New research from Which? has revealed contactless cards, which allow you to tap and pay without entering a Pin, are leaving users vulnerable to fraud.

The consumer group found someone standing close by to someone with a contactless enabled card can easily ‘lift’ sensitive account details using card readers readily available online.

However, Which? says this can be prevented by wrapping your wallet lining or individual card in tin foil, as this can deflect the reader and shield the card, even when a crook is in close range. A more refined metal card holder, available from retailers like Amazon, will also do the trick.

Which? also suggests taking the card you wish to make a payment with out of your purse or wallet in order to avoid mishaps like paying twice or with the wrong one.

There are now 58 million contactless cards in circulation in the UK, which allow transactions up to £20 without a Pin.

[Related story: New Post Office credit card offers 25 months interest free on spending]

How it was tested

Which? tested 10 cards (six debit, four credit) provided by a group of volunteers.

From there, it was just case of buying an ‘easily obtainable’ reader and downloading free software. The reader was able to remotely pick up the card number and expiry date from all 10 cards along with limited details from previous transactions, though none revealed the security (CVV) code on the back.

This method of data theft was first reported two years ago, according to Richard Koch of the UK Cards Association, adding that you can only get information that’s on front of the card, such as the card number and expiry date.

He says that for the majority of retailers you’d need the security code and the cardholder’s address to make a fraudulent purchase online, neither of which can be accessed electronically.

Worryingly, this didn’t matter in some cases as the Which? researchers were able to make purchases without that all-important CVV code.

Two items were bought, including a £3,000 TV from a mainstream online shop. What’s more, they were using a fake name and address as well as stolen card details.

Minimal risk

The UK Cards Association says that although contactless encryption levels have increased, it’s still possible for cards to be read remotely.

From 1st September, the contactless transaction limit will rise to £30. However, online transactions have an unlimited transaction amount as they are not contactless so web purchases are more liable to be made fraudulently.

According to the most recent statistics, the amount of money lost to fraud is 0.7p for every £100 spent on contactless – less than on non-contactless cards overall.

There’s full protection against fraud losses on contactless cards anyway. Your provider will refund money lost through fraudulent contactless payments, as long as you have acted reasonably to keep your card safe.

Earn up to 5% interest on your money: compare current accounts