The new method has already moved into U.S. grocery checkouts, doctor's office waiting rooms, and downtown sidewalks. ABC7 News documented a San Francisco Safeway shopper charged through a wallet he never opened — most U.S. victims don't notice until the second or third billing cycle.
What the contemporary version of the crime actually looks like in a U.S. checkout line. No contact, no card removed, no visible exchange. The scan completes in under a second.
They call it different things — ghost tapping, contactless skimming, drive-by tapping. The pattern is the same.
A person carrying a tap-to-pay card walks through a crowded U.S. space — a grocery checkout line, a doctor's office waiting room, a transit platform, a sidewalk café in a downtown core. Someone bumps into them. The person feels it, dismisses it, keeps moving.
A small charge appears on their statement two or three days later, attached to a merchant they've never heard of. Sometimes the charges stop there. Sometimes they're the first of several.
My team and I spent six weeks tracking it.
The same pattern shows up in a Michigan Attorney General consumer alert, a Better Business Bureau warning, a McAfee security bulletin dated March 28, 2026, and broadcast investigations across at least four U.S. media markets — including an ABC7 News segment in San Francisco with named American shoppers charged through their wallets without ever taking the card out.
If you Googled this even three years ago, the answer you almost certainly got was: RFID skimming is mostly theoretical. Modern chip cards are encrypted. You don't need to spend money on protection.
I thought the same thing when I started — three years investigating bank fraud doesn't make you immune to the assumption that nothing has changed since 2017.
Then my team kept finding things the 2017 consumer-protection articles didn't cover.
Here is what we found about what changed, what isn't changing, and the credit-card-sized object some adult children are now quietly slipping into their aging mother's wallet before they fly back home.
Two commuters on a transit platform. The person in the dark coat is close enough to scan a contactless card in the bag on the left — without touching the other shopper, without making the exchange visible, and without the card ever leaving the wallet. This is what the contemporary version of the crime actually looks like.
The mechanism in one diagram: 13.56 MHz interrogation signal travels through fabric to the card; the card answers back. The same exchange that powers every legitimate tap-to-pay terminal.
In 2017, Wirecutter — the New York Times' product-review site — published the answer most U.S. shoppers ran into when they Googled the question. Their position, that year, rested on three facts that were, at the time, more or less true.
First, classic RFID skimming — a thief with a scanner across a room reading a card inside a pocket — was very rare.
Second, chip-inserted EMV transactions use a one-time code — like a single-use password — so a stolen “read” of the chip data couldn't be reused at another terminal. Still true.
Third, no high-profile real-world cases had been documented in the consumer press. In 2017, also true.
The problem is the threat didn't stay frozen in 2017.
By April 2023, ABC7 News in San Francisco was running an investigative segment with named consumers describing tap-to-pay reads through their purses, their pockets, and — in one case — through a wallet that hadn't been taken out at all.
From a Safeway shopper, Edgar Mathews: “I hadn't tapped it, I hadn't inserted it, I hadn't swiped it... and then all of a sudden, out comes a receipt.”
From a doctor's-office visitor, Sonya Cesari: “I haven't inserted my card! I haven't even taken it out of my wallet!”
Bankrate analyst Ted Rossman, interviewed for the segment, told the reporter the obvious: “You're not supposed to have a card charged by mistake. You're supposed to have to hold it very close to the reader.”
That was 2023. The story was that some store readers had been adjusted — accidentally or otherwise — to read cards from farther away than they were supposed to.
What's happening now is the inverse.
Now the readers are mobile. And they belong to the wrong people.
Pickpocketing, as a tactic, has been getting harder year over year.
Cameras are everywhere. Phone footage of attempts in tourist cities goes viral within hours of being recorded. There's now an entire genre of viral phone videos, tagged “Attenzione pickpocket”, that does nothing but warn travelers about it.
Returning a stolen wallet to its owner used to be the risk.
Now the risk is being filmed.
So the work moved.
The contemporary version of the same crime keeps the physical proximity — the bump in the checkout line — but you never see anything get taken. Nothing leaves the victim's pocket. Nothing is taken from a handbag.
