We have all experienced "pocket dialing". Yesterday was my first (and hopefully only) case of "pocket pay". Returning from a trip into Toronto, I paid with my Presto card and boarded the subway only to find out that due to a medical incident, shuttle buses were providing service between Bloor and Eglinton. I ended up stuck in the bus rear entrance up against the Presto card reader. My phone started beeping and the Presto reader displayed a message I could not see. I carry my phone in a holster on my hip, which happened to line up with the Presto reader.
When I was able to move, I found two Google Wallet transactions to Presto with no amounts. So far, these transactions have not shown up on my Presto or credit card account, and I have not been able to get a clear answer from Presto Customer Support. However, the incident raised concerns about Google Wallet security - my phone was locked and Google Wallet was not active. According to https://support.google.com/wallet/answer/12059519?hl=en, Google Wallet requires a screen lock, but further down mentions that No unlock needed for smaller payments.
On Android, It is possible to block these small payments by enabling Require device unlock for NFC (instructions in the above Google post). It is unclear when this option was introduced (I cannot find it on a phone running an older version of Android), what the default setting is (I have no recollection of disabling this option), or what the use case might be for allowing NFC to launch apps while the phone is locked.
Blog comments