A security loophole that leaves contactless card users open to fraud will finally be closed as the Financial Conduct Authority (FCA) agrees to take action on the issue.
After a grilling from MPs on the Commons Treasury Select Committee, the regulator will get banks to address the flaw, which allows ‘tap and go’ payments on lost and stolen contactless cards to carry on long after they have been cancelled.
However, the UK Cards Association says that implementing measures to protect users will take until the end of June.
How the security flaw works
The security flaw lies in whether the contactless payment is processed ‘online’ or ‘offline’ by a business.
When payments are processed online, the card machine instantly contacts the customer’s bank to check for sufficient funds and, if a card has been cancelled, it will be flagged – so there is less risk of fraud.
However, if a payment is processed offline, the card machine stores up a batch of payments to process online later, so a cancelled card is not flagged at the point of sale. This is allowing criminals to get away with using stolen contactless cards long after they’ve been cancelled.
What’s more, some banks don’t inform customers when their cancelled card is used and don’t check whether it was the customer who made the payment.
This policy puts the onus on customers to spot fraudulent payments and get a refund, when it should be something the banks are looking out for.
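The bank-side check this points to, as an added example (not taken from the article or from any bank's system): when an offline batch finally arrives, compare each payment's tap time with the time the card was reported cancelled, and hold anything later for refund so the customer does not have to find it. The card identifiers, field names, amounts and times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Payment:
    card_id: str         # constructed token, not a real card number
    tapped_at: datetime  # when the card was presented at the terminal
    amount_pence: int


# Constructed sample: card -> time the customer reported it lost or stolen.
CANCELLED = {"card-A": datetime(2017, 3, 1, 9, 0)}

# Constructed offline batch, submitted by the terminal long after the taps.
BATCH = [
    Payment("card-A", datetime(2017, 3, 1, 8, 30), 450),    # before cancellation
    Payment("card-A", datetime(2017, 3, 1, 13, 15), 1999),  # after cancellation
    Payment("card-B", datetime(2017, 3, 1, 13, 20), 700),   # card never cancelled
    Payment("card-A", datetime(2017, 3, 2, 10, 5), 2500),   # next day, accepted offline
]


def settle_batch(batch, cancelled):
    """Split an offline batch into payments to post and payments to hold.

    A payment is held when the card was tapped at or after its cancellation
    time, which an online authorisation would have flagged at the terminal.
    """
    post, hold = [], []
    for p in batch:
        cancelled_at = cancelled.get(p.card_id)
        if cancelled_at is not None and p.tapped_at >= cancelled_at:
            hold.append(p)
        else:
            post.append(p)
    return post, hold


def refund_due(held):
    """Total held amount per card, in pence, for proactive refund."""
    totals = {}
    for p in held:
        totals[p.card_id] = totals.get(p.card_id, 0) + p.amount_pence
    return totals


if __name__ == "__main__":
    posted, held = settle_batch(BATCH, CANCELLED)
    print(len(posted), "posted;", refund_due(held), "held for refund")
```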
Andrew Tyrie MP, Chairman of the Treasury Committee, said: “As things stand, in order to mitigate the risk of fraud, customers are expected to comb through their bank statements months after they have instructed their banks to block their lost or stolen cards.
“That seems unreasonable. The Treasury Committee has urged the FCA to sort this out.
“One of the FCA’s operational objectives is to ‘secure an appropriate degree of protection for consumers’. The Committee will do what it can to hold the FCA to it.”
What’s going to happen?
John Griffith-Jones, chairman of the FCA, set out the action it will take to better protect contactless card users in a letter to the Commons Treasury Select Committee.
He stated its top priorities were to "remove any onus on customers to identify fraudulent transactions" and to work on "technical enhancements to reduce the likelihood of post-cancellation contactless fraud" with the industry.
He also said the FCA was exploring making the option not to have a contactless card more visible during card issuing, and providing more information on the clearing times for contactless payments.
The Commons Treasury Select Committee said banks were leaving customers in an ‘unacceptable situation’ and the problem needed to be dealt with urgently.
Rachel Reeves MP, a member of the Treasury Committee, said: “The security flaws that allow fraudsters to use contactless cards even after they have been cancelled need to be tackled urgently.
“Customers are in the unacceptable situation that they are still vulnerable to fraudulent transactions - despite reporting their cards lost or stolen.”
However, the industry doesn’t seem to be in a hurry to rectify the problem, with measures to address it due to be implemented by the end of June.
Do you have to use a contactless card?
Most banks now issue contactless cards unless instructed otherwise.
Lloyds, Halifax, Barclays, HSBC, Nationwide, Santander and TSB say they give customers a choice at sign-up and would swap a contactless card for a contact card if a customer requested it.
However, Barclaycard, Royal Bank of Scotland and NatWest only offer contactless cards and customers don’t have the choice to opt out.
A Barclaycard spokesperson said: “Barclaycard does not offer non-contactless credit cards as we believe contactless payments are integral to ensuring our customers are able to pay conveniently, securely and quickly for small value items if they choose to use this function.
“If a customer’s card is lost or stolen they are always protected against any fraudulent activity. Should a fraudulent transaction take place, Barclaycard will automatically provide a refund to the customer after their card is cancelled.”
Are contactless cards safe?
Contactless card fraud is low. The FCA reports it stood at 0.027% of transactions by value in 2016, down from 0.036% in 2015.
Even though payments don’t require a PIN, card issuers limit the number of contactless transactions that can be made in a day before a PIN is asked for, in order to prevent fraud.
Fraudulent activity via contactless cards is covered by the same rules that apply to other card payments. So, if you fall victim, your bank should refund you the money as long as it wasn’t down to your own negligence.
However, there is some evidence that fraudsters are using contactless card readers to steal details from people to perform transactions in certain online stores.
A metal case can help keep this information safe from scammers, and tin foil is known to be just as effective at preventing the card from being read.