Thieves can use tap and go cards YEARS after you cancel them
An astonishing security flaw in contactless cards has left millions of people vulnerable to fraudsters.
Criminals can make payments on ‘tap and go’ cards months or even years after they have been cancelled by their owners, an investigation found.
Last night an MP said the flaw – which was exposed by finance website Moneysavingexpert – was ‘deeply worrying’ and showed banks are taking a ‘cavalier’ attitude towards fraud.
It also emerged that Britain’s biggest banks were aware of the problem but have failed to alert the public.
Shockingly, some banks will not spot the fraudulent payments on their systems and it is up to customers to check old statements. Only then, if a fraud is detected and reported, will the banks refund a customer.
The root of the security failure is that payments made on contactless cards can be processed ‘online’ and ‘offline’. When payments are processed online, the card and payment machine immediately communicate with the customer’s bank to check for sufficient funds in the customer’s bank account. If a card has been cancelled due to being lost or stolen, this will be flagged immediately and a payment won’t be allowed. But smaller payments generally take place ‘offline’.
This means the transaction is authorised at the payment terminal and not by the bank.
These payments are stored in a batch by the retailer and then only processed ‘online’ to the bank at a later point. Usually this happens overnight in the case of big retailers, but with smaller stores it could take a few days. This allows a thief to buy goods on a stolen card undetected.
Most banks then fail to check these batch payments to ensure the contactless card has not been cancelled.
Barclaycard, Barclays, First Direct, Halifax, HSBC, Lloyds, Nationwide, NatWest, Royal Bank of Scotland and Santander are just some of the banks which confirmed that their contactless cards can still be used after they have been cancelled.
All of them apart from Barclays and Santander also confirmed they do not always check with customers that they made the payment, if it was on a cancelled card. This means that fraudsters can still raid people’s bank accounts months, or even years, after cards are cancelled.
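The check described above as missing, sketched as an added example (it is not from the article or from any bank's system): an issuer screens each record in a retailer's batch against the time the card was cancelled. The record fields, the three outcomes and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ClearingRecord:            # hypothetical shape of one entry in a retailer's batch
    card_id: str
    amount_pence: int
    taken_at: datetime           # when the card was tapped at the terminal
    offline: bool                # True: authorised at the terminal, not by the bank

def screen_batch(batch, cancelled_at):
    """Split a batch into 'settle', 'review' and 'hold_and_notify'.

    cancelled_at maps card_id -> time the customer cancelled that card.
    """
    out = {"settle": [], "review": [], "hold_and_notify": []}
    for rec in batch:
        cancelled = cancelled_at.get(rec.card_id)
        if cancelled is None:
            out["settle"].append(rec)             # card is still live
        elif rec.taken_at >= cancelled:
            out["hold_and_notify"].append(rec)    # tapped after cancellation
        elif rec.offline:
            out["review"].append(rec)             # before cancellation, but the bank never saw it
        else:
            out["settle"].append(rec)             # bank approved it online while the card was live
    return out

# Constructed sample data: card-B was cancelled on 10 January 2016.
CANCELLED_AT = {"card-B": datetime(2016, 1, 10, 9, 0)}
SAMPLE_BATCH = [
    ClearingRecord("card-A", 1200, datetime(2016, 9, 2, 8, 5), offline=True),
    ClearingRecord("card-B", 2500, datetime(2016, 1, 5, 13, 0), offline=False),
    ClearingRecord("card-B", 899, datetime(2016, 1, 9, 18, 30), offline=True),
    ClearingRecord("card-B", 2999, datetime(2016, 9, 2, 12, 15), offline=True),
]

if __name__ == "__main__":
    for outcome, records in screen_batch(SAMPLE_BATCH, CANCELLED_AT).items():
        print(outcome, [(r.card_id, r.amount_pence) for r in records])
```

The 'review' outcome covers a tap made offline shortly before the cancellation time, which may be the cardholder's own purchase or may date from after the card went missing.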
Moneysavingexpert said it was first alerted to the security failure by a user of the website.
Justin Robson, 42, cancelled his stolen Halifax credit cards last November – but only spotted three fraudulent contactless payments eight months later.
However, the computer engineer, from Congleton, Cheshire, was told by the bank they could not stop any future payments until the card expired. He said: ‘As far as they are concerned they can carry on until the expiry date runs out which is alarming.’
More than 90 million contactless cards are in circulation and £9billion was spent on them in the first half of this year – outstripping contactless spending in the whole of 2015.
Persistent security fears over the cards, which have a £30 spend limit, have been played down by the banking industry which has insisted they pose minimal risk for customers.
But Labour MP John Mann, a member of the Commons’ Treasury Committee, said banks could not ignore this latest security alarm and called on regulators to launch an investigation.
He said: ‘This will be a shock to many people.
‘We urgently need an explanation from the banks. This must be sorted out immediately. This looks like very cavalier behaviour by the banks.’
Steve Nowottny, from Moneysavingexpert, said: ‘Most cardholders will be frankly astonished to learn that they’re still at risk of contactless fraud months after cancelling lost or stolen cards – and the implications are worrying and wide-ranging.’
Banks are legally obliged to refund customers if a fraudulent payment has been made from their bank account. But consumer campaigners fear many customers won’t even be aware their account has been raided as the sums are relatively small.
Last night a spokesman for The UK Cards Association, which represents the banks, said: ‘Fraud on contactless cards is rare and considerably lower than overall card fraud. Consumers are fully protected against any fraud losses.’