Banks race to fix security f law in tap and pay cards
Thieves can use them for MONTHS after they’ve been reported stolen
BANKS are urgently trying to close a dangerous security loophole in millions of contactless debit and credit cards.
Virtually all ‘tap and pay’ cards – which can make purchases under £30 without the need for a PIN – can be used by thieves after they are reported stolen.
In some cases, criminals have been able to use cards for up to eight months after they were cancelled, say watchdogs.
The problem stems from the fact contactless cards can authorise purchases ‘offline’. This means payments are automatically approved without the till connecting to the customer’s bank to check a card is valid.
Banks have refused to say how many times a card can be used after it has been cancelled, citing security reasons.
Some indicated the cards could only be used for a ‘low number’ of purchases up to the value of £50.
But lawyers say banks’ failure to warn customers about the security risk means they could be breaching industry regulations. Watchdog the Financial Conduct Authority said it was ‘urgently’ working to solve the problem.
A spokesman told the Daily Mail: ‘In a limited number of circumstances, it is possible for a cancelled contactless card to be used by fraudsters. While there are controls in place and the overall risk is low, the FCA has been urgently working with card schemes and banks to ensure this issue is fixed.’
The use of contactless cards has soared in recent years and ‘tap and pay’ now makes up one in four of all card payments.
There is a grey area regarding who takes responsibility for money that goes missing from a customer’s account after a contactless card is stolen. In theory, the bank should pick up the transactions and refund the money automatically, but it seems some expect the customer to spot them.
In some cases, banks do not even tell customers when their stolen card has been used. Andy Stamp, 34, a local councillor from Medway in Kent, said around £50 of transactions – including in McDonald’s and KFC – went through after he reported his debit card stolen.
Lawyers claim most customers have no idea about the security loophole. Cindy Dorrington, of London firm Bivonas Law, said: ‘The cards need to come with a warning. By not providing one the providers are being reckless.
‘Financial institutions are meant to have systems in place to prevent fraud but the way contactless payment cards are set up at the moment makes it very easy.
‘It seems to me that banks are in breach of their contract with the individual customer: that they should be doing everything they can to prevent fraud.’
Data from industry body Financial Fraud Action shows that 152,727 cards were lost or stolen in the UK in 2015. The longest recorded gap between cancellation and fraudulent contactless use was eight months.
The UK Cards Association, which speaks for banks and card firms, said: ‘Every card has an in-built security check which triggers the need to enter a PIN at certain points. While opportunistic fraud for a handful of low value payments remain rare, we are not complacent and are working with our members, the FCA and the card schemes, on ways to improve the alreadyrobust security features for contactless cards.
‘Customers ... will never be left out of pocket if they are the victim of this type of fraud.’