In a cafe close to a Royal park Nigel Swabey is telling me all about renovation work to his house over a pot of tea.
He interrupts the small talk and politely asks me to pass the milk jug. As I do, his hand darts briefly across the table at lightning speed.
Perhaps he was just reaching for a napkin. But then I notice Nigel’s phone is now perched on top of my purse. The 69-year-old chuckles, picks his mobile back up and shows me the screen — it is displaying the 16-digit card number and expiry date of my credit card.
I’ve come to Richmond in West London to meet the man who says ‘skimming’ strangers’ credit card details in less than five seconds is his party trick.
Money Mail reporter Sara meets Nigel Swabey who demonstrated how to use a easily available mobile phone app to seal a person’s bank card details
To do this, he uses a smartphone app that is completely legal and costs just £5. It’s called the Credit Card Reader NFC (EMV) and has been downloaded on to mobile phones more than one million times.
This enables the phone to pick up the information sent by a card’s chip during a contactless transaction — the card number and expiry date.
This was impossible until banks started issuing everyone with so-called contactless cards that you wave over payment terminals without having to enter a PIN.
The only things the app can’t pick up are the name of the cardholder and the three-digit security code on the back.
Nigel skims cards at dinner parties to show just how easy it is for criminals to steal payment details and use them to make fraudulent purchases online.
He says: ‘It’s a bit of a gimmick of mine. You hold up the phone to a guest’s pocket and say: ‘Ah, you have a Mastercard. Your expiry date is this, your number is this.’
‘It’s shocking for people who assume their details are protected — and seeing it happen in real time makes them realise how vulnerable they are to fraud.’
The app that is completely legal and costs just £5., is called the Credit Card Reader NFC
Nigel has a vested interest — he’s an entrepreneur and owns the European rights to Australian product, SkimGuard, which you put in your wallet to block fraudsters from stealing your details. That’s why Money Mail wanted to see for itself how easy card-skimming really is.
I lean across the table to get a good look at the phone but Nigel has one more trick up his sleeve.
He taps the screen, selects a ‘transactions’ option and shows me — to my horror — the last ten purchases I made using that card. All my recent spending is there, the Tube journeys to and from work, the groceries for a dinner party and flights I’d booked for an upcoming holiday.
It’s impossible to get this level of detail on debit or Amex cards, Nigel explains. But many credit cards are ripe for fraud.
This is because the chips inside cards issued by some banks hold previous transaction details. Not all cards are vulnerable, though.
Banks tell customers that spending on stolen contactless cards by crooks is kept in check because each transaction is limited to £30 at most.
They say your PIN is automatically demanded after a set number of suspicious-looking payments.
But experts say the real danger is not losing money in a contactless transaction after someone brushes past your handbag with a card reader, but the crook harvesting all the card details they need to commit fraud in your name.
Some sites do not require a three-digit CVV number to make a purchase. So fraudsters who’ve skimmed your card could theoretically spend online with the details they have
Nigel explains that the criminal’s phone needs only to be close to the card it’s trying to read for the app to work.
And, crucially, the radio waves do pass through fabric. That means on a crowded train, or at a busy concert, all scammers have to do is get their phones next to people’s pockets to go on a spending spree.
Worryingly, some sites, including Amazon and Booking.com, do not require the three-digit CVV number on the back of card to make a purchase. So fraudsters who’ve skimmed your card could theoretically spend online with the details they have.
But Amazon says it has a rigorous fraud detection system that means it doesn’t require CVV codes.
Official figures show the boom in contactless cards over the past two years has fuelled a 51 per cent rise in card fraud cases, which have now reached 565 a day .
The number of contactless transactions has gone from 1 billion in 2015 to 5.6 billion last year, with almost a third of card transactions last year contactless.
Banks have no way of working out how criminals have got hold of card details they are using illegally, so claim it doesn’t count as ‘contactless card fraud’.
A UK Finance spokesman says: ‘We successfully prevented more than £2 in every £3 of attempted fraud in 2017.
‘Contactless fraud is low with robust security features in place in every card, and no contactless fraud has been recorded on cards still in the possession of the original owner.
‘Customers are fully protected against any losses and will never be left out of pocket in the unlikely event they are the victim of this type of fraud, unlike if they lose cash.’