The victim's card just answers a question it was designed to answer. The asker is a device the size of a deck of cards, held two inches away through fabric.
Per the Michigan Attorney General's ghost-tapping consumer alert and the BBB warning that echoes it: “Scammers can exploit it in crowded or distracted situations.”
McAfee's March 28, 2026 bulletin is more clinical: “Unauthorized NFC readers operating at close range, sometimes in crowded places” — with the added detail that “low-dollar transactions are used to confirm that a card can be charged without being declined.”
That confirmation step is why the small charge sometimes appears alone.
The thief is testing.
This is the part that wasn't in the 2017 debunker articles, because it didn't matter in 2017.
The encryption argument applies to chip-insert transactions — the slow one where you push the card in and wait.
Tap-to-pay talks to a different interface on the same card, and so can any tap reader nearby: it is the same chip the legitimate card-payment terminals use.
A German security researcher named Thomas Skora, in a 2012 Android Authority piece that's been sitting on the internet for over a decade, demonstrated that a smartphone NFC reader app could pull “the card number, issue date, expiry date, and bank code from contactless cards.”
Banks now mask your real card number with a different one-time tag for every purchase — that's narrowed what a thief can do with a stolen scan. A thief generally cannot replay a tap-charge from a passive read alone.
But it doesn't make the read disappear. It just sends the fraud through a different door: online purchases where the card never gets seen, tiny test charges to see if your card is still alive, and follow-up scam calls from people pretending to be your bank.
For U.S. e-passports, it's worse.
The international body that sets passport security standards (ICAO) admitted in its own published rules that the original radio-chip protection — a chip locked by the printed letters and numbers at the bottom of your passport — wasn't strong enough. They added a stronger version in later passports. Most of the older passports already in circulation still carry the weaker one.
Limited and eliminated are not the same word.
So the technical picture has changed. The threat has changed.
The protective tools that used to be unnecessary are no longer the same protective tools they were in 2017.
The bump still happens. What changed is the small device the size of a deck of cards in someone's bag, two inches from a wallet, doing the read while the victim is paying for groceries.
We worked through the standard list of defenses the way someone fielding the calls about their parent's repeatedly-cancelled credit card would.
Useful once. Useless against the next attempt.
The underlying problem — a tap-to-pay card sitting in the same wallet — is unchanged.
On a Reddit forum where adult children compare notes on caring for elderly parents, the same pattern keeps surfacing: a parent being reissued a dozen times a year, with the working-age caregiver fielding every call from the bank's fraud department. The replacement card joins the same wallet. The pattern resumes.
Genuinely more secure than a physical tap. They generate a different one-time code for every purchase — the store never sees your actual card number.
The problem is who's getting hit hardest.
The FTC's 2024-2025 Older Consumers Report names adults 60-plus as the most exposed demographic. The same demographic least likely to use a phone wallet daily.
The protection only works if the user adopts the workflow.
They work when they're on the card.
They fray. They slip off. They get lost between the cards they're supposed to be protecting.
Manufacturers themselves recommend replacement every three to five years.
They work, mechanically.
The problem is asking a 72-year-old who has carried the same wallet for fifteen years to switch to a $120 aluminum cardholder.
The product is fine. The behavior change is the conversion-killer.
It notifies after the charge. It does not prevent the charge.
Anyone caring for a parent in this situation will tell you the call from the bank is what they're trying to stop receiving — not be faster at responding to.
Every failed defense had the same thing in common.
It asked the user to change a behavior.
That's the part that doesn't scale across a population of card carriers that includes the people most exposed.
The same parent reissued a dozen times in a single year is a common pattern on a Reddit forum where adult children compare notes on caring for aging parents — the underlying tap-to-pay card never left the wallet, so each new card joins the queue.
Six representative quotes from the published consumer-protection bulletins, broadcast investigations, and forum threads we worked through over six weeks. Each is sourced; each can be opened at the link below.
