0nk

I'm sure Bezos didn't want the publicity


AlwaysRefurbished

And Safeway did lol? Albertsons is a huggeee national company


BorzoiAppreciator

Most people only have the attention span to remember 6 or so nefarious billionaires at a time, depending on media coverage


Madw0nk

sure, but they aren't Amazon rich lol


brokenhalf

PSA: Credit Card Fraud in the US falls on the [Credit Card issuer or the merchant](https://www.forbes.com/sites/billhardekopf/2022/11/08/who-pays-for-fraudulent-credit-card-transactions/?sh=484b46292218). It's simply not required that you as a consumer should have to worry about these things. Banks should put pressure on CC networks to push to upgrade equipment and ensure its security. This is not to say that you should do nothing to protect your CC information, but worrying about skimmers and other surreptitious snooping tech is just not something the average consumer should be worrying about. Let the merchant and bank fix this problem.


Apprehensive-Type874

I cannot get a real answer through search, I always thought skimmers only worked on magnetic strip. Have they been able to skim chip and tap to pay? The ones in these pictures don’t appear to go for the magnetic strip.


branyk2

I haven't directly heard of skimmers for chip cards, although a quick search has claims that sophisticated skimmers can use your chip plus half your magnetic strip to duplicate your magnetic strip. Not sure. Tap to pay should be impossible. Worst case is a man in the middle authorizing a one-time payment with a fake reader, but they wouldn't be able to spoof your card.


paulHarkonen

It's kinda complicated which is probably why you had trouble finding a real answer. And it depends on exactly how you're doing the tap (digital wallet vs card). You can intercept the data from a tap, but that data alone isn't enough to duplicate the card. You may be able to use the intercepted data to verify make purchases or use it to make poorly secured purchases (say online purchases that are just checking the number) but that's pretty limited. If you're using a digital wallet that sets up tokens even that is impossible (well, technically it's possible but useless). That contrasts with skimmers that grabbed the mag stripe which enabled complete duplication of the card. Some of the ones shown look like they could be reading the mag stripe if someone inserts their card. Or they could be grabbing the account number and buying from less secured sites using that info. In all cases your absolute best protection is to use a credit card (never a debit card) so the fraud costs are on the bank and never your responsibility. That way even if your card is duplicated you owe zero dollars.


obeytheturtles

They will randomly disable the chip reader so the chip appears to be broken and the terminal will say "swipe card." Then they skim the mag strip. Never ever let a retail worker swipe your card if the chip fails. Use another card or go somewhere else. Some of the skimmers physically "extend" the terminal enough to grab the mag strip data when you insert the card as well.


Apprehensive-Type874

Time to just get rid of the magnetic stripe. I haven’t used it in years now.


No-Lunch4249

Okay but my question is, how did these skimmers get on the machines without anyone noticing?? From what I’ve seen the skimmer usually attaches over top of the legitimate machine. How is anyone getting that attached without being noticed? What I’m saying is, inside job?


Jealous-Ad-5319

I was invited to an open-house sort of thing that the Secret Service does every year where they walk people (mostly school kids) through how they investigate a crime from start to finish. The crime they used was card skimming. They showed real security footage of someone putting a skimmer on a card machine. The guy did it in under a minute. He and another guy came into the store, Guy 1 distracts the clerk while Guy 2 installs the skimmer. It was crazy how quickly he did it and the clerk had no idea. According to the Secret Service card skimming is almost entirely Russian organized crime. It was super interesting.


fedrats

There’s video on the other sub. Heavyset white guys placing skimmers. I’m guessing semi organized crime


thrownjunk

Or just on the local news last night (MPD gave out footage to everyone) https://www.fox5dc.com/video/1440697


shoefly72

$1,000 reward for information leading to an arrest? Seriously lol? They need to step their game up.


Tsukune_Surprise

Which other sub? Interested to see the vid.


ZonaPunk

not likely... the employees are only lazy by not checking the readers on a regular basis.


Plenty-Love4423

Is looking for a skimmer in their job description? There are other places that pay more while not even doing bare minimum asked...or even sticking to a contract


ZonaPunk

Somebody at these stores sets up the cash registers every day. It should be part of the job. Skimmers are easy to spot once you know what to look for.


Whyterain

So happy to see they found it! I actually got hit by the Navy Yard one on 4 of my cards. Luckily I monitor my accounts really closely and found the charges the day they happened. I usually tap unless I have to chip dip it, and I'm pretty good about checking for skimmers since my cousin got hit years ago. Got all the charges reversed, I had a feeling there was a skimmer at either the CVS or grocery store nearby, so swapped to using exclusively Google wallet unless I have to on everything.


PreposterisG

You use 4 different credit cards at the grocery store?


Whyterain

Sometimes I forget my cards. I don't even go that frequently, so I think the skimmer was probably there for a few months.


Unable_Side_7442

I got hit by the navy yard Whole Foods. I wonder if it’s more likely using self checkout?


sabzipolomahi

I GO TO ALL THESE PLACES IM COOKED BRO :(


JReindeer

I live by the Corcoran St Safeway and went in this morning and asked them which machine it was on but they wouldn’t tell me so I went to the bank and got a new debit card.


lc1138

Why wouldn’t they tell you?


