Can money be taken from the bank card in your pocket? Myth, real threat, or misunderstood risk?

Contactless payment has become one of the most convenient habits of modern life. Across Western Europe, the United Kingdom and the United States, millions of people now pay for groceries, coffee, public transport, parking, fuel, takeaway food and everyday services by simply tapping a bank card, phone or smartwatch near a terminal.

The technology feels almost invisible. There is no need to insert the card, swipe a magnetic stripe, sign a receipt or enter a PIN for every small purchase. The transaction is completed in seconds. That speed is exactly why contactless payment became so popular.

But the same convenience has also created a persistent fear: can someone take money from a contactless bank card while it is still in your pocket?

The image is easy to imagine. A fraudster walks through a crowded train, airport, festival or shopping mall with a hidden card terminal or smartphone. They move close to people, scan cards through jackets or bags, and silently collect money without anyone noticing.

It sounds frightening. It also sounds technically possible — at least at first glance.

The real answer is more nuanced. Contactless cards do communicate wirelessly over a very short distance. A payment terminal can interact with a card without the card being inserted into a reader. Low-value transactions may sometimes be completed without PIN entry, signature or additional cardholder verification.

However, the popular “money stolen from your pocket” scenario is much harder in practice than viral warnings suggest. NFC range is extremely short, card orientation matters, wallets and other cards interfere with the signal, payment terminals are traceable, banks apply risk controls, and transaction limits or authentication rules can interrupt suspicious activity.

That does not mean the risk is zero. It means the threat is often misunderstood.

The most realistic danger is not a mysterious hacker emptying your account from across the room. The more realistic risks are lost cards, stolen wallets, online card fraud, phishing, fake payment pages, compromised merchants and social engineering. Still, understanding contactless card security is useful, especially if you travel often, use crowded public transport or carry cards in easily accessible pockets or bags.

How contactless bank cards work

A contactless bank card contains a chip and a small antenna. When the card is placed close to a payment terminal, the terminal generates an electromagnetic field. This field powers the card’s chip for a very short time and allows the card and terminal to exchange payment data.

This technology is based on NFC, or Near Field Communication. The phrase “near field” is important. NFC is not designed for long-range communication. It normally works only within a few centimeters. In many real-world payment situations, the card has to be almost touching the payment terminal.

A contactless transaction is not simply a card “broadcasting money.” It is a structured payment process. The terminal identifies the card application, the card responds with payment data, cryptographic checks are performed, and the transaction is processed through the merchant’s acquiring bank, card network and issuing bank.

This distinction matters. Reading that a card is nearby is not the same as successfully taking money from it.

A random NFC reader may be able to detect a contactless card. In some cases, limited card-related information may be readable depending on the card, issuer and security implementation. But making a real payment requires a valid transaction path. The payment has to be accepted by a terminal, routed through a payment system and settled to a merchant or payment account.

That creates a major practical barrier for criminals.

Why this fear became so widespread

The fear of contactless card skimming became popular because it is built on a half-truth.

The true part is that contactless cards can be read at very short range. The misleading part is the assumption that reading a card automatically means stealing money.

The myth became more believable as smartphones started to support payment acceptance. In many countries, small businesses can now accept card payments with a phone using SoftPOS, Tap to Pay or similar technologies. This makes people imagine that any criminal with a phone can walk through a crowd and charge random cards.

In reality, payment acceptance is not anonymous. A person or business accepting card payments normally needs to be registered with a payment provider or acquiring bank. Transactions are linked to merchant accounts, bank accounts, device identifiers and risk monitoring systems.

A criminal trying to collect money this way would leave a financial trail. That does not make the fraud impossible, but it makes it unattractive compared with other types of card fraud.

Online card theft, phishing, fake delivery messages, fake banking login pages, malicious QR codes and stolen physical cards are usually easier and more scalable.

What a fraudster would actually need

To take money from a contactless card, a fraudster would need more than a simple NFC scanner.

They would need a real payment acceptance method, such as a POS terminal, mobile payment terminal or approved phone-based payment acceptance system. They would also need a merchant account or access to one, because the money must be routed somewhere.

They would need to get the reader extremely close to the card. Not near the person. Not near the bag in general. Very close to the exact place where the card is located.

