Contactless crooks cashing in thanks to ‘double tap’ trick
A SECURITY loophole is allowing fraudsters to break the £30 spending limit for contactless bank cards.
Banks and retailers are allowing customers to cover a single bill of more than £60 by making several ‘tap-and-go’ payments of £30 each.
Experts have warned this is making it easy for criminals to make more expensive purchases on stolen cards.
Contactless cards give customers the convenience of paying for items without having to input their Personal Identification Number (PIN). Instead, they simply tap their card on the payment terminal. A £30 contactless spending limit is imposed by the banks for each purchase to protect customers if their card is stolen.
But a shopping exercise by the Daily Mail discovered just how easy it is to break this limit.
A reporter used a Royal Bank of Scotland debit card to buy a £49.99 dress and a £19.99 skirt from the clothing chain Zara with two tap-and-go payments of £30 and another for £9.98.
Waitrose took two contactless payments of £30 and £10 for a £40 electric toothbrush.
Another reporter used his Santander debit card to pay for a £60.98 meal from a high street Indian restaurant chain in three taps of £20.34, £20.32 and £20.32.
A £40.10 shopping bill at Whole Foods supermarket was allowed in two payments of £30 and £10.10. And the Mail also used a Tesco credit card to pay for a £50.63 restaurant meal in two payments of £25.62 and £25.01.
In contrast, attempts to make multiple tap-and-go payments for a purchase at Marks and Spencer and Sainsbury’s were refused by staff or the second payment declined by the card machine. David Emm, of the internet security consultancy Kaspersky Lab, said: ‘The whole point of the limit is it reduces the scope of any loss if there is any criminal activity.
‘This loophole makes a mockery of the limit and gives criminals more scope to go on a spending spree with a stolen card before the customer gets the chance to report it.
‘It sounds as if [banks] are exploiting this loophole that is there by accident or design but retailers should be enforcing the limit too.’
Wes Streeting, a Labour member of the Treasury committee, said: ‘This is ludicrous. The £30 limit is there because the banks recognise these cards make it easier for criminals to steal our money. If people can tap their card multiple times for the same purchase the limit is clearly rendered meaningless.’
Banks are obliged to refund customers for money fraudulently taken from their account unless they are deemed to have been careless with their card, PIN or account details. Guy Anker, of the consumer website Moneysavingexpert, said: ‘Limits are there for people’s protection. The industry needs to get its act together.’
UK Finance, which represents banks, said contactless cards have an inbuilt security feature that means account holders are required from time to time to enter their PIN.
It added tougher rules are being introduced to require customers to enter their PIN after every five contactless payments or once they have spent £130.
It said fraud on contactless cards was ‘low’ with £10.2million of losses on £38billion of spending in the first half of the year.
Santander said: ‘We use a very sophisticated model to detect unusual transactions based on each customer’s regular spending patterns and a number of other factors.
‘ In this instance [the Mail reporter’s transaction] there was not enough to trigger additional checks.’
Responding to the toothbrush purchase, a Waitrose spokesman said: ‘This should not have happened and was clearly an error by one individual.
‘We will be reminding our partners that they shouldn’t accept more than one contactless payment on the same card within a single transaction.’
Zara declined to comment. Whole Foods was contacted.
‘It gives criminals more scope’