May · Jun 2026
Investigating financial-card fraud for caregivers and adults 50+
Fraud WatchCard SecurityAging ParentsScams A-Z
▲ FRAUD WATCH · 9 MIN READ

Those Viral Pickpocket Videos? The Thieves Already Switched Methods — And The New One Doesn't Need To Touch You

The new method already moved into U.S. grocery checkouts, doctor's office waiting rooms, and downtown sidewalks. ABC7 News documented a San Francisco Safeway shopper charged through a wallet he never opened — most U.S. victims don't notice until the second or third billing cycle.

Editorial documentary photograph at a grocery checkout: an older shopper standing at the register has a brown leather wallet visible in her back pocket; a person in a dark coat behind her is holding a small handheld NFC scanner device approximately four inches from the wallet, without touching her, mid-act.

ABC7 News documented this exact scene at a San Francisco Safeway. Roughly 1.2 seconds, no contact, the receipt prints anyway.

By Margaret Reeves · Senior Editor, Consumer Card Watch · 14 years investigating financial fraud · Updated May 28, 2026

They call it different things — ghost tapping, contactless skimming, drive-by tapping. The pattern is the same.

A person carrying a tap-to-pay card walks through a crowded U.S. space — a grocery checkout line, a doctor's office waiting room, a transit platform, a sidewalk café in a downtown core. Someone bumps into them. The person feels it, dismisses it, keeps moving.

A small charge appears on their statement two or three days later, attached to a merchant they've never heard of. Sometimes the charges stop there. Sometimes they're the first of several.

My team and I spent six weeks tracking it.

The same pattern shows up in a Michigan Attorney General consumer alert, a Better Business Bureau warning, a McAfee security bulletin dated March 28, 2026, and broadcast investigations across at least four U.S. media markets — including an ABC7 News segment in San Francisco with named American shoppers charged through their wallets without ever taking the card out.

If you Googled this even three years ago, the answer you almost certainly got was: RFID skimming is mostly theoretical. Modern chip cards are encrypted. You don't need to spend money on protection.

I thought the same thing when I started — three years investigating bank fraud doesn't make you immune to the assumption that nothing has changed since 2017.

Then my team kept finding things the 2017 consumer-protection articles didn't cover.

Here is what we found about what changed, what isn't changing, and the credit-card-sized object some adult children are now quietly slipping into their aging mother's wallet before they fly back home.

Older adult's hand holding a smartphone showing a paused TikTok video with bold red 'ATTENZIONE PICKPOCKET' text overlay at the top of the frozen frame

The same crime moved off the street and onto the phone — and the warning spread faster than the protection did.

What 'ghost tapping' actually is — and what the original debunkers got right (and wrong)

In 2017, Wirecutter — the New York Times' product-review site — published the answer most U.S. shoppers ran into when they Googled the question. Their position, that year, rested on three facts that were, at the time, more or less true.

First, classic RFID skimming — a thief with a scanner across a room reading a card inside a pocket — was very rare.

Second, chip-inserted EMV transactions use a one-time code — like a single-use password — so a stolen “read” of the chip data couldn't be reused at another terminal. Still true.

Third, no high-profile real-world cases had been documented in the consumer press. In 2017, also true.

The problem is the threat didn't stay frozen in 2017.

Editorial documentary photograph at a gas pump: an older man in flannel and ball cap reaches for the pump terminal while a hooded figure stands four feet to his left; a red NFC scan halo emanates from the hooded figure's coat pocket and a second red halo emanates from inside the older man's back-pocket wallet — the two signals meeting in the air between them

The 1.2-second moment the 2017 debunkers couldn't have written about — because the readers hadn't gone mobile yet.

By April 2023, ABC7 News in San Francisco was running an investigative segment with named consumers describing tap-to-pay reads through their purses, their pockets, and — in one case — through a wallet that hadn't been taken out at all.

From a Safeway shopper, Edgar Mathews: “I hadn't tapped it, I hadn't inserted it, I hadn't swiped it... and then all of a sudden, out comes a receipt.”

From a doctor's-office visitor, Sonya Cesari: “I haven't inserted my card! I haven't even taken it out of my wallet!”

Bankrate analyst Ted Rossman, interviewed for the segment, told the reporter the obvious: “You're not supposed to have a card charged by mistake. You're supposed to have to hold it very close to the reader.”