They would need the card to be positioned correctly. NFC communication can fail if the angle is wrong, if the card is surrounded by other cards, if the wallet is thick, if the card is near metal objects, or if the reader is not close enough.

They would also need the transaction to fall within the allowed contactless rules for that country, card, bank and payment network. In Europe, strong customer authentication rules can require PIN or another form of verification after certain thresholds. In the UK, contactless card limits are still often managed by banks and card providers. In the United States, there is no single nationwide PIN-free contactless rule; cardholder verification behavior varies by issuer, network, merchant category and terminal setup.

Finally, the transaction would need to avoid fraud monitoring. Repeated unusual payments, abnormal merchant behavior or suspicious transaction patterns can trigger bank-side controls.

This is why the pocket-scanning scenario is more difficult than it appears in short social media videos.

The real NFC range problem

NFC works over a very short range. In practice, contactless cards usually need to be within a few centimeters of the reader. The card and terminal also need to be aligned well enough for communication.

That short range is one of the most important security features of contactless payment.

A card in a thin front pocket may be more exposed than a card inside a wallet in a zipped bag. A card in a metal card holder may not respond at all. A card stored with several other cards may confuse the reader. A card behind coins, keys, a phone or other objects may be difficult or impossible to read.

Anyone who has tried to pay by tapping a whole wallet against a terminal has probably seen this problem. The terminal may reject the transaction and ask for only one card. This same limitation makes secret reading in public less reliable.

For a hidden attack, the fraudster would have to place the terminal very close to the exact card location and maintain that position long enough for the payment attempt. In a crowded environment, physical proximity may be possible, but reliable card positioning is not guaranteed.

This is one of the main reasons why the fear is technically plausible but practically limited.

Contactless limits in Europe, the UK and the United States

Contactless payment limits are not the same everywhere.

In much of the European Economic Area, low-value contactless card payments can be made without entering a PIN, but strong customer authentication rules apply after certain thresholds. This means a card may work for small purchases without PIN, but after repeated taps or a cumulative amount, the terminal can require PIN entry or another verification method.

In the United Kingdom, the contactless card limit has traditionally been a clear single-transaction amount. The UK market has recently moved toward giving banks and payment providers more flexibility, but many providers still keep familiar customer-facing limits or allow users to set their own limits.

In the United States, the situation is different. There is no single federal contactless payment limit that applies to every card in the same way. Verification requirements depend on the issuer, card network, merchant, terminal configuration and risk rules. Some contactless transactions may require no PIN or signature, while others may request verification depending on amount and context.

Digital wallet payments are also treated differently in many situations. When a phone or smartwatch payment is authenticated by Face ID, fingerprint, passcode or another secure method, the transaction may be considered cardholder-verified even if no PIN is entered at the terminal.

For an international audience, the safest wording is this: small contactless card payments may often work without PIN, but limits and verification rules vary by country, bank, card network and merchant.

Why mobile wallets can be safer than physical cards

Apple Pay, Google Pay, Samsung Wallet and similar mobile wallet systems are often safer than tapping a physical contactless card.

The reason is tokenization.

When you add a card to a mobile wallet, the real card number is not normally used directly for every transaction. Instead, the wallet uses a payment token. This token represents the card in the payment system but does not expose the original card number in the same way.

Mobile wallets also require device authentication. Depending on the device, this may be Face ID, fingerprint, passcode or another local security method. A thief cannot usually make a payment with your locked phone simply by holding it near a terminal.

With a physical contactless card, some low-value payments may be possible without PIN. With a properly secured phone or smartwatch, the user usually has to unlock or authorize the payment first.

This does not make mobile wallets perfect. A weak phone passcode, stolen unlocked phone, compromised account or social engineering attack can still cause problems. But for everyday in-store payments, mobile wallets generally add a useful security layer.

What can actually be read from a contactless card?

A common misunderstanding is that if someone can read anything from a card, they can automatically clone it or steal money from it.

That is not how modern payment cards normally work.

A basic NFC reader may detect a contactless card and read limited data from it, depending on the card type and issuer. Older cards sometimes exposed more readable information than newer cards. Modern EMV contactless cards are designed with stronger controls and dynamic transaction data.