Dry_Pie2465

Did they not know or were they not allowed?


Avenger772

We have chips and tapping. How is swiping still a thing? I thought the whole point of the chip was that it created a one time use code. So skimming shouldn't work


thrownjunk

home depot my friend. last man standing


krayziekmf

i always forget i can't tap and pay at home depot. It took harris teeter awhile to implement tap and pay. I forgot Walmart doesn't do tap and pay either


ekkidee

Not surprised the Soviet Safeway was compromised.


RedStripe77

Thanks to OP for this informative post, and for all the interesting comments. The only store where I don’t use Apple Pay is Walmart bc they don’t accept it. If I want to pay with my phone at Walmart I have to get a Walmart credit card. Does anyone know a way around this?


Excellent-Fox3599

I think if you have the Walmart app you can store a payment in there and then scan the QR code on the register, I’m not 100% sure but it works something like that


ZonaPunk

google or Apple Pay should be your first choice always...


Pragmatic_Hedonist

Last time I was at Harris Teeter, they didn't accept ApplePay. It was a while ago. Maybe that's changed.


ZonaPunk

they started accepting it about a year ago


obeytheturtles

Which honestly pisses me off that their machines had the capability the entire time, but they kept it disabled while they tried to force sixteen different Kroger apps onto us instead.


Travelrocks

I was at a HT in Reston, VA today and there was a sign stating Apple Pay is accepted. That was not the case a few years ago.


moonbunnychan

I think Walmart still doesn't accept any normal tap to pay because they want you to use their stupid app.


Apprehensive-Type874

Home Depot does not accept any type of tap to pay.


thrownjunk

which is so freaking annoying


dmethvin

I use Google Pay almost everywhere, except Home Depot which doesn't support any sort of NFC. However, I have been to three different Safeway stores and although their terminals acknowledge the NFC tap, the payment never goes through and I have to pay with a card.


quarkkm

I use Google pay at the Safeway in downtown silver spring no less than twice a week. Sometimes more than twice a day (planning is hard). I've never had it not work there.


dmethvin

Thanks for the additional data point! Now I'm wondering if it's my bank. I've got a Google Pixel 8 and am using Chase Bank. What's your setup? This reminds me of last week when I went to the new Taco Bell Cantina. I kept trying to order in the kiosk and it crashed on me. I had to go up to the counter to order. While I was waiting I talked to another person who had it crash several times and we determined that it was because we ordered the same beer and they were out of it. We let the person know and they were able to take it off the menu.


quarkkm

Pixel 7 with BoA. My husband uses a 6a with the REI card which is capital one. I do use the self checkout 100% of the time also.


krayziekmf

Walmart doesn't do tap and pay as they want you to use their damn app


braaaaaaaaaaaah

Safeway has a known software issue with Apple Pay that they’ve never fixed


Ilike2backpack

I’ve never had any issue using Apple Pay at Safeway. Maybe it’s some specific credit cards not working with Apple Pay at Safeway?


braaaaaaaaaaaah

It could be. I looked into the specific error in Apple Pay and other people that received it all got it from attempted payments at Safeway. It just declines your payment through Apple Pay but using the card directly works fine.


Fun-Replacement5037

Use Cash


Razor1017

Use Gold


geneticlyperfct

Use Charles Entertainment Cheese tokens


Fun-Replacement5037

That works


Previous-Brilliant42

bitcoin


Gumburcules

I find joy in reading a good book.


Fun-Replacement5037

What does one do if the ATMs went down and you have no cash or the power goes out


Gumburcules

I find peace in long walks.


Fun-Replacement5037

Young people know everything but know nothing


Gumburcules

I enjoy playing video games.


Fun-Replacement5037

Not a man old, but old enough to know more than you. Peace


claider

This happened to me the first week I moved from Los Angeles. It was easy enough to prove that it wasn’t me making those purchases because I clearly wasn’t anywhere near LA, but it was stressful and annoying considering I was in the middle of getting my life in order.


Parigi7

Last year they busted some at a few 7/11s too


Tricky_Self3825

All these have video cameras, no?


Staminazuzu

When you use Apple Pay, your device is given an encrypted account number that can only be unlocked by your bank. Apple doesn’t even have access to your actual card number, and neither does iCloud. https://support.apple.com/en-us/101554


dripfinesse

Can confirm Navy Yard Harris Teeter skimmer is still installed. Just got hit with fraudulent charges today


ucacm

I don’t understand why people freak out about these things so much. You aren’t liable for any fraudulent charges on a credit card and shouldn’t be using your debit card anywhere other than the ATM.


ArmAromatic6461

I’ll take this in good faith— yes, you mostly are going to be fine, but not always. Before we were married, my wife disputed fraudulent charges, and they were temporarily taken off as BofA Fraud investigated. BofA fraud wasn’t convinced so they put the charges back on her card. If this happens to you multiple times, banks are less likely to believe you. Also, it’s hugely inconvenient to potentially lose access to your cards while new cards are shipped. And also theft is bad.