Contactless cards
Modern ‘tap-and-go’ bank cards are so very convenient and almost everyone’s got one. But read how fraudsters can steal YOUR details just by standing close to you — and ask yourself . . .
BETHAN DAVIES considers herself a pretty savvy consumer. The 37-year- old communications director, checks her bank balances each month and uses cash for daily transactions to help her budget while she saves to buy her own home.
A recent incident, however, has made her even more careful. On a night out with friends in London’s West End, she lost her contactless debit card.
‘It was either lost or possibly stolen from my back pocket,’ she says. ‘We’d gone out to dinner and then on to a bar. Because I use contactless so much, I do tend to put my card in my back pocket — it’s just so much easier.’ Bethan didn’t realise it was missing until early the next morning and immediately called her bank, HSBC.
‘The bank told me that no transactions had gone through during the evening. I thought, thank goodness, I’ve sorted it out before anything happened.’ Her card was cancelled and a new one sent out. No harm was done — though she vowed to stop putting her card in her back pocket.
But then something rather strange happened.
About a week later, while checking her bank account online, she noticed a series of small purchases.
‘I was sure at first that I hadn’t made them,’ she says. ‘Some were just £2 or £3 and all were under £20 at places like Tesco, or a takeaway chicken shop. That couldn’t be me, I thought — I can’t remember the last time I went to a chicken shop. And there was a payment at a dog grooming parlour, and I do have a dog — but he’s a beautiful mutt and not the sort of dog you groom.’
The purchases, all made by someone else, added up to well over £100. But because they had all been under the contactless limit of £30, they had gone through — even though the card had been cancelled.
When Ms Davies queried this with her bank, she learned that it was a ‘quirk’ of contactless technology. Incredibly, in a small number of cases, a cancelled card used to continue to function for a time and no one was exactly sure why.
While banks will refund any losses incurred after the card has been cancelled, her experience is just one alarming example of contactless fraud, now the fastest growing area of card fraud in the UK. The technology makes consumers vulnerable in several ways.
Contactless has become the default for nearly all debit and most credit cards in Britain. In the space of three years the number of cards has doubled, from 59 million in the UK in 2015 to 119 million by the end of 2017. Undeniably convenient — you just tap the card on a reader without having to type in a PIN — they have been welcomed by banks and retailers.
Shopkeepers like them because their ease of use seems to encourage consumers to spend a bit more money. Banks like them because as people use contactless more, they use cash less, and handling notes and coins is cumbersome and expensive. But the rise of contactless has led to the relentless rise of contactless fraud.
FIGURES published this month show that losses — such as that experienced by Ms Davies — climbed to £ 14 million last year, up from £6.9 million the previous year and £2.8 million in 2015, according to Financial Fraud Action UK. For the first time, contactless fraud has overtaken cheque fraud, which totalled £9.8 million last year.
UK Finance, which represents banks and card issuers and also runs Financial Fraud Action UK, says the statistic is to be expected. Fewer people are writing cheques and contactless is very popular. They add that contactless fraud is — in relative terms — a small problem.
Not so, say other financial experts. With £52 billion spent on contactless cards last year, they believe the official fraud figures are a significant underestimate.
And when one of the most senior women in the City lets it be known that she does not use contactless, then perhaps it’s time we all thought again about our blase use of the technology. Last month Victoria Cleland, chief cashier of the Bank of England, whose signature is on every banknote, said: ‘I do hear stories of friends — this is a personal anecdote, this isn’t the official Bank view — whose money has been taken off contactless when you walk past something.
‘And it’s only up to £30. So I use cash for lower transactions anyway and for big ones contactless wouldn’t work.’
Can this really be true? Can money be ‘taken off’ your contactless card by a ‘ digital pickpocket’, standing beside you with a card reader?
In theory at least, it can — and quite easily.
To realise how, one needs to understand the technology behind contactless cards.
When you tap one on a reader in a shop, or when you get on a bus, your card details are transferred to the reader wirelessly using a radio wave.
The banking industry insists that someone needs to be within two inches of the reader for it to work. But research challenges that claim.
In a study published in the Journal of Engineering in 2013, scientists at the University of Surrey said they had ‘ successfully received contactless transmission from distances of 18 to 31 inches . . .’
So, anyone with a hand-held card reader — what waiters use when you pay your bill — could key in sums up to £30 and take money off your card by standing close to you.
In practice, however, nearly all experts say this sort of ‘digital pickpocketing’ is highly unlikely. That’s not because it’s not possible — simply that it’s likely that a criminal would be caught.
Katy Worobec, managing director of economic crime at UK Finance, explains that for someone to get hold of a ‘ merchant’s terminal’ — the type of reader retailers use to take cash from your card — would require being registered as a retailer and going through security checks.
And anyone who used such a device to steal cash would be traceable. ‘We have never seen an incident reported, where someone has lost money in that way,’ she says.
But stealing cash from someone’s card contactlessly is not the only problem. The biggest threat to consumers is having their contactless card details ‘skimmed’ — when a fraudster doesn’t steal cash, but
takes card details — using a simple bit of kit which you can buy, legally, for £20 on eBay. Or even simpler, you can download an app onto a mobile phone and use the phone as a card reader. They don’t take cash but do read card details.