The key point is that a valid payment is not just a static card number. Real EMV transactions use cryptographic processes that make simple copying or replay attacks much harder than with old magnetic stripe cards.

This means there are three very different concepts:

Detecting a card is one thing.

Reading limited card data is another thing.

Successfully making unauthorized payments is a much more complex thing.

The public often mixes these together, which is why contactless card myths spread so easily.

The most realistic contactless fraud scenario

The most realistic contactless fraud scenario is not someone scanning your pocket. It is someone using your lost or stolen card.

If a thief physically has the card, they can try to make several low-value contactless purchases before the card is blocked or before the bank requires verification. This is simple, fast and much more realistic than hidden terminal attacks in a crowd.

This is why immediate card blocking matters.

If you lose your wallet, do not wait. Freeze the card in your banking app or call the bank. Many banks now offer instant card freeze options, temporary locks, spending controls and separate online/offline payment settings.

A stolen physical card remains a more practical risk than a remote NFC attack.

Online fraud is usually the bigger threat

For most consumers, the bigger threat is not NFC. It is online fraud.

Criminals often prefer attacks that do not require physical proximity. These include fake bank messages, phishing emails, fraudulent parcel delivery SMS messages, fake online shops, compromised checkout pages, malicious ads, fake investment platforms and social engineering calls.

In these cases, the victim may voluntarily enter card data, approve a payment, share a one-time code or install a malicious app. The criminal does not need to stand near the victim or rely on short-range radio communication.

This is why contactless card protection should be part of a broader payment security strategy. An RFID-blocking wallet can help against one narrow physical threat, but it will not protect against fake websites or phishing.

Are RFID-blocking wallets worth buying?

RFID-blocking wallets, sleeves and card holders use conductive materials to reduce or block radio communication between the card and an NFC reader. They work like a small shield around the card.

They can be useful, especially for people who often travel, commute in crowded cities, attend festivals, use airports frequently, or carry cards in outer pockets or open bags.

They are also inexpensive. A simple blocking sleeve is usually enough if the goal is to prevent accidental or unauthorized NFC reading.

However, RFID protection should not be oversold. It does not protect against online card fraud. It does not stop phishing. It does not help if you hand your card to a dishonest person. It does not protect card details already saved in a hacked online account.

RFID blocking is a practical extra layer, not a complete security solution.

Better everyday protection methods

The best protection is a combination of habits and banking controls.

Enable instant payment notifications

Push notifications are one of the strongest practical defenses. Every card payment should trigger an alert on your phone. If you see a transaction you did not make, you can react quickly.

Fast reaction limits damage and helps the bank investigate.

Use sensible spending limits

Most modern banking apps allow you to set limits. You may be able to control daily card spending, ATM withdrawals, online payments, foreign transactions and contactless usage.

Do not keep unnecessarily high limits on a card used for everyday purchases. A lower everyday limit reduces the potential damage from theft or fraud.

Use a separate card for online purchases

A virtual card or secondary card can reduce risk. Many banks and fintech services allow users to create digital cards for online shopping. Some allow disposable or merchant-specific cards.

This is useful because online fraud is often more common than physical contactless fraud.

Prefer mobile wallet payments

Where available, Apple Pay, Google Pay and similar wallets can be safer than using the physical card. They use tokenized payment data and normally require device authentication.

For everyday purchases in stores, a secured phone or smartwatch can be a very good payment method.

Keep cards inside a proper wallet

Do not carry a contactless card loose in an outer pocket if avoidable. A wallet, card holder or zipped compartment adds distance and physical shielding.

If you often travel or commute in dense crowds, consider an RFID-blocking sleeve.

Do not carry unnecessary cards

If you rarely use a card, do not carry it every day. The fewer cards you carry, the less damage a lost wallet can cause.

This is especially important while travelling.

Freeze lost cards immediately

If your card is lost, freeze it immediately in the app or call the bank. Do not wait to see whether it appears later.

Temporary freezing is often reversible. Fraudulent spending is not always easy to unwind quickly.

What to do after a suspicious transaction

If you receive a notification for a card payment you did not make, act immediately.