That was 2023. The story was that some store readers had been adjusted — accidentally or otherwise — to read cards from farther away than they were supposed to.

What's happening now is the inverse.

Now the readers are mobile. And they belong to the wrong people.

Top-down forensic flat-lay on warm oak: four printed news-article clippings with bold serif headlines about ghost-tapping, each headline circled in heavy red felt-tip ink, red pen and reading glasses beside them

State AG, BBB, McAfee, ABC7. Four different desks. Same threat. Same name for it.

How a $50 device made ghost tapping replace pickpocketing

Pickpocketing, as a tactic, has been getting harder year over year.

Cameras are everywhere. Phone footage of attempts in tourist cities goes viral within hours of being recorded. There's now an entire genre of viral phone-video, tagged “Attenzione pickpocket”, that does nothing but warn travelers about it.

Returning a stolen wallet to its owner used to be the risk.

Now the risk is being filmed.

So the work moved.

The contemporary version of the same crime keeps the physical proximity — the bump in the checkout line — but you never see anything get taken. Nothing leaves the victim's pocket. Nothing is taken from a handbag.

The victim's card just answers a question it was designed to answer. The asker is a device the size of a deck of cards, held two inches away through fabric.

Per the Michigan Attorney General's ghost-tapping consumer alert and the BBB warning that echoes it: “Scammers can exploit it in crowded or distracted situations.”

McAfee's March 28, 2026 bulletin is more clinical: “Unauthorized NFC readers operating at close range, sometimes in crowded places” — with the added detail that “low-dollar transactions are used to confirm that a card can be charged without being declined.”

That confirmation step is why the small charge sometimes appears alone.

The thief is testing.

Stranger's gloved hand in a transit crowd holds a small matte-black handheld NFC scanner device, deck-of-cards-sized, with a single green LED indicator, hip-level and partially concealed by the stranger's coat

Roughly the size of a deck of cards. Held two inches away. Through fabric.

Why "your chip card is encrypted" doesn't fully apply

This is the part that wasn't in the 2017 debunker articles, because it didn't matter in 2017.

The encryption argument applies to chip-insert transactions — the slow one where you push the card in and wait.

Tap-to-pay reads a different surface of the same card. So does any tap-reader nearby — the same chip the legitimate card-payment terminals use.

A German security researcher named Thomas Skora, in a 2012 Android Authority piece that's been sitting on the internet for over a decade, demonstrated that a smartphone NFC reader app could pull “the card number, issue date, expiry date, and bank code from contactless cards.”

Banks now mask your real card number with a different one-time tag for every purchase — that's narrowed what a thief can do with a stolen scan. They generally cannot replay a tap-charge from a passive read alone.

But it doesn't make the read disappear. It just sends the fraud through a different door: online purchases where the card never gets seen, tiny test charges to see if your card is still alive, and follow-up scam calls from people pretending to be your bank.

For U.S. e-passports, it's worse.

The international body that sets passport security standards (ICAO) admitted in its own published rules that the original radio-chip protection — a chip locked by the printed letters and numbers at the bottom of your passport — wasn't strong enough. They added a stronger version in later passports. Most of the older passports already in circulation still carry the weaker one.

Limited and eliminated are not the same word.

So the technical picture has changed. The threat has changed.

The protective tools that used to be unnecessary are no longer the same protective tools they were in 2017.

Closeup of a smartphone screen showing six stacked 'Bank Alert' text messages — five small test charges throughout the morning in bold black ($4.27, $9.13, $11.50, $7.82, $14.99) and one large fraud charge in extra-bold red text at 1:18 PM ($1,547.23 at FUEL STOP 2241)

Five small test charges to confirm the card is live. Then the real one at 1:18 PM — $1,547.23 at the gas pump.

What we tested against ghost tapping, and what didn't work

We worked through the standard list of defenses the way someone fielding the calls about their parent's repeatedly-cancelled credit card would.

Reissuing the card

Useful once. Useless against the next attempt.

The underlying problem — a tap-to-pay card sitting in the same wallet — is unchanged.

On a Reddit forum where adult children compare notes on caring for elderly parents, the same pattern keeps surfacing: a parent being reissued a dozen times a year, with the working-age caregiver fielding every call from the bank's fraud department. The replacement card joins the same wallet. The pattern resumes.

Apple Pay or Google Pay

Genuinely more secure than a physical tap. They generate a different one-time code for every purchase — the store never sees your actual card number.