ABC7 News — San Francisco (Apr 2023)
“I hadn't tapped it, I hadn't inserted it, I hadn't swiped it... and then all of a sudden, out comes a receipt.”
ABC7 News — San Francisco (Apr 2023)
“I haven't inserted my card! I haven't even taken it out of my wallet!”
Bankrate (via ABC7 segment)
“You're not supposed to have a card charged by mistake. You're supposed to have to hold it very close to the reader.”
Michigan Attorney General consumer alert
“Scammers can exploit it in crowded or distracted situations.”
McAfee security bulletin (Mar 28, 2026)
“Unauthorized NFC readers operating at close range, sometimes in crowded places... low-dollar transactions are used to confirm that a card can be charged without being declined.”
Better Business Bureau — ghost-tap scam alert
"Scammers using portable card readers can charge your contactless cards just by getting close to you. They can even do it through your purse or pocket. The technique has been reported in crowded transit hubs, festivals, and high-traffic retail."
Same wallet, same scanner, same card. The only variable is the metal-shield card slipped in alongside.
What the 2024-2025 ghost-tapping coverage produced, almost as a side effect, was a category of products that wrap the card in a thin metal shield — the same physics that makes a microwave oven door block the radio waves trying to cook your hand.
A thin layer of metal absorbs and pushes back against the radio signal the skimmer needs. Wrap the card, and the scanner reads nothing.
What's new isn't the science. It's the shape — the same shield idea, shrunk to the thickness of a credit card. Designed to live next to the cards it's protecting rather than around them.
The trade-off is simple: the shield works inside the wallet. Pull a card out to pay, and it answers a reader normally.
To the cash register at the checkout, nothing has changed. To the device in someone's coat pocket two inches from your wallet, your cards are quiet.
Thieves use ghost-tapping. The card makes your wallet a ghost back.
The category goes by several brand names. The one our reporting led to most often is the one we'll cover in the most depth below.
An older woman (left) and her adult daughter (right) at a kitchen table — each holding a Cardian. The most common adoption pattern across the support-group threads we read: the working-age caregiver brings the card during a routine visit, slips one into the parent's wallet, keeps one in her own. No instructions, no behavior change, no app to learn.
The card slips into the wallet next to the user's regular cards. No app, no battery, no replacement schedule. The protection lapses only when the card is taken out to pay — which is exactly when the legitimate reader is supposed to read it.
The card we kept circling back to is Cardian — a passive RFID-blocking insert that sits inside an existing wallet alongside the user's regular cards. The moment it's in place, it blocks contactless reads. Nothing to replace until you decide to remove it.
"Cardian uses cutting-edge RFID-blocking technology to create a powerful, invisible barrier that blocks even the most advanced skimming devices." — Cardian product page, cardiansafecard.com
The company ships a 3-pack as its default bundle, sells direct (not through Amazon), and stands behind a 90-day money-back guarantee.
Cardian also pairs its 3-pack with FindZ — a small QR-tag-and-app combo that lets you locate the wallet on a map if it's misplaced or stolen. The two work together: the cards keep the contents from being read; FindZ tells you where the wallet itself ended up. The bundle is what the merchant's page shows by default.
What kept pulling us back to this specific product wasn't the marketing claims. Those, frankly, are similar across the category.
It was the math of the bundle itself.
The merchant ships a default 3-pack. Based on the support-group threads, the Reddit posts, the comment sections under the broadcast investigations — three is exactly the number that makes sense:
Three cards is the count the support-group threads keep landing on — one for the parent's wallet, one for the working-age caregiver's, one for a travel pouch.
The pricing for the 3-pack, at the time of this writing, is listed at 54% off the merchant's stated retail (verifiable on the product page).
For the people we kept finding ourselves writing about — the adult daughter who has spent three sequential phone calls this year with her mother's bank's fraud department — the math is straightforward.
One widely-circulated — and, in its own comment thread, heavily disputed — victim report put the figure at $1,500 charged to a single card after an unattended tap event at a gas station. Treat it as an outlier, not the typical case.
