
MP demands action over contactless card security flaw

Senior Labour MP Rachel Reeves cited MSE's case study in Parliament...

Comments

  • JuicyJesus
    JuicyJesus Posts: 3,830 Forumite
    edited 9 February 2017 at 4:07PM
    It's not a security flaw, it's how contactless payments (and offline debit cards) work.

    I fail to see the problem so long as banks refund the payments. Not to mention, contactless fraud is so negligible that it isn't worth worrying about. Fraudsters don't buy McDonalds with contactless, they go on the Apple website and buy an iMac they can sell on using the card number and CVV, or use TransferWise or similar to send themselves the money.

    I've still not heard of any cases of contactless fraud, or the "flaw" in this article rearing its head - because it would be an utterly pointless waste of time for a fraudster compared to, say, nicking a card and buying a computer with it.
    urs sinserly,
    ~~joosy jeezus~~
  • Bob_Dean
    Bob_Dean Posts: 20 Forumite
    It certainly is a security flaw (it is a design flaw). It should not be possible to use a contactless card after it has been cancelled. I would personally like to have to authorise my contactless payments with my PIN to prevent my card getting used if stolen.
  • phillw
    phillw Posts: 5,630 Forumite
    edited 9 February 2017 at 5:14PM
    JuicyJesus wrote: »
    I fail to see the problem so long as banks refund the payments. Not to mention, contactless fraud is so negligible that it isn't worth worrying about.

    The problem is that you've lost your card, or had it stolen and even though you have reported that the card is no longer under your control then for the next couple of years you have to keep track of every transaction that you make in case the criminal goes shopping in the same stores as you do.

    At first the cards I used contactless had to be re-activated with a PIN every four uses, but that restriction is unreliable as eventually I could continually use contactless and never had to enter my PIN.
    JuicyJesus wrote: »
    Fraudsters don't buy McDonalds with contactless,

    Probably not, as they'll be trying to max out the £30 transaction limit. Either buying things to sell, or just buying their food shopping.

    Skimmed cards have larger transactions go through and in a shorter time, because they know that the cards will stop working soon. For stolen cards the window should be small, but if you make contactless payments then you have months of safely spending £30 a time. It's a simple fix for the banks, but they would rather not do it as they'll have to refund all the transactions and not just the ones the customer happens to notice.

    They did the same thing with chip and PIN. They picked the cheapest solution, knowing that it was woefully insecure & refusing to do anything about fixing it even when the flaws were publicly revealed. They knew that a lot of people won't notice and if/when they did, then the banks lied about how secure it was to convince the customer they must be responsible.

    The banks even tried it on in the old days of the credit card imprinter. After complaining about a couple of transactions, one store couldn't be bothered to look for the receipt as the value was quite small so that got written off. The bank told me I had made the other transaction so it had been reinstated, even though the signature didn't match the signature they had on file and the expiry date didn't match any card that they had ever issued me. When I complained about the wording of the letter they told me that it was an old letter that should not have been sent to me.

    There are reports online, it's likely that there are people who have reported cards stolen and haven't realised that it's happened to them as the transactions don't stand out. They could fix it, but it's not in their financial interest to fix it.
  • Pincher
    Pincher Posts: 6,552 Forumite
    I was trying to use a £6 off if you spend £60 voucher in Waitrose.

    Obviously you have to spend at least £54, which is over £30.

    I just had to ask, and the cashier split the payment, so I paid Contactlessly twice. Why? Because I get 5% cash back with the TSB card, but only if I paid contactlessly.

    So, a cashier could easily overcome the £30 limit, if they wanted to.

    The thief will need to wear a disguise though, as security cameras can easily be matched to the time stamp. Not that they (bank, police) could be bothered for such small amounts.
  • JuicyJesus
    JuicyJesus Posts: 3,830 Forumite
    All of that is well and good, but I've still never seen a person actually defrauded through contactless which negates your entire post. I also fail to see why a fraudster would care about a £30 spend limit at all when it's more productive to just buy stuff online without any limit other than the funds in the account.
    urs sinserly,
    ~~joosy jeezus~~
  • Anthorn
    Anthorn Posts: 4,362 Forumite
    Agree with JuicyJesus. Really! I'm agreeing!

    Contactless cards are not actually contactless cards per se. They are debit cards and credit cards (and pre-paid cards). It's pretty much well known that all cards continue to work after they have been cancelled. This is an anti-fraud measure to prevent a card-holder buying something with their card and then cancelling it before the card is charged as in the case of for example offline cards.

    The campaign should not be to stop the anti-fraud measure outlined above, but to force card issuers to fully withdraw a card when it's proved to be subjected to fraud.
  • HornetSaver
    HornetSaver Posts: 3,732 Forumite
    There are all sorts of crimes I'm fortunate enough never to have seen. It's a pretty weak argument to use to claim it doesn't happen.

    Nonetheless, I do accept the point which was intended - contactless is a significantly lower-impact fraud than other types out there. Though given the lack of incentive for retailers (or below a certain level of prevalence, even the police) to spend significant time to investigate a fraudulent £25 transaction in which the retailer has already been paid and will not be required to refund the money, the chances of it happening are therefore relatively high.

    What you also need to bear in mind is that crime is like a drug. People who get used to using a stolen or found contactless card might think less of committing other types of theft, fraud etc which would have a bigger impact.

    In my opinion, the groups of people most likely to be actually losing out by the current practice are people already in debt but not at the point of recognising that they're in serious trouble, families with joint accounts, and people who are not as fastidious at monitoring their statements as they ought to be. MSE stories tend to be littered with examples of people saving huge amounts of money by doing simple things, and MSE are perfectly right to tout their trumpet about these real-life successes from their advice. But the flip side of this is that there are litters of examples of people squandering huge amounts of money by not doing said simple things.

    My conclusion is that if the fault for the ability of this fraud to continue lies with the banks for not pressing ahead with improving security on the basis that it's actually cheaper not to, then the compensation to customers who do notice should be relatively punitive for the banks. Full refund, plus lost interest, plus any fees or charges incurred as a direct result, plus a payment to reflect the amount of time and if applicable cost spent by the customer in following the matter up. Subtotal, and then apply a penalty which is a percentage of that figure. This would create a stronger than ever incentive for people to go through their accounts more carefully, and for the banks to conclude that sorting this issue out is worth it.
  • 20aday
    20aday Posts: 2,610 Forumite
    One thing I can't seem to grasp is this: every so often you need to insert your card and enter the PIN.

    Surely if a card has been reported as lost/stolen the issuing bank should update their hot card file - then after 'x' amount of fraudulent transactions when the terminal asks for a PIN the card is declined (and retained).
    It's not your credit score that counts, it's your credit history. Any replies are my own personal opinion and not a representation of my employer.
  • dk5294
    dk5294 Posts: 178 Forumite
    edited 10 February 2017 at 11:29AM
    wrong place - sorry
  • Ben8282
    Ben8282 Posts: 4,821 Forumite
    I had a contactless debit card stolen a few months ago. Loss was reported immediately. The card was used for a few transactions over the next 3 days in well known retailers known to use offline terminals. Then it stopped when the offline terminals updated. Bank immediately refunded. No activity since.
    There is really no way to eliminate this unless all terminals are online and every single transaction is authorised which is unlikely to be cost effective.
    Compared to what happened years ago when I had a cheque book and cheque guarantee card stolen this is nothing.
This discussion has been closed.