Monday, August 26, 2024


Beware Of E-Pickpockets: Understanding The Threat Of RFID Card Thefts

Authors

Kushel HM is a mechanical engineer-turned-journalist, who loves all things football, tennis and films. He was with the news desk at the Hindustan Times, Mumbai, before joining Newschecker.

Pankaj Menon is a fact-checker based out of Delhi who enjoys ‘digital sleuthing’ and calling out misinformation. He has completed his MA in International Relations from Madras University and has worked with organisations like NDTV, Times Now and Deccan Chronicle online in the past.

Vijay (name changed) had a rude and unusually early start to a weekday in his Pune home when he woke up to an SMS from HDFC bank around 4am, alerting him to a suspected fraudulent transaction on his credit card that was declined on account of an incorrect PIN.

A little shaken, but also relieved that a theft was averted, the 41-year-old supply chain consultant then went through his bank’s account statement to ensure nothing was amiss. Instead, he found that an international transaction of $422 (₹35K) had already gone through earlier in the day. A stunned Vijay immediately informed the bank and got his card blocked, while requesting a refund.

“The first transaction went through without an OTP. It was done in the US for possibly a flight ticket booking. I didn’t even get an SMS for the transaction, which is quite strange. The second transaction was a similar one, but got declined for a wrong PIN. This is when I was alerted by the bank’s anti-fraud system,” Vijay tells Newschecker, adding that the entire episode frustrated him because he makes it a point not to physically use his card to pay, if possible, just to stay safe from cloning/skimming devices.

“I only use Samsung Pay which transmits a virtual card number to the POS machine, not the actual one,” he says, racking his brain to remember any slip-up on his part. Vijay recalls that although he did physically use his card in Azerbaijan a few times, the country’s local rules force the use of a PIN every time. He, however, does not rule out the possibility of his card being skimmed from any of the machines there.

“I still do not have an answer from the bank on why no SMS came through. Clearly, there is a loophole in their system. Also, usually for any international non-OTP online transaction, there is an auto call made to verify the transaction. No call was made, which is also strange. HDFC is still investigating, but has confirmed that the transaction will be reversed in my upcoming statement,” Vijay says, adding that an almost identical incident had happened before with HDFC, but the bank had immediately alerted him, cancelled the card, and sent him a new one. “That transaction did not go through as it was caught by the anti-fraud system,” he says.

Another HDFC customer shared a similar experience on Twitter, stating that his debit card got scammed out of around ₹12K through a gift card transaction from the USA. Again, no OTP was involved.

“The day before the incident, I was at a busy location on College Street buying a cigarette, when I noticed two guys casually standing nearby. I took out my wallet to give cash, but while I was putting it back inside my back pocket, I could see one of the guys telling the other about my action, while both were eyeing my wallet. One of them came close to me at the same time, so I turned around and eyeballed them for long enough that they left after a few seconds. But my mistake was that I thought they were pickpockets. Instead, they actually had a machine in their pockets that could clone card details if they were close enough to it and for a long enough duration. Good thing it was a non-OTP transaction, which allowed for a refund,” recounts the customer, cautioning fellow users about the new, super-stealthy form of pickpocketing: radio frequency identification (RFID) skimming. Customers of other banks, too, shared similar stories on X (earlier Twitter).

RFID skimming is increasingly being adopted by a new breed of digital pickpockets to steal credit and debit card details within a matter of seconds. Because the card never has to be swiped or inserted, the contactless feature makes RFID card theft smoother than the usual modus operandi fraudsters use to clone magnetic stripe bank cards.

What is card cloning/skimming?

Credit/debit card cloning is the electronic theft of data from a card to enable unauthorised charges in the victim’s name. The thief plants a device known as a skimmer, which secretly reads and copies card information, in an ATM or in point-of-sale (POS) terminals — systems used for processing card payments at retail stores.

Most payment cards have a magnetic stripe that runs along the back. This stripe stores information like the expiry date of your card, your full name, and the card number. When the card is swiped through a compromised device, the skimmer copies and stores every detail on the magnetic stripe. The criminals later retrieve this data and use it to create duplicate cards, which are then used to run up charges on the person’s credit card or to drain money from the bank account.

Considering the ease with which fraudsters can clone magstripe-only cards using just a basic skimming machine, the newest payment cards are equipped with RFID chips, which allow them to transmit transaction information to a card reader simply by being nearby, without the card being physically inserted into a slot. However, this RFID technology, a vital component of modern contactless payments, is clearly still not foolproof.

What is RFID skimming?

While RFID chips or tags have been used by businesses for years to manage inventory and shipments, as well as in access badges for security systems, these chips are now increasingly used on credit and debit cards, allowing the card to be read without being swiped through a machine. The contactless symbol on such cards typically looks like a Wi-Fi signal turned horizontally, or four curved lines, and indicates that the card is equipped with an RFID chip that lets you hover or tap the card over a terminal to conduct a transaction.

RFID card readers use radio waves to transmit signals that activate the tag. Criminals can conceal such readers on their bodies while walking down the street, allowing them to surreptitiously steal information and, consequently, swipe money off RFID-enabled cards just by being in close enough proximity to their owners. Alarmingly, there are also mobile apps designed to read information off RFID cards.

The places where RFID skimming is most likely to occur are:

  • Retail stores
  • Public transport
  • Restaurants
  • ATMs
  • Petrol pumps      

How to protect yourself from RFID skimming

One way to avoid such fraudulent payments is to disable the international transactions feature on your card immediately after you get it, as fraudsters tend to take the international route (some high-profile e-commerce sites may not require a CVV to make a purchase).

You can also protect yourself against RFID skimming by covering your bank cards in foil or investing in RFID-blocking/jamming materials. Another way to keep your cards safe is to store multiple RFID cards close to each other in your wallet to make them harder to read, or to carry them in your front pocket to discourage thieves.

For maximum security, only use RFID cards for online purchases at home. While it may not actually prevent thieves from stealing information from your card, monitoring your statements regularly will help you and the card company identify any unauthorised purchases and can limit your potential losses. Also, remember to keep your distance from other customers when using your card. The threat of a long-range RFID credit card skimmer is vastly overstated, as even the best long-range RFID readers would struggle to copy data illegitimately once you account for real-world conditions like distance, weather, and the presence of hundreds of other radio signals.