First, freeze or block the card. Use your banking app if possible. If you cannot access the app, call the emergency card-blocking number.

Second, check whether the merchant name is recognizable. Some legitimate transactions appear under the name of a payment processor or parent company rather than the shop name. Parking apps, subscription services and online marketplaces can be especially confusing.

Third, contact your bank and report the transaction as unauthorized. Ask whether the card should be replaced and whether a fraud claim or chargeback process applies.

Fourth, review recent card usage. Check online subscriptions, saved payment methods and recent purchases.

Fifth, if the card was stolen, or if there are multiple unauthorized transactions, file a police report. This may help with the bank’s investigation and gives you a formal record of the incident.

Common myths about contactless card theft

Myth 1: a thief can empty your account by walking past you

This is not realistic. Contactless card payments are limited by technical range, payment rules, bank controls and merchant traceability. A thief cannot normally drain an account just by walking near someone.

Myth 2: NFC works from several meters away

It does not. NFC is a very short-range technology. In normal card payment use, the practical range is only a few centimeters.

Myth 3: any smartphone can steal money from a card

A phone with NFC may detect certain cards or read limited data, but taking money requires a valid payment transaction through a payment acceptance system. That system is not anonymous.

Myth 4: RFID-blocking wallets are pointless

They are not pointless. They can block short-range NFC communication. But they protect only against a narrow physical risk, not against online fraud or stolen card data.

Myth 5: mobile wallets are less safe because they are digital

A properly secured mobile wallet is often safer than a physical card because it uses tokenization and device authentication.

Myth 6: contactless cards constantly transmit data

They do not actively broadcast like a radio transmitter. A contactless card is passive. It responds only when powered by a nearby reader field.

Frequently asked questions

Can someone charge my card while it is in my pocket?

In theory, a very small unauthorized contactless transaction could be attempted if the reader is extremely close, the card is not shielded and the transaction does not require verification. In practice, this is difficult, unreliable and traceable.

Is this a common type of fraud?

No. The more common risks are lost or stolen cards, phishing, fake websites, online card data theft and social engineering.

Can a card be read through a wallet?

Sometimes, but not always. A thin wallet may allow NFC communication. A thick wallet, multiple cards, metal objects or RFID-blocking material can prevent it.

Does an RFID-blocking wallet help?

Yes, for short-range NFC protection. It is especially useful in crowded places, airports, public transport and travel situations. It should be treated as an extra layer, not a complete fraud solution.

Is Apple Pay or Google Pay safer than a physical card?

Usually yes. Mobile wallets use tokenized payment data and typically require biometric or passcode authentication.

Can a contactless card be cloned?

Modern EMV contactless cards are designed to resist simple cloning. Reading limited data is not the same as creating a working duplicate card.

Should I disable contactless payments?

Most users do not need to disable contactless payments. A better approach is to use alerts, spending limits, mobile wallets and fast card blocking.

The realistic risk for Western Europe and the United States

The idea that someone can silently take money from the bank card in your pocket is not completely fictional, but it is heavily exaggerated.

The technology allows very short-range contactless communication. Some low-value card payments may not require PIN entry or signature. Under ideal conditions, an unauthorized attempt is theoretically possible.

But the practical barriers are significant. NFC range is tiny. Wallets and other cards interfere with communication. Payment terminals are linked to merchants. Banks monitor transactions. Contactless limits and authentication rules vary by market, but they exist in some form. Suspicious patterns can be blocked.

For most people in Western Europe, the UK and the United States, the bigger risks are more ordinary: losing a card, having a wallet stolen, entering card details on a fake website, approving a fraudulent payment request, or ignoring bank alerts.

The sensible approach is not panic. Use contactless payments, but use them intelligently. Enable notifications. Keep your card in a wallet. Use a mobile wallet where possible. Set reasonable limits. Use virtual cards online. Freeze lost cards immediately. Add an RFID-blocking sleeve if you often spend time in crowded environments.

Contactless payment is convenient and generally safe, but like every payment method, it works best when combined with basic security habits.

---

Image(s) used in this article are either AI-generated or sourced from royalty-free platforms like Pixabay or Pexels.

This article may contain affiliate links. If you purchase through these links, we may earn a commission at no extra cost to you.