NOW OPEN: the MSE Forum 'Ask An Expert' event. This time we'd like your questions on TRAVEL & HOLIDAY DEALS. Post by Wed and deals expert MSE Oli will answer as many as he can.

MSE News: Banks must take action over contactless card security flaw, says leading MP

in Credit cards
22 replies 4K views
The chair of the House of Commons' influential Treasury Select Committee has called for banks to do more to protect customers after MoneySavingExpert.com revealed that crooks are able to use contactless credit and debit cards months after they have been cancelled....
Read the full story:
'Banks must take action over contactless card security flaw, says leading MP'
OfficialStamp.gif
Click reply below to discuss. If you haven’t already, join the forum to reply. If you aren’t sure how it all works, read our New to Forum? Intro Guide.
«13

Replies

  • fun4everyonefun4everyone Forumite
    2.3K Posts
    Seventh Anniversary 1,000 Posts Name Dropper Photogenic
    Forumite
    Contactless decreases the security around your money shocker. Joke that currently it works if you use a cancelled card.
  • RedDwarf82RedDwarf82 Forumite
    163 Posts
    Ninth Anniversary 100 Posts Name Dropper Combo Breaker
    Forumite
    Either banks have been careless, or they need to sort out their IT systems
    I think he meant banks "need to sort out their IT systems" because they "have been careless".

    Isn't the careless part a given?
  • nic_cnic_c Forumite
    2.6K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    Forumite
    The banks allow cards to be used off-line whether this be contactless or chip-n-pin, its just less likely to have your card and pin stolen. So I assume if your pin was known, even if a card was cancelled it could be used as c&p months after if offline.

    The onus on stopping transactions on cancelled cards from appearing on an account should be with the bank, since you have done your part and got the card cancelled, you shouldn't need to be still checking eight months later. Its convenient for banks to allow off-line transactions and not monitor accounts for such small transactions.
    There needs to be either an improvement in their IT systems or a financial penalty. Such as if you find transactions from cancelled cards, not only will they reimburse you but pay an additional £50 per transaction.
  • PincherPincher
    6.6K Posts
    Forumite
    Now the TSB demand for PIN after several transactions suddenly make excellent sense.

    I find even when blocked this way, you can still use it for Oyster transactions. Otherwise, bus won't let you ride, in the middle of the night, they discover your body next day, raped, robbed, stabbed and then raped again by necrophiliacs. Bad publicity for Contactless.
  • nic_cnic_c Forumite
    2.6K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    Forumite
    Pincher wrote: »
    Now the TSB demand for PIN after several transactions suddenly make excellent sense.

    I find even when blocked this way, you can still use it for Oyster transactions. Otherwise, bus won't let you ride, in the middle of the night, they discover your body next day, raped, robbed, stabbed and then raped again by necrophiliacs. Bad publicity for Contactless.
    Hmm, the point isn't fraudulent use before its been reported and cancelled, but months afterwards. You could be attacked, have your PIN revealed under torture and killed etc, just because they then went on a spending spree by the time your body was discovered doesn't mean bad publicity of C&P.
  • millermiller Forumite
    1.5K Posts
    Part of the Furniture 1,000 Posts Combo Breaker Photogenic
    Forumite
    AFAIK TfL use a local "deny list" at each validator so a reported card could not be used for travel (or used in other scenarios where outstanding fares have not been paid, for example, insufficient funds at end of day). In a way, it is probably one of few places where the reported card could not be used.

    As mentioned, where transaction value counters are breached (i.e. several contactless transactions have been made without the use of a PIN) travel is permitted (provided the card is not on the deny list).
  • millermiller Forumite
    1.5K Posts
    Part of the Furniture 1,000 Posts Combo Breaker Photogenic
    Forumite
    nic_c wrote: »
    The onus on stopping transactions on cancelled cards from appearing on an account should be with the bank

    This is it in a nutshell really. It's not really a security flaw IMO, it's an implementation flaw (well, from the customers' point of view; I'm sure most banks like the status quo).

    From the table in the article, M&S is the only bank to have a "correct" implementation (i.e. customer reports card lost/stolen, no transactions appear and they are not contacted about them).
  • nic_cnic_c Forumite
    2.6K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    Forumite
    miller wrote: »
    This is it in a nutshell really. It's not really a security flaw IMO, it's an implementation flaw (well, from the customers' point of view; I'm sure most banks like the status quo).

    From the table in the article, M&S is the only bank to have a "correct" implementation (i.e. customer reports card lost/stolen, no transactions appear and they are not contacted about them).
    With the move to C&P the onus changed to the user to prove misuse, and contactless is deemed to use C&P security. Yes it can't be cloned like magstripe cards but they can still be stolen. Security has been sacrificed for ease of use, which wouldn't be as much of a problem if consumers had the choice as to whether to be exposed.

    The problem is that banks don't see it as a problem! They would most likely cite that any fraudulent transactions from lost/stolen cards would be reimbursed and completely miss the fact that the consumer has to identify them, when really they should be able to check every transaction, irrespective of amount and irrespective of whether it was done offline/online.
  • jonesMUFCforeverjonesMUFCforever Forumite
    28.9K Posts
    Part of the Furniture 10,000 Posts Name Dropper
    Forumite
    The consumer should ALWAYS check their statements to check all transactions are genuine - that is a given because if they do not they deserve to lose out IMO.

    These days it is not rocket science is it to check either their paper statements or onlinr statement or on a mobile device (or even telephone banking).
  • nic_cnic_c Forumite
    2.6K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    Forumite
    The consumer should ALWAYS check their statements to check all transactions are genuine - that is a given because if they do not they deserve to lose out IMO.

    These days it is not rocket science is it to check either their paper statements or onlinr statement or on a mobile device (or even telephone banking).
    We entrust the banks to look after our cash and keep it safe. Why should we need to second guess the banks. Having a card stolen is traumatic enough, especially having to scour statements in the short term for fraudulent transactions. Usually people want closure, but still having to be vigilant eight months later isn't closure.

    It's like losing your house keys with address information, and the insurance company saying "don't bother changing your locks, just take inventory every day and if ever there anything missing you can start a claim"
This discussion has been closed.
Latest MSE News and Guides

Energy Price Cap change

Martin Lewis on what it means for you

MSE News

Best £1 you've ever spent?

Share your most impressive bargains

MSE Forum