Contactless card payment
Thieves are claimed to have taken money from a contactless bank card on a busy trainiStock

Thieves are stealing money from the contactless bank cards of commuters on busy trains. One victim, who works for a computer security magazine, alleges that a man standing next to him stole £20 from his card through an unauthorised contactless payment.

Roi Perez, the south London-based community manager of SC Magazine, claims a man bumped into the pocket containing his wallet and took the money, which was later refunded by his bank. Such instances have prompted concerned card users to line their wallets with transaction-blocking tin foil.

Telling his story on the magazine's website, Perez said: "When a man slowly bumped into me and my pocket for a bit too long, it took me a second to realise what had just happened. I called my bank and found out that said individual had managed to steal £20 from my account via a contactless card payment; my bank promptly reimbursed me."

Contactless credit and debit cards are now issued as standard by UK banks. They can be used to make payments of up to £30 and are used by simply tapping them against a card reader; no PIN or signature is required. Although it has been previously reported that a person's details can be stolen from a contactless card and used to make payments online, this appears to be the first case of money being taken directly from the card, as it would be in a shop.

'An illegal transaction took place on the train'

Clarifying his story to a commenter, Perez said: "The card was not stolen, but an illegal transaction took place in which £20 was deducted from an account via an unauthorised contactless payment which happened on the train."

Even though it seems instances of money being stolen directly from contactless cards are rare, people have taken measures to physically protect themselves. A commenter posting on the blog of security expert Graham Cluley, who wrote about Perez's incident, said: "I shield my contactless cards with foil-lined paper wallets. I got a Transport for London inspector to check he couldn't read my Oyster card through one. I also bought a lined wallet for my passport."

A large number of wallets which claim to block RFID frequencies from reading your bank cards are available online. So-called 'bouncer cards' can also be bought and slipped into a wallet to prevent your cards from being read.

The incident led Perez to investigate how such a theft could be possible. "It got me wondering about what processes a hacker would have to go through to get hold of a 'merchant' account and start processing genuine payments. The card readers are readily available [online]...for £79."

The next step would be moving the stolen money on before the thief is caught. "Someone could be taking money from the account the stolen money goes into, converting it into bitcoins and the money is never to be seen again," said Perez.

IBTimes UK has contacted both Visa and Mastercard to ask if such a theft is possible and will update this story when we get a reply. Visa's press office says it is requesting a comment.

Personal data theft from contactless cards

It was reported by a Which? investigation back in July 2015 that contactless bank cards can be used to steal some of the owner's personal information - enough, in some cases, to make payments online with their card details. In one instance, a researcher with permission lifted the card holder's details from their card and used them to order a £3,000 television.

"By touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree," a Which? spokesman said. "With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless."

At the time, the UK Cards Association said: "The method shown by Which? is not a new discovery. Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless - far lower even than overall card fraud."

In this case, the cardholder's name and CCV code on the back of the card were not stolen, but Which? found a "large online shop" which allowed orders to be placed without asking for either.