14 DAY TRIAL // In the past week, there was a security-related picture that went viral, starting with Facebook, then LinkedIn, making its way into various security blogs, and even reaching Reddit's front page at one point.
The picture, taken somewhere in Russia, shows a man holding a portable PoS device in a mass transportation service (unknown if tram, bus, or subway).
Some people claimed that this was a new way of stealing money from contactless credit cards. In their eyes, the whole attack scenario relied on the man keying in a price of less than $30 and bringing the device close to someone's wallet or pocket and automatically charging the sum on the victim's card.
The attack is theoretically possible but very impractical
In theory, this is possible. There are PoS devices that work via GPRS connections, enabling merchants to take payments almost everywhere.
On the other hand, in practice, this might rank as one of the dumbest and fastest ways to get arrested. The problem with all PoS devices is that besides the constant Internet connection they need to validate transactions with the bank, they also need a special merchant account ID.
Banks only create merchant accounts after businesses or single individuals who provide a large amount of paper documents, which most fraudsters would have a hard time doing. If they do, then most of their fraudulent transactions would be reversed anyway, since it only takes two-three people to notice something wrong before a bank shuts down the shady merchant account, reverses all fraudulent transactions, and informs authorities.
In this particular picture, it's just a guy holding a PoS for no special reason. That, or he's the dumbest criminal in the world, holding the object of his crime in his hand, out in the open, in a crowded place where everyone can notice. If true, that's one of the quickest and easiest ways to get lynched.
If you have a contactless credit or debit card, the best way to stay safe is to invest in an RFI-blocking shielded wallet.