In our review of Bellroy cases, we had a short conversation with one of the readers. In it, we compared the security of a regular bank card with PayPass and a smartphone with the ability to pay for purchases. I would like to discuss this topic in a little more detail.
A small introduction: the correspondence began on a completely banal topic. The reader shared his thoughts on how inconvenient it is to pay with a card or cash: you have to dig into a bag, take out a wallet, look for a card, insert it, and so on. A smartphone is another matter: take it out, tap it, paid. For large purchases you enter a PIN, and that's it.
I noted that in fact everything is not so simple: the smartphone also needs to be unlocked, you have to log in to the banking application and enter the PIN, and only then can you pay for purchases. As a final counterargument, the reader noted that all transactions are protected and no one can steal money from you using a mobile terminal. Then there was a link to Izvestia and their news about the theft of more than two million in 2015. Below is a quote from the news:
According to Zecurion, fraudsters took 2 million rubles from the cards of Russians using their homemade terminals (RFID readers) in 2015. IT security companies surveyed noted that scammers have learned to steal from cards using smartphones equipped with NFC chips (NFC is a type of RFID).
These figures seem to me to be greatly overestimated, for many reasons. First, I find it hard to imagine that people would not notice terminals being held against their pockets, even at rush hour. Second, the transaction amounts are limited to one thousand rubles. Third, transactions of less than 1,000 rubles made with PayPass are very easy to dispute. Fourth, in addition to a modified terminal, you will need an account with a bank or an acquiring service, and if there are N complaints, such an account will simply be closed and the fraudster will be arrested. There are too many buts for such a scam.
On the other hand, it is possible that 1,000 rubles is not a large enough amount for the client to start bothering about it (by the way, I would; it's not about the money, but the fact of the theft itself), so no thieves have been caught red-handed yet.
And one last observation: I have never seen or heard of money being stolen in this way from any of my friends, acquaintances, or acquaintances of my acquaintances. If we are talking about such an impressive amount of theft, it is strange that no one has come across this in person.
As for direct payment from a smartphone, everything is both complicated and simple at the same time. For this payment method to be convenient, it must become widespread. All terminals must support contactless payment, all (or most) banks must support such payment from a smartphone, and it must be convenient (hold the smartphone to the terminal, authorize the purchase with Touch ID, and you're done).