MP demands action over contactless card security flaw

Pincher

A week ago, Santander rang me up, saying there is a suspicious transaction, was it mine. Someone had used my credit card to try to withdraw cash, OVERSEAS, but I had just used it in Waitrose!

The system declined the ATM transaction, and they think the old card got "skimmed", i.e. cloned when swiping, and they got the old PIN at the same time. We agreed to replace the card, with a new PIN sent out, but they said I should keep an eye out for unknown transactions anyway.

I assume a cloned card can't be used for Contactless, or can it?

The new card has a new PIN, and a new card number, so the old card is definitely cancelled.

JuicyJesus

Pincher wrote: »

I assume a cloned card can't be used for Contactless, or can it?

Nope. You can't make a cloned card that works with contactless.

badmemory

Where does the idea that you have to put your pin number in after 3 or 4 transactions come from? The terms & conditions if I remember correctly. So how come I used it for 7 transactions in a row without having to put my pin number in. According to the T & Cs you should only ever have a maximum of 4 fraudulent contactless transactions, so how come some are still showing up years after?

PixelPound

badmemory wrote: »

Where does the idea that you have to put your pin number in after 3 or 4 transactions come from? The terms & conditions if I remember correctly. So how come I used it for 7 transactions in a row without having to put my pin number in. According to the T & Cs you should only ever have a maximum of 4 fraudulent contactless transactions, so how come some are still showing up years after?

Because if they are done by an offline reader it doesn't know and the transactions are simply uploaded and approved.

kjetilniki

what happens if your card getvstolen

If contactless you are at risk as the thief can use it any number of times altho only £30 at a time.

If not contactless it is chip and pin only. In order to use it the thief would have to know your pin no or be a professional thief with access to ability to get the pin no

On the internet in either case you are at risk as the thief has the back of the card for the 3 digit the check no. altho some banks do follow up with a check that requires the use of the pin no as well

You are liable for up to £50 of fraudulent use. s83 of the Consumer Credit Act limits the loss thro fraud to £50 and it is for the card co to prove it wasn't fraud.

you get full protection from after you tell them.

However initial losses for many people can cause very major hardship especially if you are living off £56pw (under 25 JSA income).

Also in some cases the banks don't automatically pick up on contactless fraudulent use after notification and may have to spot and reclaim for fraudulent use even mnths later

solution

Unless the bank agrees to no loss at all from fraudulant use including fraudulent use before the credit token is reported stolen

the regulator should require

1 no one can issue a contactless credit token unless there is an option without detriment for a non-contactless credit token

2 no contactless credit token unless the consumer has agreed b4 hand expressly for it be contactless. (no default)

3 In any process the default option has to be for non contactless.

in the meantime everyone should refuse to have a contactless and ask for their contactless to be replaced by a non-contactless version of their credit token

kjetilniki

on MSE it is said
"Richard Koch, head of policy at trade body the UK Cards Association, says:

"Fraud on contactless cards is low. Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket." "


Note there is no caveat.

Either
MSE has misquoted him
OR
there is a clear statement condition in the terms and conditions by each of the credit token companies to that effect
OR
he is incompetant
OR
he is knowingly making a misleading statement for effect and ignoring the caveats.

phillw

Pincher wrote: »

I just had to ask, and the cashier split the payment, so I paid Contactlessly twice. Why? Because I get 5% cash back with the TSB card, but only if I paid contactlessly.

I had 5% too and most places wouldn't allow card payments to be split across cards, those that did would only allow contactess once & the others had to use a PIN. As the £30 limit is there to stop you doing exactly what you did, they may have violated the T&C of their payment processor if they did allow you.

nic_c wrote: »

Because if they are done by an offline reader it doesn't know and the transactions are simply uploaded and approved.

The card can know how many contactless transactions have been made since you last entered a PIN. It has local storage and computing power. If the cards don't track it then it's another flaw.