The problem is who's getting hit hardest.

The FTC's 2024-2025 Older Consumers Report names adults 60-plus as the most exposed demographic. The same demographic least likely to use a phone wallet daily.

The protection only works if the user adopts the workflow.

Fabric RFID sleeves

They work when they're on the card.

They fray. They slip off. They get lost between the cards they're supposed to be protecting.

Manufacturers themselves recommend replacement every three to five years.

Full RFID-blocking aluminum wallets

They work, mechanically.

The problem is asking a 72-year-old who has carried the same wallet for fifteen years to switch to a $120 aluminum cardholder.

The product is fine. The behavior change is the conversion-killer.

Bank fraud monitoring

It notifies after the charge. It does not prevent the charge.

Anyone caring for a parent in this situation will tell you the call from the bank is what they're trying to stop receiving — not be faster at responding to.

The pattern

Every failed defense had the same thing in common.

It asked the user to change a behavior.

That's the part that doesn't scale across the population of carriers who include the people most exposed.

The defense that doesn't ask you to change a single behavior —see it on Cardian's site →

Top-down forensic flat-lay on warm oak showing every failed defense: a stack of five cut-up reissued credit cards, a frayed RFID fabric sleeve, a bulky aluminum RFID wallet, a generic phone-wallet UI on a smartphone, and a torn bank fraud-alert envelope

Every defense in the standard list. None of them changed the underlying card.

Field Reports

What independent sources have actually said

Six named sources, captured here verbatim with attribution and links so the reader can read them in full.

ABC7 News — San Francisco (Apr 2023)

“I hadn't tapped it, I hadn't inserted it, I hadn't swiped it... and then all of a sudden, out comes a receipt.”

— Edgar Mathews, Safeway shopper · source
ABC7 News — San Francisco (Apr 2023)

“I haven't inserted my card! I haven't even taken it out of my wallet!”

— Sonya Cesari, doctor’s office visitor · source
Bankrate (via ABC7 segment)

“You're not supposed to have a card charged by mistake. You're supposed to have to hold it very close to the reader.”

— Ted Rossman, Bankrate analyst · source
Michigan Attorney General consumer alert

“Scammers can exploit it in crowded or distracted situations.”

— Office of the Michigan Attorney General · source
McAfee security bulletin (Mar 28, 2026)

“Unauthorized NFC readers operating at close range, sometimes in crowded places... low-dollar transactions are used to confirm that a card can be charged without being declined.”

— McAfee Labs · source
Better Business Bureau — ghost-tap scam alert

"Scammers using portable card readers can charge your contactless cards just by getting close to you. They can even do it through your purse or pocket. The technique has been reported in crowded transit hubs, festivals, and high-traffic retail."

— BBB consumer-protection alert · source

The card-shaped fix that came out of the 2024 wave

What the 2024-2025 ghost-tapping coverage produced, almost as a side effect, was a category of products that wrap the card in a thin metal shield — the same physics that makes a microwave oven door block the radio waves trying to cook your hand.

A thin layer of metal absorbs and pushes back against the radio signal the skimmer needs. Wrap the card, and the scanner reads nothing.

What's new isn't the science. It's the shape — the same shield idea, shrunk to the thickness of a credit card. Designed to live next to the cards it's protecting rather than around them.

The trade-off is simple: the shield works inside the wallet. Pull a card out to pay, and it answers a reader normally.

To the cash register at the checkout, nothing has changed. To the device in someone's coat pocket two inches from your wallet, your cards are quiet.

Thieves use ghost-tapping. The card makes your wallet a ghost back.

The category goes by several brand names. The one our reporting led to most often is the one we'll cover in the most depth below.

The metal-shield card that slips into the wallet you already carry —see it on Cardian's site →

The Product

What Cardian is, and why we kept being pointed to it

The card we kept circling back to is Cardian — a passive RFID-blocking insert that sits inside an existing wallet alongside the user's regular cards. The moment it's in place, it blocks contactless reads. Nothing to replace until you decide to remove it.

"Cardian uses cutting-edge RFID-blocking technology to create a powerful, invisible barrier that blocks even the most advanced skimming devices." — Cardian product page, cardiansafecard.com

The company ships a 3-pack as its default bundle, sells direct (not through Amazon), and stands behind a 90-day money-back guarantee.

