    • MSE Faye, 9th Feb 17, 2:24 PM (#1, first post)
    MP demands action over contactless card security flaw
    Senior Labour MP Rachel Reeves cited MSE's case study in Parliament...
    Read the full story:
    'MP demands action over contactless card security flaw'

    Click reply below to discuss. If you haven't already, join the forum to reply. If you aren't sure how it all works, read our New to Forum? Intro Guide.
    • JuicyJesus, 9th Feb 17, 3:02 PM (#2)
    It's not a security flaw, it's how contactless payments (and offline debit cards) work.

    I fail to see the problem so long as banks refund the payments. Not to mention, contactless fraud is so negligible that it isn't worth worrying about. Fraudsters don't buy McDonalds with contactless, they go on the Apple website and buy an iMac they can sell on using the card number and CVV, or use TransferWise or similar to send themselves the money.

    I've still not heard of any cases of contactless fraud, or the "flaw" in this article rearing its head - because it would be an utterly pointless waste of time for a fraudster compared to, say, nicking a card and buying a computer with it.
    Last edited by JuicyJesus; 09-02-2017 at 3:07 PM.
    urs sinserly,
    ~~joosy jeezus~~
    • Bob_Dean, 9th Feb 17, 3:43 PM (#3)
    It certainly is a security flaw (it is a design flaw). It should not be possible to use a contactless card after it has been cancelled. I would personally like to have to authorise my contactless payments with my PIN to prevent my card getting used if stolen.
    • phillw, 9th Feb 17, 3:55 PM (#4)
    I fail to see the problem so long as banks refund the payments. Not to mention, contactless fraud is so negligible that it isn't worth worrying about.
    Originally posted by JuicyJesus
    The problem is that you've lost your card, or had it stolen and even though you have reported that the card is no longer under your control then for the next couple of years you have to keep track of every transaction that you make in case the criminal goes shopping in the same stores as you do.

    At first the cards I used contactless had to be re-activated with a PIN every four uses, but that restriction is unreliable as eventually I could continually use contactless and never had to enter my PIN.

    Fraudsters don't buy McDonalds with contactless,
    Originally posted by JuicyJesus
    Probably not, as they'll be trying to max out the £30 transaction limit. Either buying things to sell, or just buying their food shopping.

    Skimmed cards have larger transactions go through and in a shorter time, because they know that the cards will stop working soon. For stolen cards the window should be small, but if you make contactless payments then you have months of safely spending £30 a time. It's a simple fix for the banks, but they would rather not do it as they'll have to refund all the transactions and not just the ones the customer happens to notice.

    They did the same thing with chip and PIN. They picked the cheapest solution, knowing that it was woefully insecure, and refused to do anything about fixing it even when the flaws were publicly revealed. They knew that a lot of people won't notice, and when they did, the banks lied about how secure it was to convince the customer they must be responsible.

    The banks even tried it on in the old days of the credit card imprinter. After complaining about a couple of transactions, one store couldn't be bothered to look for the receipt as the value was quite small, so that got written off. The bank told me I had made the other transaction so it had been reinstated, even though the signature didn't match the signature they had on file and the expiry date didn't match any card that they had ever issued me. When I complained about the wording of the letter they told me that it was an old letter that should not have been sent to me.

    There are reports online, it's likely that there are people who have reported cards stolen and haven't realised that it's happened to them as the transactions don't stand out. They could fix it, but it's not in their financial interest to fix it.
    Last edited by phillw; 09-02-2017 at 4:14 PM.
    • Pincher, 9th Feb 17, 4:25 PM (#5)
    I was trying to use a £6 off if you spend £60 voucher in Waitrose.

    Obviously you have to spend at least £54, which is over £30.

    I just had to ask, and the cashier split the payment, so I paid Contactlessly twice. Why? Because I get 5% cash back with the TSB card, but only if I paid contactlessly.

    So, a cashier could easily overcome the £30 limit, if they wanted to.

    The thief will need to wear a disguise though, as security cameras can easily be matched to the time stamp. Not that they (bank, police) could be bothered for such small amounts.
    • JuicyJesus, 9th Feb 17, 4:26 PM (#6)
    All of that is well and good, but I've still never seen a person actually defrauded through contactless which negates your entire post. I also fail to see why a fraudster would care about a £30 spend limit at all when it's more productive to just buy stuff online without any limit other than the funds in the account.
    • Anthorn, 10th Feb 17, 6:55 AM (#7)
    Agree with JuicyJesus. Really! I'm agreeing!

    Contactless cards are not actually contactless cards per se. They are debit cards and credit cards (and pre-paid cards). It's pretty much well known that all cards continue to work after they have been cancelled. This is an anti-fraud measure to prevent a card-holder buying something with their card and then cancelling it before the card is charged as in the case of for example offline cards.

    The campaign should not be to stop the anti-fraud measure outlined above, but to force card issuers to fully withdraw a card when it's proved to be subjected to fraud.
    • HornetSaver, 10th Feb 17, 7:55 AM (#8)
    There are all sorts of crimes I'm fortunate enough never to have seen. It's a pretty weak argument to use to claim it doesn't happen.

    Nonetheless, I do accept the point which was intended - contactless is a significantly lower-impact fraud than other types out there. Though given the lack of incentive for retailers (or below a certain level of prevalence, even the police) to spend significant time to investigate a fraudulent £25 transaction in which the retailer has already been paid and will not be required to refund the money, the chances of it happening are therefore relatively high.

    What you also need to bear in mind is that crime is like a drug. People who get used to using a stolen or found contactless card might think less of committing other types of theft, fraud etc which would have a bigger impact.

    In my opinion, the groups of people most likely to be actually losing out by the current practice are people already in debt but not at the point of recognising that they're in serious trouble, families with joint accounts, and people who are not as fastidious at monitoring their statements as they ought to be. MSE stories tend to be littered with examples of people saving huge amounts of money by doing simple things, and MSE are perfectly right to tout their trumpet about these real-life successes from their advice. But the flip side of this is that there are litters of examples of people squandering huge amounts of money by not doing said simple things.

    My conclusion is that if the fault for the ability of this fraud to continue lies with the banks for not pressing ahead with improving security on the basis that it's actually cheaper not to, then the compensation to customers who do notice should be relatively punitive for the banks. Full refund, plus lost interest, plus any fees or charges incurred as a direct result, plus a payment to reflect the amount of time and if applicable cost spent by the customer in following the matter up. Subtotal, and then apply a penalty which is a percentage of that figure. This would create a stronger than ever incentive for people to go through their accounts more carefully, and for the banks to conclude that sorting this issue out is worth it.
    I'm standing by my pre-referendum prediction: "Brexit will lead to a recession"

    forums.moneysavingexpert.com/showthread.php?p=70662330
    • 20aday, 10th Feb 17, 8:48 AM (#9)
    One thing I can't seem to grasp is this: every so often you need to insert your card and enter the PIN.

    Surely if a card has been reported as lost/stolen the issuing bank should update their hot card file; then, after 'x' fraudulent transactions, when the terminal asks for a PIN the card is declined (and retained).
    It's not your credit score that counts, it's your credit history. Any replies are my own personal opinion and not a representation of my employer.
    • Ben8282, 10th Feb 17, 9:56 AM
    I had a contactless debit card stolen a few months ago. Loss was reported immediately. The card was used for a few transactions over the next 3 days in well known retailers known to use offline terminals. Then it stopped when the offline terminals updated. Bank immediately refunded. No activity since.
    There is really no way to eliminate this unless all terminals are online and every single transaction is authorised which is unlikely to be cost effective.
    Compared to what happened years ago when I had a cheque book and cheque guarantee card stolen this is nothing.
    • Pincher, 10th Feb 17, 12:21 PM
    A week ago, Santander rang me up, saying there is a suspicious transaction, was it mine. Someone had used my credit card to try to withdraw cash, OVERSEAS, but I had just used it in Waitrose!

    The system declined the ATM transaction, and they think the old card got "skimmed", i.e. cloned when swiping, and they got the old PIN at the same time. We agreed to replace the card, with a new PIN sent out, but they said I should keep an eye out for unknown transactions anyway.

    I assume a cloned card can't be used for Contactless, or can it?

    The new card has a new PIN, and a new card number, so the old card is definitely cancelled.
    • JuicyJesus, 10th Feb 17, 3:41 PM
    I assume a cloned card can't be used for Contactless, or can it?
    Originally posted by Pincher
    Nope. You can't make a cloned card that works with contactless.
    • badmemory, 11th Feb 17, 1:03 PM
    Where does the idea that you have to put your PIN number in after 3 or 4 transactions come from? The terms & conditions, if I remember correctly. So how come I used it for 7 transactions in a row without having to put my PIN number in? According to the T&Cs you should only ever have a maximum of 4 fraudulent contactless transactions, so how come some are still showing up years after?
    • nic_c, 11th Feb 17, 1:30 PM
    Where does the idea that you have to put your pin number in after 3 or 4 transactions come from? The terms & conditions if I remember correctly. So how come I used it for 7 transactions in a row without having to put my pin number in. According to the T & Cs you should only ever have a maximum of 4 fraudulent contactless transactions, so how come some are still showing up years after?
    Originally posted by badmemory
    Because if they are done by an offline reader it doesn't know and the transactions are simply uploaded and approved.
    • kjetilniki, 11th Feb 17, 3:53 PM
    Campaign for change
    What happens if your card gets stolen?

    If contactless, you are at risk as the thief can use it any number of times, although only £30 at a time.

    If not contactless it is chip and PIN only. In order to use it the thief would have to know your PIN number or be a professional thief with access to the ability to get the PIN number.

    On the internet in either case you are at risk as the thief has the back of the card for the 3-digit check number, although some banks do follow up with a check that requires the use of the PIN number as well.

    You are liable for up to £50 of fraudulent use. s83 of the Consumer Credit Act limits the loss through fraud to £50 and it is for the card company to prove it wasn't fraud.

    You get full protection from after you tell them.

    However initial losses for many people can cause very major hardship especially if you are living off £56pw (under 25 JSA income).

    Also in some cases the banks don't automatically pick up on contactless fraudulent use after notification and you may have to spot and reclaim for fraudulent use even months later.

    Solution

    Unless the bank agrees to no loss at all from fraudulent use, including fraudulent use before the credit token is reported stolen,

    the regulator should require:

    1. No one can issue a contactless credit token unless there is an option, without detriment, for a non-contactless credit token.

    2. No contactless credit token unless the consumer has agreed beforehand expressly for it to be contactless (no default).

    3. In any process the default option has to be for non-contactless.

    In the meantime everyone should refuse to have a contactless card and ask for their contactless to be replaced by a non-contactless version of their credit token.
    • kjetilniki, 11th Feb 17, 4:11 PM
    on MSE it is said
    "Richard Koch, head of policy at trade body the UK Cards Association, says:

    "Fraud on contactless cards is low. Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket." "


    Note there is no caveat.

    Either
    MSE has misquoted him
    OR
    there is a clear statement condition in the terms and conditions by each of the credit token companies to that effect
    OR
    he is incompetent
    OR
    he is knowingly making a misleading statement for effect and ignoring the caveats.
    • phillw, 12th Feb 17, 9:06 AM
    I just had to ask, and the cashier split the payment, so I paid Contactlessly twice. Why? Because I get 5% cash back with the TSB card, but only if I paid contactlessly.
    Originally posted by Pincher
    I had 5% too and most places wouldn't allow card payments to be split across cards; those that did would only allow contactless once and the others had to use a PIN. As the £30 limit is there to stop you doing exactly what you did, they may have violated the T&Cs of their payment processor if they did allow you.

    Because if they are done by an offline reader it doesn't know and the transactions are simply uploaded and approved.
    Originally posted by nic_c
    The card can know how many contactless transactions have been made since you last entered a PIN. It has local storage and computing power. If the cards don't track it then it's another flaw.
    Last edited by phillw; 12-02-2017 at 9:31 AM.
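As an added illustration (not code from MSE or from anyone in the thread), the simplified Python model below plays out the mechanism that nic_c, 20aday, Ben8282 and phillw describe between them: the offline terminal approving taps from a stale hot-card list, the card's own tap counter eventually forcing an online check that the issuer declines, and the fraud stopping once the terminal refreshes its list. The limit of four taps before the card insists on going online, and the card number, are constructed values for the demonstration.

```python
# Constructed simulation (not any real scheme's logic) of the thread's point: an
# offline terminal approves taps from a stale hot list, while the card's own tap
# counter eventually forces an online check that the issuer then declines.
from dataclasses import dataclass, field

CONTACTLESS_LIMIT_GBP = 30.00  # per-tap ceiling quoted in the thread
TAPS_BEFORE_ONLINE = 4         # assumed: taps allowed before the card insists on PIN/online

@dataclass
class Issuer:
    hot_cards: set = field(default_factory=set)  # cards reported lost or stolen
    def report_stolen(self, pan: str) -> None:
        self.hot_cards.add(pan)
    def authorise_online(self, pan: str) -> bool:
        return pan not in self.hot_cards

@dataclass
class Card:
    pan: str
    offline_taps: int = 0  # taps since the last successful online/PIN verification
    def insists_on_online(self) -> bool:
        return self.offline_taps >= TAPS_BEFORE_ONLINE

@dataclass
class Terminal:
    issuer: Issuer
    offline: bool                               # stores taps and uploads them later
    hot_list: set = field(default_factory=set)  # local copy of the issuer's hot-card file
    def refresh_hot_list(self) -> None:
        self.hot_list = set(self.issuer.hot_cards)
    def tap(self, card: Card, amount: float) -> str:
        if amount > CONTACTLESS_LIMIT_GBP:
            return "declined: over contactless limit"
        if card.pan in self.hot_list:
            return "declined: hot card"
        if self.offline and not card.insists_on_online():
            card.offline_taps += 1  # nothing here can tell that the card was cancelled
            return "approved offline"
        if self.issuer.authorise_online(card.pan):  # online path consults the hot-card file
            card.offline_taps = 0
            return "approved online"
        return "declined: online"

def run_scenario() -> list:
    # Card stolen and reported at once; returns (description, outcome) pairs.
    issuer, card = Issuer(), Card(pan="4111-CONSTRUCTED-0001")
    offline_till, online_till = Terminal(issuer, True), Terminal(issuer, False)
    offline_till.refresh_hot_list()  # last refresh happened before the theft
    issuer.report_stolen(card.pan)
    log = [("online tap £12.50", online_till.tap(card, 12.50))]
    for _ in range(TAPS_BEFORE_ONLINE):
        log.append(("offline tap £29.99", offline_till.tap(card, 29.99)))
    log.append(("offline tap once the counter is spent", offline_till.tap(card, 29.99)))
    offline_till.refresh_hot_list()  # terminal finally downloads the updated hot list
    log.append(("offline tap £5.00 after refresh", offline_till.tap(card, 5.00)))
    return log
```

Run `run_scenario()` to see the four offline approvals on a cancelled card, followed by the decline once the counter forces an online check and the decline once the terminal's hot list catches up; in this model the window closes only when one of those two controls fires.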