So they need to keep the victim’s card next to one phone, and then they can use another internet connected phone elsewhere to make a purchase. Doesn’t sound that scary to me. If they already have my card then does it matter how far away they can make a purchase?
This could be bad in the sense that anyone working a drive through could spend a day doing it.
You don’t actually give the card to the employees, do you?
Typically when I go through a drive thru, I hand my card to someone who then leans back inside to swipe/tap/whatever it, then they hand it back. So yes, commonly I do give my card to an employee for at least a few seconds.
During 2020-2022 more of them were in the habit of placing the PIN pad at the window so it could be reached by customers from their cars, but it wasn’t designed to be used that way and I’m sure it caused other issues.
I mean, this is “malware” in the obvious sense.
But it’s not compromising anything Android is doing. (Though it’s worth noting that things like this are why Apple restricts NFC).
It’s just phishing at the end of the day. Something you should make users aware of, but not a security flaw of the device.