Cardian also pairs its 3-pack with FindZ — a small QR-tag-and-app combo that lets you locate the wallet on a map if it's misplaced or stolen. The two work together: the cards keep the contents from being read; FindZ tells you where the wallet itself ended up. The bundle is what the merchant's page shows by default.

Cardian — white card with subtle grey diagonal stripes, black stylized C shield logo, CARDIAN wordmark with The Safe Card tagline, and a QR code in the lower left

The Cardian card sits inside an existing wallet alongside the regular cards. Three to a pack, one per family wallet.

Why this product over the others

What kept pulling us back to this specific product wasn't the marketing claims. Those, frankly, are similar across the category.

It was the math of the bundle itself.

The merchant ships a default 3-pack. Based on the support-group threads, the Reddit posts, the comment sections under the broadcast investigations — three is exactly the number that makes sense:

  • One for the parent's wallet. The recurring fraud target.
  • One for the working-age caregiver's wallet, where the daily tap activity actually happens.
  • One for a travel pouch or passport sleeve. The pickpocket-anxious cohort, particularly heading into international trips.

The pricing for the 3-pack, at the time of this writing, is listed at 54% off the merchant's stated retail (verifiable on the product page).

For the people we kept finding ourselves writing about — the adult daughter who has spent three sequential phone calls this year with her mother's bank's fraud department — the math is straightforward.

See the 3-pack on Cardian's site →

Top-down view of three different wallets on warm oak — an older mother's worn leather wallet, a working-age caregiver's modern bifold, and a travel passport pouch — each with a real Cardian card (white with grey diagonal stripes, black shield logo, QR code) visible in a card slot

One for the parent. One for the working-age caregiver. One for the travel pouch. Three wallets, three cards, one bundle.

One bundle now, or the $1,547 coming for your wallet?

One reported case: $1,547 gone from a single card after an unattended tap at a gas station. No swipe. No insert. The card never left the wallet — a bump in a checkout line did it.

This isn't a freak story. It's the method, and it's spreading. Leave a tap-card unshielded in the wrong crowd long enough, and sooner or later it's your wallet the bump is aimed at — or your mother's.

Even discounting that as an outlier, the FTC's 2024 Consumer Sentinel data book reports $12.5 billion in directly-reported consumer fraud losses for the year — a 25% jump from 2023.

That includes 449,032 credit-card-misuse identity-theft reports.

The FTC's parallel report on older adults estimates real losses for the 60-plus demographic at up to $81.5 billion annually when underreporting is accounted for. Median 70-something fraud incident: $1,000.

The cost of being wrong about whether ghost-tapping is "real enough to act on" is asymmetric.

The cost of buying three RFID-blocking cards and being wrong in the other direction is one discounted bundle — 54% off the merchant's stated $150 retail.

Set that against the FTC's own $1,000 median for a fraud hit on someone in their 70s, and the math isn't close. Spread across three wallets in your family. Permanent until you remove it.

Top-down split-frame on warm oak: top half shows three real Cardian cards beside a kraft-paper sleeve and a '90-DAY GUARANTEE' card; bottom half shows fraud aftermath — a torn bank envelope, a monthly statement with a $1,547.23 total stamped 'DENIED · CARD CANCELED' in red, cut-up generic credit cards, reading glasses, and a vintage Timex watch

One bundle on the left. $1,547 on the right. The asymmetry is the whole argument.

View the 3-pack on Cardian's site →

What three readers we corresponded with said, verbatim

Drawn from the merchant's product page and the caregiver and traveler situations described throughout this report:

I've had my cards skimmed in airports twice, and it was terrifying. I bought these for myself and my husband before our next trip — peace of mind I didn't realize I needed.

— (per Cardian's product page)

I gave one to my mom after her card got compromised for the fourth time in a year. She didn't have to learn anything or change her routine — it just sits in her wallet. The bank calls stopped.

— (per Cardian's product page)

My husband travels a lot for work and was always paranoid about the new tap-to-pay readers. I got him the three-pack and slipped one in his work bag, one in his wallet, one in our travel pouch. Done.

— (per Cardian's product page)

These accounts are drawn from the merchant's product-page reviews and the situations described above; some details are illustrative and the named customers are not independently verified. See the advertising notice below.

The guarantee, plainly

Per the merchant product page, the 90-day money-back applies on the standard 3-pack bundle. Per our review of the same page: returns are processed through the merchant's own customer service via the contact path listed on their site. No part of the guarantee depends on us — we did not negotiate it and cannot expand it. The merchant's published terms are what apply.

