The never-ending saga of contactless card fraud

The never-ending saga of contactless card fraud

Security measures for the UK's contactless card programme have been derided as 'chaotic' after it emerged that customers can still be subject to fraudulent transactions up to eight months after reporting lost or stolen cards.

An investigation by consumer Website has discovered that customers whose lost or stolen contactless cards have been cancelled may need to comb through months of statements to check for fraudulent transactions.

MSE cites the case of subscriber Justin Robson who discovered that his Halifax cards - cancelled by his bank when stolen last November - were used to make a series of fraudulent contactless purchases eight months later.

The problem arises when tap and go card payments are authorised offline by retailers without first going through the bank's filters.

"Our investigation highlights a chaotic system in which banks are powerless to prevent cancelled cards being used by fraudsters, and don't even know when the fraud will end," says MSE. "And while some banks prevent accounts being raided by this type of fraud, others leave it to unsuspecting customers to spot dodgy payments - even though they can start happening months down the line."

Industry bodies say there are no readily available figures for the number of contactless cards lost or stolen every year, but there were 152,727 cases of fraud involving lost or stolen debit and credit cards reported in 2015.

The UK Cards Association states: "Fraud on contactless cards is rare and considerably lower than overall card fraud. Consumers are fully protected against any fraud losses and will not be left out of pocket.

"As always it is important to check bank or card statements regularly for any unusual transactions, especially if a card has been lost or stolen. When a customer reports a lost or stolen card they will be advised to report any transactions they do not recognise to their bank."

Comments: (5)

A Finextra member
A Finextra member 09 September, 2016, 12:18Be the first to give this comment the thumbs up 0 likes

What's the fuss? Consumers are protected, issuers are "OK" with that status quo.

A Finextra member
A Finextra member 09 September, 2016, 12:55Be the first to give this comment the thumbs up 0 likes

There's a lot of nonsense hype in the newpaper coverage but the fuss relates to offline authed contactless cards that remain active until expiry.  That means that a fraudster could enact a transation many months after the card was stolen and the customer has stopped being as vigilant on the account.

Yes they can get a refund but it might go unnoticed.

A Finextra member
A Finextra member 09 September, 2016, 13:073 likes 3 likes

It shouldn't go unnoticed by the bank.  Once a card has been reported as stolen the bank should be able to trap any offline-authed txns that turn up at a later date.  I don't see why it should be up to the cardholder to notice these.

And BTW all contactless cards [should] have a counter on the chip which forces the card to be dipped in a chip and pin terminal after a certain number of consecutive contactless txns.  Therefore its not quite true to say that they will remain active until expiry

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 09 September, 2016, 19:142 likes 2 likes

My bank will stop sending me statements after I cancel my credit card. How the heck do I "comb through months of statements to check for fraudulent transactions" that happen several months thereafter?

A Finextra member
A Finextra member 12 September, 2016, 07:221 like 1 like Dear Finextra mbr: Yes you are right on the trx counter that should allow only a few offline trx. Furthermore, the counter date on when last an online trx was made should block offline trx if no online trx for some weeks. If an issuer allows multiple offline trx to take place months after card cancellation snd slso posts these to the cardholder account, thos is close to criminal neglect! Customers should if so be cautioned before they start using cards from such careless issuers.