MSE News: Banks must take action over contactless card security flaw, says leading MP

The chair of the House of Commons' influential Treasury Select Committee has called for banks to do more to protect customers after MoneySavingExpert.com revealed that crooks are able to use contactless credit and debit cards months after they have been cancelled....
Read the full story:
'Banks must take action over contactless card security flaw, says leading MP'

Comments

  • fun4everyone
    Contactless decreases the security around your money shocker. Joke that currently it works if you use a cancelled card.
  • RedDwarf82
    Either banks have been careless, or they need to sort out their IT systems
    I think he meant banks "need to sort out their IT systems" because they "have been careless".

    Isn't the careless part a given?
  • nic_c
    The banks allow cards to be used off-line whether this be contactless or chip-n-pin, it's just less likely to have your card and pin stolen. So I assume if your pin was known, even if a card was cancelled it could be used as c&p months after if offline.

    The onus on stopping transactions on cancelled cards from appearing on an account should be with the bank, since you have done your part and got the card cancelled, you shouldn't need to be still checking eight months later. It's convenient for banks to allow off-line transactions and not monitor accounts for such small transactions.
    There needs to be either an improvement in their IT systems or a financial penalty. Such as if you find transactions from cancelled cards, not only will they reimburse you but pay an additional £50 per transaction.
  • Pincher
    Now the TSB demand for PIN after several transactions suddenly makes excellent sense.

    I find even when blocked this way, you can still use it for Oyster transactions. Otherwise, bus won't let you ride, in the middle of the night, they discover your body next day, raped, robbed, stabbed and then raped again by necrophiliacs. Bad publicity for Contactless.
  • nic_c
    Pincher wrote: »
    Now the TSB demand for PIN after several transactions suddenly makes excellent sense.

    I find even when blocked this way, you can still use it for Oyster transactions. Otherwise, bus won't let you ride, in the middle of the night, they discover your body next day, raped, robbed, stabbed and then raped again by necrophiliacs. Bad publicity for Contactless.
    Hmm, the point isn't fraudulent use before it's been reported and cancelled, but months afterwards. You could be attacked, have your PIN revealed under torture and killed etc, just because they then went on a spending spree by the time your body was discovered doesn't mean bad publicity of C&P.
  • miller
    AFAIK TfL use a local "deny list" at each validator so a reported card could not be used for travel (or used in other scenarios where outstanding fares have not been paid, for example, insufficient funds at end of day). In a way, it is probably one of few places where the reported card could not be used.

    As mentioned, where transaction value counters are breached (i.e. several contactless transactions have been made without the use of a PIN) travel is permitted (provided the card is not on the deny list).
  • miller
    nic_c wrote: »
    The onus on stopping transactions on cancelled cards from appearing on an account should be with the bank

    This is it in a nutshell really. It's not really a security flaw IMO, it's an implementation flaw (well, from the customers' point of view; I'm sure most banks like the status quo).

    From the table in the article, M&S is the only bank to have a "correct" implementation (i.e. customer reports card lost/stolen, no transactions appear and they are not contacted about them).
  • nic_c
    miller wrote: »
    This is it in a nutshell really. It's not really a security flaw IMO, it's an implementation flaw (well, from the customers' point of view; I'm sure most banks like the status quo).

    From the table in the article, M&S is the only bank to have a "correct" implementation (i.e. customer reports card lost/stolen, no transactions appear and they are not contacted about them).
    With the move to C&P the onus changed to the user to prove misuse, and contactless is deemed to use C&P security. Yes it can't be cloned like magstripe cards but they can still be stolen. Security has been sacrificed for ease of use, which wouldn't be as much of a problem if consumers had the choice as to whether to be exposed.

    The problem is that banks don't see it as a problem! They would most likely cite that any fraudulent transactions from lost/stolen cards would be reimbursed and completely miss the fact that the consumer has to identify them, when really they should be able to check every transaction, irrespective of amount and irrespective of whether it was done offline/online.
  • jonesMUFCforever
    The consumer should ALWAYS check their statements to check all transactions are genuine - that is a given because if they do not they deserve to lose out IMO.

    These days it is not rocket science is it to check either their paper statements or online statement or on a mobile device (or even telephone banking).
  • nic_c
    The consumer should ALWAYS check their statements to check all transactions are genuine - that is a given because if they do not they deserve to lose out IMO.

    These days it is not rocket science is it to check either their paper statements or online statement or on a mobile device (or even telephone banking).
    We entrust the banks to look after our cash and keep it safe. Why should we need to second guess the banks? Having a card stolen is traumatic enough, especially having to scour statements in the short term for fraudulent transactions. Usually people want closure, but still having to be vigilant eight months later isn't closure.

    It's like losing your house keys with address information, and the insurance company saying "don't bother changing your locks, just take inventory every day and if ever there's anything missing you can start a claim".
This discussion has been closed.
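
Added example, not part of the thread and not any bank's or TfL's actual code: a simplified Python model of the two controls the posters describe, a deny list held locally on the reader and a bank-side check that holds back offline transactions tapped after the card was cancelled. The card identifiers, dates, amounts and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Txn:
    card: str      # constructed identifier, not a real card number
    amount: float
    tapped: date   # date the card was presented at the reader

def reader_decision(card, deny_list, can_go_online, issuer_cancelled):
    """What a reader can decide at tap time (simplified model)."""
    if card in deny_list:            # local list held on the reader itself
        return "DECLINE"
    if can_go_online:                # issuer is asked, so cancellation is seen
        return "DECLINE" if card in issuer_cancelled else "APPROVE"
    return "APPROVE_OFFLINE"         # issuer is never consulted

def issuer_screen(cleared, cancelled_on):
    """Bank-side check when offline transactions arrive for posting.

    Anything tapped after the card's cancellation date is held back instead
    of being posted to the customer's account.
    """
    posted, held = [], []
    for t in cleared:
        cancel = cancelled_on.get(t.card)
        (held if cancel is not None and t.tapped > cancel else posted).append(t)
    return posted, held

# Constructed sample data: CARD-A was reported stolen on 10 January.
CANCELLED_ON = {"CARD-A": date(2015, 1, 10)}
CLEARED = [
    Txn("CARD-A", 4.50, date(2015, 1, 5)),    # genuine, before cancellation
    Txn("CARD-A", 12.00, date(2015, 9, 12)),  # offline tap eight months later
    Txn("CARD-B", 7.20, date(2015, 9, 12)),   # different, still-active card
]

if __name__ == "__main__":
    print(reader_decision("CARD-A", set(), False, {"CARD-A"}))
    print(reader_decision("CARD-A", {"CARD-A"}, False, {"CARD-A"}))
    posted, held = issuer_screen(CLEARED, CANCELLED_ON)
    print("posted:", posted)
    print("held:", held)
```

In this model the offline reader approves the cancelled card unless it carries its own deny list, so the only other place the transaction can be stopped is the bank's screening step.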