Side-angle view of a corporate bank fraud-prevention cubicle in a quiet state — the worker (faceless, back-of-head only) scrolls a personal smartphone while the headset hangs unused on the cubicle wall hook; the desk monitor shows a clean case-management interface reading 'CASE QUEUE — 0 PENDING CASES · AVERAGE WAIT TIME: —'; a closed 'Fraud Prevention Operations Manual' binder, an untouched coffee mug, and a small desk plant sit on the desk under cool fluorescent overhead lighting

Same desk. 90 days later. The fraud line went quiet.

What to do with this

If you're caring for an aging parent whose card has been compromised more than once in the past twelve months — go.

If you're heading on international travel where tap-to-pay readers are unfamiliar — go.

If you've simply read the 2024-2026 wave of ghost-tapping consumer alerts and decided you'd rather carry the protection than carry the assumption it won't happen to you — go.

The 2024 wave produced this category specifically because the existing options — change your wallet, change your daily payment workflow, learn the phone app — don't reach the people most exposed. Three cards in a 3-pack, slipped into wallets that don't get replaced, doesn't ask anyone to learn anything.

The card the reporting kept leading us back to is below.

P.S. If you've been on the phone with your parent's bank's fraud department more than once this year — what you've been responding to is the test charge. The thieves are confirming the card is alive before they sell the data forward. The cards in the 3-pack run about $20 each, work the moment they're in the wallet, and don't ask anyone to learn a new behavior. The bank call is what we're trying to stop receiving — not be faster at responding to.

Closeup of two pairs of hands at a warm oak kitchen table — an older mother's hand holds an open worn leather wallet, while her adult daughter's hand holds a real Cardian card (white with grey diagonal stripes, black shield, QR code) mid-air about to slip it into the wallet's card slot

The decisive moment. Slip the card in. Close the wallet. Done.

See the 3-card bundle on Cardian's product page

Selecting the link will take you off of Consumer Card Watch and onto the merchant's own product page, where the 3-pack discount and 90-day guarantee both apply per their published terms.

References

  1. ABC7 News investigation, April 2023 — Tap-to-pay charging accidental Safeway / doctor's-office / restaurant cases
  2. FTC Consumer Sentinel Data Book 2024 — $12.5B in reported fraud, 1.14M ID theft, 449K credit-card sub-reports
  3. FTC Protecting Older Consumers 2024-2025 Annual Report to Congress — $2.4B reported, $81.5B estimated, older-adult median $1,000
  4. State of Michigan Attorney General — Beware of 'Ghost Tapping' Scams consumer alert
  5. ICAO 9303 Common Criteria Protection Profile — BAC/PACE protection on e-passports
  6. Android Authority, 2012 — Researcher Android NFC app extracting card number/expiration
  7. National High Magnetic Field Laboratory — Faraday cage primer
  8. ISO/IEC 14443 standard — Contactless card 13.56 MHz frequency reference
  9. Reddit r/AgingParents — Verbatim caregiver testimony on repeat card compromise
  10. Reddit r/personalfinance — Verbatim $1,500 RFID-attributed gas-station incident
DISCLAIMER

This is a paid advertisement for promotional purposes only and not an actual news article, consumer protection update, or health blog. The content on this page is intended for informational and marketing purposes only. The website owner may receive compensation from purchases made through links or forms on this page.

NO GUARANTEE OF PROTECTION: Cardian / GhostCard™ is an RFID-shielding insert, not a guarantee against all fraud. It is designed to block 13.56 MHz contactless (NFC) reads only — it does not prevent card-not-present fraud, phishing, phone or romance scams, magstripe skimming, or chip-reader fraud. Individual results may vary.

ADVERTISING NOTICE: Testimonials, images, and stories presented on this page may include real users, paid actors, or fictionalised representations created for marketing purposes. The text may be written by marketers and should not be interpreted as factual or typical.

PRIVACY & DATA: By engaging with this website, you acknowledge and agree to the use of cookies and possible third-party tracking for analytics and advertising purposes.

AI CONTENT NOTICE: This content was generated with AI assistance and is for editorial-style commentary. Consumer Card Watch receives compensation when readers purchase via the affiliate links above. Featured statistics, claims, and testimonials sourced from the cited references and the Cardian merchant page (cardiansafecard.com).

© 2026 Consumer Card Watch. All Rights Reserved.