Fraud alert over new tap and pay bank cards: Thieves use scanners to steal account details - even when contactless card is in your wallet
- Contactless cards could be exposing millions of customers to risk of fraud
- Thieves holding scanners can capture details and use for online purchases
- Scanners held near till transaction can pick up data from card, posing risk
- At least 58million contactless cards are currently in circulation in Britain
Contactless bank cards may be exposing millions of customers to the risk of fraud.
Tests show that thieves armed with scanners can capture the numbers and expiry dates on the cards and use them for online purchases. Touted as a boon for shoppers making small transactions, the ‘tap and pay’ cards do not need a PIN number. Instead they have a tiny antenna that links with a till terminal through near-field communication, or NFC. But a scanner held nearby can pick up this NFC data, according to the consumer group Which?.
Its researchers tested ten cards – six debit and four credit – and found all of them had the security flaw. ‘Using a reader and free software to decode data, we were able to read the card number and expiry date from all ten,’ Which? reported. ‘Some cards revealed certain details of the last ten transactions, but no cards revealed the CVV security code – the number on the back.
‘We doubted we’d be able to make purchases without the cardholder’s name or CVV code, but we were wrong. ‘We ordered two items – one a £3,000 TV – from a mainstream online shop using “stolen” card details, combined with a false name and address. We’ve alerted the store involved.
‘By touching volunteers’ cards to our card reader, we got enough details to go on an internet spree.’
At least 58million of the cards are in circulation, with total spending reaching £2.32billion last year. The £20 purchase limit is to rise to £30 in September but there is no maximum online. Which? said that 90 per cent of its members have contactless cards.
Peter Eisenegger, a privacy standards expert at the National Consumers Federation, said: ‘It may be possible for a small percentage of cards to be read 15-20cm from the reader. Even if this was to occur in 0.1 per cent of cases, with more than 300million transactions taking place last year, many consumers could be affected. ‘It’s vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.’
The UK Cards Association, which speaks for the banks, admitted that although levels of encryption have increased, it is possible for card details to be read remotely. It stressed the value of security features, such as Verified By Visa, where the bank requires online shoppers to answer security questions before a purchase is authorised.
Which? said: ‘This may stop some transactions, but our tests suggest that some online shops sacrifice financial security in favour of an easier checkout. ‘Presumably they believe the increased sales outweigh the chargebacks they’ll incur from banks if the store’s lack of security is to blame for a fraud.’
There is some research to suggest the scanners can capture the card details simply by being held close to a handbag or wallet while positioned near people in a shop or standing in a queue. In theory, the distance between the card and scanner should be no more than 5cm to guarantee a connection, but experts have found they can operate over a wider range.
Richard Koch, of the UK Cards Association, said: ‘Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket. ‘Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower even than overall card fraud. The method shown by Which? is not a new discovery. However, any such technology can only obtain the card number and expiry date – information that has always been available simply by looking at the front of a card. ‘The vast majority of online retailers require additional data such as the card security code, along with the cardholder’s address, which cannot be harvested electronically.’
Q&A: CAN YOU AVOID THE SCAM?
Can you stop your card details being scanned by a criminal?
Some firms sell protective metal wallets that are designed to stop a scanner picking up the card details. Tests by Which? also found that wrapping the card in tin foil kept the details secure.
What protection is in place against accidental payments being made?
The cashier needs to activate the terminal (or you need to select this option yourself at a self-service till) to accept contactless payments, reducing the risk of mistakes. To avoid paying with the wrong card or making a double payment, always touch the card to the reader – don’t wave your wallet or purse over it.
If a thief steals my card, or copies my card details, will my bank reimburse me?
In theory, yes. Card providers should reimburse victims of contactless fraud, as long as customers have taken ‘all reasonable steps’ to keep their card safe. With fraudulent transactions it is the responsibility of the card provider to prove that you authorised the payment or were negligent. If it cannot, then it must reimburse you.