Welcome to the MSE Forums

    • MSE Faye
    • By MSE Faye 30th Mar 17, 6:47 AM
    • 146 Posts
    • 55 Thanks
    MSE Faye
    MSE News: Regulator to tackle contactless card security flaw after MSE investigation
    • #1
    • 30th Mar 17, 6:47 AM
    Bank customers who have cancelled a contactless card may no longer have to check statements for signs of fraud....
    Read the full story:
    'Regulator to tackle contactless card security flaw after MSE investigation'

    Last edited by MSE Faye; 07-04-2017 at 4:02 PM.
    • bigadaj
    • By bigadaj 30th Mar 17, 8:13 AM
    • 10,828 Posts
    • 7,162 Thanks
    bigadaj
    • #2
    • 30th Mar 17, 8:13 AM
    Surely you'd be a fool not to check your statements, for contactless fraud or any other sign of misuse or issue.
    • gavrc
    • By gavrc 30th Mar 17, 8:49 AM
    • 7,682 Posts
    • 823,233 Thanks
    gavrc
    • #3
    • 30th Mar 17, 8:49 AM
    Not much good if the stolen card is being used to buy low value items every now and then. Are you going to remember you didn't spend £2.48 in Tesco four weeks ago? The bank knows when the payment hit it if the card used is valid or not, ie if the payment is fraud or not. The money shouldn't be taken from your account if you've cancelled the card. You did your bit, anything after that is the bank's problem. Full stop.

    gav
    • muhandis
    • By muhandis 30th Mar 17, 8:55 AM
    • 592 Posts
    • 238 Thanks
    muhandis
    • #4
    • 30th Mar 17, 8:55 AM
    Exactly. The customer's responsibility ends when they inform the bank. It's good to see that the FCA is acting to make that crystal clear.

    Not much good if the stolen card is being used to buy low value items every now and then. Are you going to remember you didn't spend £2.48 in Tesco four weeks ago? The bank knows when the payment hit it if the card used is valid or not, ie if the payment is fraud or not. The money shouldn't be taken from your account if you've cancelled the card. You did your bit, anything after that is the bank's problem. Full stop.

    gav
    Originally posted by gavrc
    • StopIt
    • By StopIt 30th Mar 17, 9:01 AM
    • 1,392 Posts
    • 1,250 Thanks
    StopIt
    • #5
    • 30th Mar 17, 9:01 AM
    This must be the easiest flaw to solve I have ever seen.


    Just make contactless transactions online. Yes it'll take a few seconds longer (God forbid!) but means it'll then check the live hot files.


    The other steps become completely un-needed. Visa have the right idea.
    • eddddy
    • By eddddy 30th Mar 17, 10:09 AM
    • 7,895 Posts
    • 8,044 Thanks
    eddddy
    • #6
    • 30th Mar 17, 10:09 AM
    This must be the easiest flaw to solve I have ever seen.

    Just make contactless transactions online. Yes it'll take a few seconds longer (God forbid!) but means it'll then check the live hot files.

    The other steps become completely un-needed. Visa have the right idea.
    Originally posted by StopIt
    Not in all circumstances.

    London Underground entrance gates accept credit/debit contactless cards - they allow 40 passengers a minute through. And there are still queues at rush hour.

    Adding 2 seconds per passenger might cut throughput by half, and therefore double the queue lengths.

    All London buses accept contactless - online checking over a wireless data connection might take even longer than 2 seconds, and might be impossible if a bus stop is under a bridge etc.

    All London Black Cabs accept contactless - they may be dropping off a passenger in a place with no data signal.

    Many toll roads and bridges accept contactless - adding 2 seconds per vehicle would increase queuing times.



    On a broader level, the card networks, card issuers and the merchants have taken the decision that they will take the hit on fraud losses, because of the reduced costs and increased revenues generated by offline contactless transactions - which is fine.

    But the card issuers should be highlighting potentially fraudulent transactions to their customers, instead of just quietly slipping them on to their statements.
    Last edited by eddddy; 30-03-2017 at 10:12 AM.
    • StopIt
    • By StopIt 30th Mar 17, 10:53 AM
    • 1,392 Posts
    • 1,250 Thanks
    StopIt
    • #7
    • 30th Mar 17, 10:53 AM
    Not in all circumstances.

    London Underground entrance gates accept credit/debit contactless cards - they allow 40 passengers a minute through. And there are still queues at rush hour.

    Adding 2 seconds per passenger might cut throughput by half, and therefore double the queue lengths.

    All London buses accept contactless - online checking over a wireless data connection might take even longer than 2 seconds, and might be impossible if a bus stop is under a bridge etc.

    All London Black Cabs accept contactless - they may be dropping off a passenger in a place with no data signal.

    Many toll roads and bridges accept contactless - adding 2 seconds per vehicle would increase queuing times.



    On a broader level, the card networks, card issuers and the merchants have taken the decision that they will take the hit on fraud losses, because of the reduced costs and increased revenues generated by offline contactless transactions - which is fine.

    But the card issuers should be highlighting potentially fraudulent transactions to their customers, instead of just quietly slipping them on to their statements.
    Originally posted by eddddy

    Ah, London. Forgot about that.


    Edge case though. And easily identified too especially if you lose your card and suddenly someone decides to go on a binge of TFL related fun at your expense.
    • King Of Fools
    • By King Of Fools 30th Mar 17, 10:55 AM
    • 1,551 Posts
    • 599 Thanks
    King Of Fools
    • #8
    • 30th Mar 17, 10:55 AM
    Just make contactless transactions online. Yes it'll take a few seconds longer (God forbid!) but means it'll then check the live hot files.
    Originally posted by StopIt
    The work canteen uses contactless and offline transactions are instant. However, every so often it decides to do an online transaction and this takes about 30 seconds. I have no idea why it takes so long but the cashier always groans when it happens and says, "Not another one!"

    I hate to think what would happen if they all start taking 30 seconds.

    The obvious solution is to do the check before applying the charge to the bill, when you have the time and computing power to do it overnight.
    Last edited by King Of Fools; 30-03-2017 at 10:59 AM.
    • VT82
    • By VT82 30th Mar 17, 10:57 AM
    • 1,040 Posts
    • 878 Thanks
    VT82
    • #9
    • 30th Mar 17, 10:57 AM
    Seems like a very good result. An easy answer would have been to force banks to take the hit when offline payments are made on a stolen contactless card, by having them cross-reference against the list of cancelled cards and refunding them to the customer automatically.

    The whole raft of measures coming out of the investigation sounds like the FCA are going above and beyond to improve best practice across the board, out of what was really only a relatively minor issue. Good stuff MSE.
    • rtho782
    • By rtho782 30th Mar 17, 11:03 AM
    • 1,129 Posts
    • 820 Thanks
    rtho782
    To me, if the transaction is online or offline is an irrelevance. If a retailer wishes to process offline it should be down to their risk if they process a lost/stolen card. When the transaction is eventually processed, it should be blocked.

    Whoever takes the hit - retailer, bank, etc - it shouldn't be the customer.
    Deposit Saved since 01/12/15: £13,000 / £15,000 House Bought!

    Debt Cleared since 01/12/15: £6,000 / £7,500
    • James
    • By James 30th Mar 17, 11:12 AM
    • 2,014 Posts
    • 614 Thanks
    James
    Opt out of Contactless
    If YOU don't want a contactless card then can I suggest the following:

    Speak to your card issuer and ask them to furnish you with a non-contactless card. Some card issuers do this, others don't.

    If your card issuer can't issue you with a non-contactless card then have them record on your account that you will not be carrying out any contactless transactions. If a contactless transaction is recorded on your account then they should treat it as fraudulent. The ball is now in their court.

    I've done both the above. It's my choice, not necessarily everyone's, but it suits me. Just a suggestion.
    • RedDwarf82
    • By RedDwarf82 30th Mar 17, 11:25 AM
    • 133 Posts
    • 67 Thanks
    RedDwarf82
    "Finally some, but not all, card issuers have systems which identify and block cancelled card transactions before they are debited from customer accounts."

    Some card issuers charge customers for transactions they know (or they decide not to know) are fraudulent in the hope that the customer will not notice so they can keep the money... i.e. card issuers are committing fraud.

    "card issuers are committing fraud", can the FCA please say it (and then force them to refund it for customers that didn't notice, and finally fine them for it).
    • Reaper
    • By Reaper 30th Mar 17, 1:40 PM
    • 6,536 Posts
    • 4,891 Thanks
    Reaper
    A simple technical solution is to download the "Hot List" of cancelled cards to the terminals and update it on the occasions when it is online.

    7 million numbers might sound a lot but a simple list of digits doesn't take much space and can easily be compressed, and a sorted list should be speedy to check.

    Maybe that's the technical fix they refer to. I hope so.
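
Added example (not part of the original thread, and not any card scheme's or terminal vendor's code): a sketch of the terminal-side hot list described in the post above, held as a sorted packed array, checked by binary search and shipped delta-compressed. The function names are hypothetical and the card numbers are constructed, not real.

```python
import bisect
import random
from array import array

def build_hotlist(pans):
    """Sorted, de-duplicated cancelled card numbers packed as 8-byte ints."""
    return array("Q", sorted(set(pans)))

def is_cancelled(hotlist, pan):
    """Binary search: about 23 comparisons for a 7-million-entry list."""
    i = bisect.bisect_left(hotlist, pan)
    return i < len(hotlist) and hotlist[i] == pan

def compress(hotlist):
    """Delta + varint encoding: store the gaps between sorted neighbours."""
    out, prev = bytearray(), 0
    for pan in hotlist:
        gap = pan - prev
        prev = pan
        while gap >= 0x80:
            out.append((gap & 0x7F) | 0x80)  # low 7 bits, continuation flag set
            gap >>= 7
        out.append(gap)
    return bytes(out)

def decompress(blob):
    """Inverse of compress(): rebuild the sorted array from the gaps."""
    out, value, gap, shift = array("Q"), 0, 0, 0
    for byte in blob:
        gap |= (byte & 0x7F) << shift
        if byte & 0x80:
            shift += 7
        else:
            value += gap
            out.append(value)
            gap, shift = 0, 0
    return out

def sample_pans(n, seed=1):
    """Constructed 16-digit numbers under three made-up 6-digit prefixes."""
    rng = random.Random(seed)
    prefixes = (400000, 510000, 370000)
    return [rng.choice(prefixes) * 10**10 + rng.randrange(10**10) for _ in range(n)]

if __name__ == "__main__":
    hot = build_hotlist(sample_pans(20000))
    blob = compress(hot)
    print(len(hot) * hot.itemsize, "bytes raw,", len(blob), "bytes compressed")
    print(is_cancelled(hot, hot[123]), is_cancelled(hot, 9999999999999999))
```

At 8 bytes per entry, 7 million numbers is 56 MB before compression; the list is only as current as the terminal's last online update, so a card cancelled since then still passes the local check.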
    • miller
    • By miller 30th Mar 17, 1:41 PM
    • 1,309 Posts
    • 483 Thanks
    miller
    Seems like a very good result. An easy answer would have been to force banks to take the hit when offline payments are made on a stolen contactless card, by having them cross-reference against the list of cancelled cards and refunding them to the customer automatically.
    Originally posted by VT82
    AFAIUI this happens in the TfL cases mentioned earlier in this thread (at the gateline or bus validator) i.e. the card is checked against known stolen ones locally.
    • badmemory
    • By badmemory 30th Mar 17, 6:34 PM
    • 2,548 Posts
    • 4,025 Thanks
    badmemory
    A simple technical solution is to download the "Hot List" of cancelled cards to the terminals and update it on the occasions when it is online.
    Originally posted by Reaper
    Exactly.

    I would love to know just how many (or would it be the total value of) transactions before you need to put in your pin. They used to say 3 but is it actually 3, 6, 10 or even 20? I've easily made it to 6 before I've used it for over £30.

    With a cancelled card the banks know that it is fraudulent before it hits your account, therefore it should never actually hit your account. But if it didn't then they wouldn't stand a chance of slipping some through unnoticed.
    • Pincher
    • By Pincher 30th Mar 17, 11:23 PM
    • 6,516 Posts
    • 2,491 Thanks
    Pincher
    The Oyster card only allows me to charge up to about £80.

    Why don't they just make Contactless a voluntary charging facility?

    You use an ATM to charge or authorise a set limit, to suit your own lifestyle. If you know you use £30 a week on coffee etc. , you just have to top it up once a week at an ATM.

    Obviously, you can make the charged amount £0 for cards you don't want to use for Contactless.

    To go beyond the charged/authorised amount, when paying, you just use Chip and PIN.
    • miller
    • By miller 31st Mar 17, 10:39 AM
    • 1,309 Posts
    • 483 Thanks
    miller
    They certainly could make cards more configurable via an online interface/mobile app etc.
    • NJB62
    • By NJB62 5th Apr 17, 12:05 PM
    • 10 Posts
    • 1 Thanks
    NJB62
    I believe the best immediate resolve, is to transfer the credit balance to a splinter account (i.e. another account held with the same bank) via on-line banking.
    The lost contactless card would then be useless.
    • northwalesd
    • By northwalesd 5th Apr 17, 6:05 PM
    • 365 Posts
    • 281 Thanks
    northwalesd
    Why don't they just make Contactless a voluntary charging facility?
    Originally posted by Pincher
    I think if they did that, take up would be much lower than it has been so far. It's not a solution I'd use.
    • MSE Faye
    • By MSE Faye 7th Apr 17, 12:08 PM
    • 146 Posts
    • 55 Thanks
    MSE Faye
    Amex reviewing payment processes in bid to tackle contactless card security flaw
    The card scheme says it's "reviewing options" including one which would force almost all contactless payments 'online'...
    Read the full story:
    'Amex reviewing payment processes in bid to tackle contactless card security flaw'
