Banks race to fix security flaw in contactless cards as it's revealed that thieves can use them for MONTHS after they’ve been reported stolen
Banks are urgently trying to close a dangerous security loophole in millions of contactless debit and credit cards.
Virtually all ‘tap and pay’ cards – which can make purchases under £30 without the need for a PIN – can be used by thieves even after they are reported stolen.
In some cases, criminals have been able to use cards for up to eight months after they were cancelled, say watchdogs.
The problem stems from the fact contactless cards can authorise purchases ‘offline’. This means payments are automatically approved without the reader connecting to the customer’s bank to check a card is valid.
The use of contactless cards has soared in recent years and ‘tap and pay', accounting for one in four payments
Banks have refused to say how many times a card can be used after it has been cancelled, citing security reasons.
Some indicated the cards could only be used for a ‘low number’ of purchases up to the value of £50.
But lawyers say banks’ failure to warn customers about the security risk means they could be breaching industry regulations. Watchdog the Financial Conduct Authority said it was ‘urgently’ working to solve the problem.
A spokesman told the Daily Mail: ‘In a limited number of circumstances, it is possible for a cancelled contactless card to be used by fraudsters. While there are controls in place and the overall risk is low, the FCA has been urgently working with card schemes and banks to ensure this issue is fixed.’
The use of contactless cards has soared in recent years and ‘tap and pay’ now makes up one in four of all card payments.
There is a grey area regarding who takes responsibility for money that goes missing from a customer’s account after a contactless card is stolen. In theory, the bank should pick up the transactions and refund the money automatically, but it seems some expect the customer to spot them.
In some cases, banks do not even tell customers when their stolen card has been used. Andy Stamp, 34, a local councillor from Medway in Kent, said around £50 of transactions – including in McDonald’s and KFC – went through after he reported his debit card stolen.
Lawyers claim most customers have no idea about the security loophole. Cindy Dorrington, of London firm Bivonas Law, said: ‘The cards need to come with a warning. By not providing one the providers are being reckless.
‘Financial institutions are meant to have systems in place to prevent fraud but the way contactless payment cards are set up at the moment makes it very easy.
‘It seems to me that banks are in breach of their contract with the individual customer: that they should be doing everything they can to prevent fraud.’
Data from industry body Financial Fraud Action shows that 152,727 cards were lost or stolen in the UK in 2015. The longest recorded gap between cancellation and fraudulent contactless use was eight months.
The UK Cards Association, which speaks for banks and card firms, said: ‘Every card has an in-built security check which triggers the need to enter a PIN at certain points. While opportunistic fraud for a handful of low value payments remain rare, we are not complacent and are working with our members, the FCA and the card schemes, on ways to improve the already-robust security features for contactless cards.
While UK Cards Association says, customers will never be left out of pocket if they are the victim of this type of fraud, merchants such as shopkeepers and Taxi drivers are at the mercy of third party pay back schemes.