Contactless payment over £/€30
Comments
-
So there are lots of scare stories but in reality you're very unlikely to be affected by it.
The bank trapped it so, obviously their monitoring software is very good, and I wasn't financially adversely affected. The CC company wouldn't confirm how the fraudulent transaction was instigated. It was a new card and the first contactless payment card (from Tesco CC) I'd had.
The annoying thing was that I was then without the CC for 7 days whilst a new one was organised.
Personal Responsibility - Sad but True
Sometimes.... I am like a dog with a bone
0 -
Au contraire Slackbladder, I've been affected.
The bank trapped it so, obviously their monitoring software is very good, and I wasn't financially adversely affected. The CC company wouldn't confirm how the fraudulent transaction was instigated. It was a new card and the first contactless payment card (from Tesco CC) I'd had.
The annoying thing was that I was then without the CC for 7 days whilst a new one was organised.
I didn't say nobody has been affected by it so I'm not surprised someone from this vast forum has!
But what exactly happened? Did the card get lost or did you still have the card and just received a call out of the blue saying there was a fraudulent contactless transaction?
0 -
Just received a call from the call centre out of the blue.
Personal Responsibility - Sad but True
Sometimes.... I am like a dog with a bone
0 -
It's not the card that's unsafe, it's usually the account holder not taking sufficient care of it. Mine is removed from the RFID-proof wallet, used and put back immediately. I keep every receipt until the payment is taken, then shred them. And I have one arm restricted, due to mobility problems.
2 weeks ago I had to call after a young man who left his card on the counter at Superdrug.
I think this job really needs
a much bigger hammer.
0 -
Like Robisere says above, you can get special wallets that shield your contactless cards until you take them out; that might be helpful. Example below:
https://youtu.be/5C574p2uPII
0 -
Money saving tip. For about 10p each (pack of 25) I got RFID blocking plastic sleeves to store my contactless cards in. The edges of the sleeves can be trimmed with scissors so the cards still fit in my existing wallet. A lot cheaper than a new wallet.
0 -
So the card can be cancelled but still used for contactless payments? That is outrageous. How on earth was contactless brought in with such a flaw?
As noted above, it isn't a flaw, but no one seems to have really got into the 'why?'
When contactless was first introduced, terminals were generally connected by dial-up lines and took ages to process. The idea of running all contactless offline was to make it an instant, cash-like experience. Online wasn't even supported, generally, in the UK. Instead, you had an offline transaction counter that, once hit, forced the card to be inserted. You also had a per-transaction limit.
This is a risk banks take to offer you a better experience, and you are never out the money for fraud as long as you take reasonable care, and report the card stolen as soon as you realise it (and you realise it in a reasonable time, etc). It doesn't matter if additional offline transactions happen, you aren't liable.
Yes, contactless could have been made online-only, but it would have been a poor experience on dial-up terminals. The US launched contactless this way (mostly because the security measures to protect against cloned cards, even contactless, in the US have historically been much worse, so the banks needed to check if a card was cancelled). Visa is making this change now. Any mobile payment has always been online. Mastercard and Amex are increasingly pushing payments online, though not very small transactions yet.
As for the limit, British banks agreed together on the (currently) £30 limit for contactless transactions with no CVM (Cardholder Verification Method). This provides consistency of marketing and sets consumer expectations. CVM on contactless has traditionally been difficult here: offline PIN isn't supported (do not confuse offline PIN with offline authorisation, they're unrelated - offline PIN is normal for all transactions in the UK and means the PIN is checked by the card) since contactless doesn't keep the card around after PIN entry to check the PIN was correct, online PIN is not widely supported in the UK, and signature is not considered acceptably secure to most UK banks. Mobile payments, however, introduce CVM to contactless in the UK for the first time by using CDCVM - Consumer Device Cardholder Verification Method. This allows the phone itself to verify you securely as the cardholder, using your fingerprint or phone PIN. Thus, there is no limit on these transactions generally (One bank has a £100 limit on Android, but their app is terrible, so it's no surprise to me they don't trust it above that).
Other countries may have no limits at all, or different CVM standards. In the US, for example, the standard for ALL transactions - contact chip, contactless, and magstripe is either signature or no CVM depending on the amount. Contactless (EMV mode) is equally secure to contact (and far more secure (even in magstripe emulation mode) than magstripe, still widely used there), so there is no limit.
Now, back to your original question - when all the banks were happily agreeing that contactless in the UK was always no CVM and £30 limit, terminals were hard programmed with the £30 limit. Today, that's generally been removed if a terminal supports CDCVM to allow >£30 transactions. How the terminal behaves may vary, the terminal may still refuse to proceed if CDCVM isn't available, but it may not - it may just (and, by the standards probably should) simply submit the transaction online for authorisation (since it's over £30 it should never happen offline per the card, even amounts smaller than that usually won't anymore); and it depends how touchy your bank is whether it gets approved or not.
The important thing to remember, is that this is a risk your BANK takes to keep you happy. Approved transactions = happy customers. You're never liable for fraud. They took on the risk if they approved it. Same with getting your PIN wrong. I saw a hilariously bad article in a major newspaper recently about the 'horrible flaw' that if you entered your PIN wrong three times, the card would revert to chip and signature and still work.
It's. Not. A. Flaw. Offline PIN, to prevent offline cracking, has a three-attempt counter. If you use up the three attempts, it will move to the next CVM in the list, which is usually either signature or online PIN (which British terminals usually don't support, and will thus move on again, to signature).
The authorisation message to the bank (since the first supported CVM failed, this has to go online) will note 'offline PIN failed, signature succeeded'. Signature is considered a much weaker CVM by most banks, and they make a risk management decision to approve or decline it. If it's for a purchase you regularly make, in your home area, many banks will approve it to keep you happy, assuming you just messed up your PIN - especially if the amount is small and they're not out much if they get it wrong. If you go and do the same thing for a diamond engagement ring, it will almost certainly be declined!
/end of long message, but I hope it comforts you that these things aren't flaws, they're intentional risk management decisions and you aren't liable if the bank gets their guesses wrong. But they usually don't, and when they get them right, your transactions go through and you're on your way. Ultimately, that's the goal. They could implement truly secure multi-factor auth on every transaction, but people don't really want security. They'd all switch to cash. Which, you'll note, is far less secure than any of this - you have no protection against theft whatsoever.
P.S. The reason the US can be so much more lax is that shops are charged far higher fees to take cards in the US than in the UK, so the banks can afford to get it wrong more often.
P.P.S. RFID blocking wallets are a waste of money... modern EMV mode contactless is extremely secure against counterfeit card fraud. The idea of someone brushing up against you and copying your card is a complete work of fiction in EMV mode (and even in magstripe emulation mode, not that easy to do, and they wouldn't get a perfect copy, just the ability to pre-play a transaction)
0 -
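The cardholder-verification fallback described in the post above, as an added example that is not part of the original post and not real EMV terminal code. The class, function and CVM names are hypothetical, the model is deliberately simplified, and the £30 and three-attempt figures are the ones the post quotes.

```python
from dataclasses import dataclass

PIN_TRIES = 3          # offline PIN attempt counter, as stated in the post
NO_CVM_LIMIT = 30.00   # UK no-CVM contactless limit in GBP, as stated in the post

@dataclass
class Card:            # hypothetical model, not a real EMV card profile
    pin: str
    cvm_list: tuple = ("offline_pin", "online_pin", "signature")
    tries_left: int = PIN_TRIES

    def check_pin(self, attempt):
        """Offline PIN: the card itself compares the PIN and counts failures."""
        if self.tries_left == 0:
            return False                  # counter exhausted, PIN is blocked
        if attempt == self.pin:
            self.tries_left = PIN_TRIES
            return True
        self.tries_left -= 1
        return False

def contact_cvm(card, terminal_cvms, pin_attempts):
    """Walk the card's CVM list in order.
    Returns (cvm_used, results, must_go_online)."""
    results, attempts = [], iter(pin_attempts)
    for cvm in card.cvm_list:
        if cvm not in terminal_cvms:
            results.append((cvm, "unsupported"))   # e.g. online PIN on a UK terminal
            continue
        ok = True                                  # signature: assumed accepted by staff
        if cvm == "offline_pin":
            ok = False
            while card.tries_left > 0 and not ok:
                attempt = next(attempts, None)
                if attempt is None:                # cardholder gave up
                    break
                ok = card.check_pin(attempt)
        results.append((cvm, "succeeded" if ok else "failed"))
        if ok:
            # A failed CVM earlier in the list forces online authorisation,
            # and the results travel with it so the issuer can weigh the risk.
            return cvm, results, any(r == "failed" for _, r in results)
    return None, results, True

def contactless_cvm(amount, cdcvm_verified):
    """Contactless path: CDCVM lifts the limit, otherwise no CVM up to the limit."""
    if cdcvm_verified:
        return "cdcvm"
    # Treating the limit as inclusive is an assumption of this sketch.
    return "no_cvm" if amount <= NO_CVM_LIMIT else "send_online_or_refuse"
```

The `results` list is the part the issuer's risk engine would see: a signature that follows a failed offline PIN is a different signal from a PIN that verified first time.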
I have a contactless transaction on my credit card for €36/£32.42 but was sure that the limit is 30 in a single transaction. The vendor told me my payment declined and so I used another card so have been charged on both. Can contactless be used for over 30?
From my experience in Italy and Poland, yes, the POS machine won't refuse the card when you use it contactless for amounts higher than e.g. 25 euros - you just need to type your PIN (or sometimes sign the receipt) to complete your transaction.
0 -
The contactless limit in Australia is $100, double the UK's and I don't see the amount of complaints that I see in the UK, neither do people seem to worry about it as much as they do in the UK.
(I don't think I interact with particularly different groups of people in Australia compared to the UK, and I think I consume the same sorts of media - though obviously it's all anecdotal anyway.)
A$100 is a much more useful limit than £30 as you can use contactless for things like filling up a vehicle, a weekly supermarket shop or a restaurant meal for 2.
0 -
The contactless limit in Australia is $100, double the UK's and I don't see the amount of complaints that I see in the UK, neither do people seem to worry about it as much as they do in the UK.
(I don't think I interact with particularly different groups of people in Australia compared to the UK, and I think I consume the same sorts of media - though obviously it's all anecdotal anyway.)
A$100 is a much more useful limit than £30 as you can use contactless for things like filling up a vehicle, a weekly supermarket shop or a restaurant meal for 2.
I expect the UK no CVM contactless limit will go up, and that forcing all contactless online is the precursor to this. My bet is on £50.
Australia also has wide support for online PIN, I believe? That is, if you tap for over $100 does it decline, or does it just prompt for PIN? The latter requires online PIN support not configured on most UK terminals.
0
This discussion has been closed.