‘It’s a dinner party trick of mine,’ explains Nigel Swabey, an entrepreneur who runs mail order company, Scotts of Stow and has an interest in card fraud. ‘You hold up the phone to the pocket of a guest and say: “Ah, it’s an Amex, I see. Your number is this, and your expiry date is this.” They freak out.’
It works like this. The latest smartphones have contactless technology in-built so they can double up as contactless cards — so instead of tapping a card on a reader, we can tap our phones. But that same technology also means some phones can double as a phone reader, courtesy of an app called ‘credit card reader NFC’. It is completely legal and free.
Mr Swabey believes contactless cards are skimmed on a regular basis — and card details sold to criminals, who use them to either clone a card or make fraudulent purchases. SuCh
is his concern — and seeing a marketing opportunity — he bought the European rights to an Australian-designed wallet, called Skim Guard, which has a chip embedded into it. It can tell if any device is trying to connect with the contactless cards inside the wallet and jam the signal.
Many other (usually simpler) protection wallets are available, and have been given out by Police Scotland at the Edinburgh Festival, while various councils, including St Albans, have issued them to residents.
Despite this, the banks continue to dismiss such concerns and claim wallet manufacturers and retailers are whipping up conspiracy theories. What is not in doubt is that it requires only a very simple bit of kit to read the long card number and the expiry date off any contactless card if you are within a few inches of it.
The banks do concede this is a potential risk, but also maintain that having just the long card number and expiry date is pretty useless to criminals.
‘While it may be possible to copy the information off the card, it doesn’t get you anywhere,’ says Ms Worobec at uK Finance. ‘There are very limited circumstances you can use this in. Most retailers require the security, or CVV, number on the back.’ Yes, most online retailers insist you give the CVV code — the three digit security code on the back of the card which can’t be read by a skimmer. But not all do — including the uK’s fifth largest retailer, Amazon.
You can type in any name and address, provide the long card number and expiry date of a card and buy something of any value — well over £30.
The retailer does not necessarily cross-reference the card number with any billing address. Similarly, many non-uK websites do not ask for a CVV.
In a 2015 investigation consumer organisation Which? used a simple card-reading device to skim details off ten cards. Even without the names of the cardholders and the CVV code, the Which? team were able to make two purchases, one for a £3,000 TV online.
Experts believe criminals are exploiting contactless technology to steal tens of thousands of card details which they sell to be used on ‘cloned’ cards overseas. In Africa, Asia and America, card security is not as strict as in Europe and for most purchases all that is needed is the long card number and the expiry date.
Aggie Leighton, 36, from West London, believes this happened to her. The IT manager, who also runs money-saving website Savvycomper, received a text from her bank, Barclays, to warn her she had gone overdrawn. ‘I couldn’t work it out. Nearly £800 had left my account in the space of a few hours, while I had been asleep,’ she says.
When she checked her account online, she found eight transactions had been made — in Chicago. ‘The first had been a small amount at a petrol station, but then the fraudster went to a shop and restaurant. It looked like they went on a real spending spree.’
Ms Leighton had never been to the u.S., let alone Chicago. She is convinced her card was cloned by a criminal who had obtained her card details via an electronic skimmer. ‘I can’t be 100 per cent sure,’ she says. ‘But it was around this time that I started to use my contactless card on the London underground, so I had my card out a lot of the time.’
She was reimbursed the full amount, although it took numerous phone calls and bank visits.
Significantly, Ms Leighton’s case — a victim whose card was cloned and used overseas — is not recorded under contactless card figures.
The banks record this type of crime as ‘card not present’ or ‘remote card’ fraud, not ‘contactless’ — despite contactless technology, in all probability, allowing it to happen.
Last year, this type of fraud totalled £409 million — overshadowing the official uK contactless fraud figure of £14 million.
It is, for the moment, impossible to say what proportion of this larger figure was due to criminals here electronically skimming the contactless cards of shoppers, commuters and tourists in Britain, and then selling the numbers. MANY
experts believe contactless security needs to be beefed up — including Ross Anderson, a former banking industry security consultant and now a professor of security engineering at the Computer Laboratory at Cambridge university.
‘The problem is the banks only count as fraud what they admit is fraud. Even in the official figures, contactless fraud is the fastest form of fraud in the uK,’ he says. ‘People should worry about this.’
Not least because the money lost by consumers and banks is going to increase. The contactless card limit has risen rapidly from £10, when cards were launched ten years ago, to £20 and now £30. Many banks are talking about
raising it to £40 or £50. Sarah Lewis, head of ID and fraud decision strategy at Equifax uK, the credit checking agency, says: ‘I do understand that people want things quicker, and it’s great for many consumers, but there is an element of risk. The fewer barriers you put in front of the fraudster the easier it is for them.’
Contactless has been great for many consumers — but it has also been a bonanza for criminals, and until banks start taking it more seriously, nothing will change.