How to protect your cards from ‘ghost tapping’

“The technology is safer, the encryption is better, the cryptographic nature of the product is stronger, but it’s easier."

by · 5 NBCDFW

Tapping to pay is quick, but cybersecurity experts warn there’s a way someone can virtually pickpocket you. Read on for how to keep your money safe.

‘MODERN VERSION OF PICKPOCKETING’

The tech that makes it easy to pay could make it easy to steal.

“It's basically the modern version of pickpocketing,” said Matt Barnett, co-founder of cybersecurity firm SEVN-X.

Barnett told our NBC Responds team in Philadelphia about a scam called “ghost tapping.” Here’s how it works: a thief with a concealed card reader gets close to you in a crowded place, then charges your contactless card or the digital wallet on your phone or watch without your authorization.

“The technology is safer, the encryption is better, the cryptographic nature of the product is stronger, but it’s easier. We’ve traded this kind of convenience factor for some of the security we get from it,” said Barnett.

“Being able to just tap and go makes your life very easy and, in theory, it’s very strong. But that reader is also able to be duplicated or cloned or just registered by an attacker,” added Barnett.

Barnett said it could happen if your phone is unlocked or if you’re using settings that let you pay without unlocking your device.

“You kind of have to look at it and do the face ID, or you have to put your passcode in before it will unlock the readability of those cards, so you do have some protections on your phones and your smart devices,” said Barnett.

You can disable express mode if you’re not using it. On an iPhone, go to Settings, then Wallet & Apple Pay, and check your Express Transit Card settings.

For Android devices with Google Wallet, Dong Min Kim, Director of Product Management for Google Wallet, said in an email to NBC 5, “Since Google Wallet requires you to unlock your device to pay, simply keeping your phone locked when you aren’t using it is an effective way to prevent unauthorized charges.”

“We also work behind the scenes to protect your financial info by using virtual cards instead of real card numbers and partnering with banks to prevent fraud,” Kim added.

According to Google, it creates a device-specific token so your actual credit or debit card number isn’t stored on your device or shared with merchants. There is an express transit mode that lets you pay for trains or buses without unlocking the phone, but users have to opt into it. Google said if the device hasn’t been unlocked in the last 24 hours, users are prompted to unlock before using the transit pass.

When it comes to credit cards, Barnett said you can use an RFID-blocking sleeve to prevent wireless skimming.

“A sleeve that has some metal sheeting in it or some other technology that won't allow it to be read unless you remove it,” Barnett said.

TIPS FOR CONSUMERS

Enable transaction alerts from your bank and credit cards. If you see a charge you don’t recognize, you can quickly dispute it.

The Better Business Bureau warns scammers may also approach consumers, claiming they’re selling something or requesting a small donation with the goal of charging you a much larger amount.

The BBB said not to rush the payment process. Check the business name and transaction amount before you tap. Scammers may count on you tapping your card without confirming the details or asking for a receipt.

NBC 5 Responds is committed to researching your concerns and recovering your money. Our goal is to get you answers and, if possible, solutions and a resolution. Call us at 844-5RESPND (844-573-7763) or fill out our customer complaint form.