Contactless card security flaw largely fixed, in win for MSE's two-year campaign - MSE News

The financial regulator has said that "almost all" contactless transactions from the two biggest card schemes are now processed 'online' in order to combat a security flaw which meant crooks could use cards months after they'd been cancelled...
Read the full story:
'Contactless card security flaw largely fixed, in win for MSE's two-year campaign'

Comments

  • grumbler
    grumbler Posts: 58,629 Forumite
    edited 29 January 2019 at 5:23PM
    I didn't keep an eye on the whole story, so I wonder why it takes an MSE campaign and the regulator's intervention to fix the flaw?

    The flaw was obvious from the very start, it didn't need any confirmation in practice and any 'investigation' to confirm it.

    After reporting the card lost/stolen customers aren't liable for any transactions.

    So, is it not up to the banks and Visa/Mastercard/Amex to decide and fix the problem themselves?
  • Terry_Towelling
    This really isn't news. The people that come up with these new POS card-acceptance processes have a rosy view of the world and just failed to consult properly with the right people in their organisations. This used to happen when I worked in cards and we had to shout very loudly at people to make them understand the fraud risks involved and to show them how to take appropriate preventative measures.

    With contactless payments the banks had obviously decided that the fraud risk with off-line processing was acceptable and that they could stomach any losses given the predicted overall increase in genuine sales volume and a faster/better customer experience at the POS.

    If it took some kind of campaign to 'fix' the problem then that must have been contrary to what the card industry wanted. Most card issuers, if they experience too many fraud losses, will get changes made without any outside intervention.

    Fraud is like a balloon. If you squeeze it in one area, it pops out in another. Sometimes it is better not to squeeze too hard in one area lest it pops out in another area where it is harder to contain. That could have been the thinking behind allowing a certain level of fraud to continue in the contactless arena.

    As for cards being used months after being cancelled, that is not new either. Criminals have long known that a card issuer will block a stolen/lost card for a number of months following its loss and then allow the block to lapse on the basis that the fraud risk will have passed by then. The more patient crooks simply waited until the block had lapsed and spent willy-nilly. CHIP and PIN and lesser reliance on something known as 'Stand-in Processing' (STIP) for authorisations helped reduce the potential for losses in this area - and then along came 'contactless' to open it all up again.

    I can, of course, understand that card issuers need to be more mindful of the customer experience and, whilst customers will not be liable for losses following loss/theft, they may still have a problematic time if the card involved is suddenly used again after months.
  • davethorp
    davethorp Posts: 1,577 Forumite
    There never was a flaw with contactless cards. They were working as intended which was to speed up POS transaction processing by taking small value transactions offline.

    Once a card was reported lost/stolen any liability for the fraudulent transactions lay with the banks themselves and all that it would have taken to fix this “flaw” would have been for the banks to modify their systems so transactions on a cancelled card never reach consumers' accounts in the first place.

    Instead we now have a zero floor limit on contactless transactions which slows down the processing of transactions by a few seconds and only really benefits the banks whose fraud exposure on contactless cards has been reduced.

    So well done MSE in declaring victory in your campaign with a result that only really benefits the banks themselves. So much for being consumer champions.
  • ryan121
    ryan121 Posts: 209 Forumite
    If you report your card lost or stolen and transactions are made afterwards the bank will refund you anyway.

    As others have said this really is a non-issue.

    People are so concerned about contactless for some reason when at most someone could maybe get away with three transactions amounting to £90 before they're asked for the PIN and the bank will refund it anyway.
  • newfoundglory
    newfoundglory Posts: 1,912 Forumite
    edited 3 February 2019 at 12:28PM
    I recall a time when all card payments went down in Wilko stores, I asked if I could try anyway, and of course my Amex card in contactless mode worked without problem (I knew that it had offline authorisation of small payments).

    I can only think this is why Wilko stopped accepting Amex contactless in store, but do accept Amex chip and pin payment....... all a bit strange really.
  • chattychappy
    chattychappy Posts: 7,302 Forumite
    Terry_Towelling wrote: »
    With contactless payments the banks had obviously decided that the fraud risk with off-line processing was acceptable and that they could stomach any losses given the predicted overall increase in genuine sales volume and a faster/better customer experience at the POS.

    The banks were never free to make this choice. Unlike "normal" businesses (eg a shop deciding it's cheaper to allow petty theft rather than have security staff/CCTV systems/products locked up), financial institutions are under a statutory obligation to reduce financial crime. This has been the case since the passing of the Financial Services Markets Act 2001 and was in section 6 (since reorganised).

    They engaged with all the AML stuff - probably because of compliance risk rather than commercial risk. Seems they are now doing the same in respect of contactless cards, albeit late in the day.
  • phillw
    phillw Posts: 5,595 Forumite
    The UK banks chose a cheaper and less secure chip and pin system and tried saying it was secure and therefore all transactions must have been authorised by the card holder. There have been a couple of published attacks which the UK were slow to act on, but other countries acted immediately.

    It's therefore no surprise that contactless has security issues which banks are still passing the buck on. Who cares if it's online or offline? That is the banks' problem. They shouldn't be applying contactless transactions to lost or stolen cards.
  • grumbler
    grumbler Posts: 58,629 Forumite
    phillw wrote: »
    They shouldn't be applying contactless transactions to lost or stolen cards.
    Do they?.......
This discussion has been closed.