Even discounting that as an outlier, the FTC's 2024 Consumer Sentinel data book reports $12.5 billion in directly-reported consumer fraud losses for the year — a 25% jump from 2023.
That includes 449,032 credit-card-misuse identity-theft reports.
The FTC's parallel report on older adults estimates real losses for the 60-plus demographic at up to $81.5 billion annually when underreporting is accounted for. Median 70-something fraud incident: $1,000.
The cost of being wrong about whether ghost-tapping is "real enough to act on" is asymmetric.
The cost of buying three RFID-blocking cards and being wrong in the other direction is one discounted bundle — 54% off the merchant's stated $150 retail.
Set that against the FTC's own $1,000 median for a fraud hit on someone in their 70s, and the math isn't close. Spread across three wallets in your family. Permanent until you remove it.
The small unrecognized charge is the test. The thief confirms the card is alive before selling the data forward. If you've been catching one of these on your parent's statement every few months — that's what you've been catching.
Drawn from the merchant's product page and the caregiver and traveler situations described throughout this report:
I've had my cards skimmed in airports twice, and it was terrifying. I bought these for myself and my husband before our next trip — peace of mind I didn't realize I needed.
I gave one to my mom after her card got compromised for the fourth time in a year. She didn't have to learn anything or change her routine — it just sits in her wallet. The bank calls stopped.
My husband travels a lot for work and was always paranoid about the new tap-to-pay readers. I got him the three-pack and slipped one in his work bag, one in his wallet, one in our travel pouch. Done.
These accounts are drawn from the merchant's product-page reviews and the situations described above; some details are illustrative and the named customers are not independently verified. See the advertising notice below.
Per the merchant product page, the 90-day money-back applies on the standard 3-pack bundle. Per our review of the same page: returns are processed through the merchant's own customer service via the contact path listed on their site. No part of the guarantee depends on us — we did not negotiate it and cannot expand it. The merchant's published terms are what apply.
The international-travel use case is where the cohort that buys these cards usually catches the cost of NOT having them.
If you're caring for an aging parent whose card has been compromised more than once in the past twelve months — go.
If you're heading on international travel where tap-to-pay readers are unfamiliar — go.
If you've simply read the 2024-2026 wave of ghost-tapping consumer alerts and decided you'd rather carry the protection than carry the assumption it won't happen to you — go.
The 2024 wave produced this category specifically because the existing options — change your wallet, change your daily payment workflow, learn the phone app — don't reach the people most exposed. Three cards in a 3-pack, slipped into wallets that don't get replaced, don't ask anyone to learn anything.
The card the reporting kept leading us back to is below.
P.S. If you've been on the phone with your parent's bank's fraud department more than once this year — what you've been responding to is the test charge. The thieves are confirming the card is alive before they sell the data forward. The cards in the 3-pack run about $20 each, work the moment they're in the wallet, and don't ask anyone to learn a new behavior. The bank call is what we're trying to stop receiving — not be faster at responding to.
Selecting the link will take you off of Consumer Card Watch and onto the merchant's own product page, where the 3-pack discount and 90-day guarantee both apply per their published terms.
DISCLAIMER
This is a paid advertisement for promotional purposes only and not an actual news article, consumer protection update, or health blog. The content on this page is intended for informational and marketing purposes only. The website owner may receive compensation from purchases made through links or forms on this page.
NO GUARANTEE OF PROTECTION: Cardian / GhostCard™ is an RFID-shielding insert, not a guarantee against all fraud. It is designed to block 13.56 MHz contactless (NFC) reads only — it does not prevent card-not-present fraud, phishing, phone or romance scams, magstripe skimming, or chip-reader fraud. Individual results may vary.
ADVERTISING NOTICE: Testimonials, images, and stories presented on this page may include real users, paid actors, or fictionalised representations created for marketing purposes. The text may be written by marketers and should not be interpreted as factual or typical.
This content was generated with AI assistance and is for editorial-style commentary. Consumer Card Watch receives compensation when readers purchase via the affiliate links above. Featured statistics, claims, and testimonials sourced from the cited references and the Cardian merchant page (cardiansafecard.com).