Three banks allow thieves a contactless spreeWe reveal cards used to spend more than £200 each

18 November 2016

Contactless cards

Three banks allowed us to spend more than £200 on 'stolen' contactless debit cards

A new Which? investigation reveals that three banks are doing less than the rest to limit spending on stolen contactless cards. 

We surveyed 1,066 people about their views on contactless cards. While 73% of the public think having a contactless card makes it quicker to pay for items, 69% are concerned about their contactless card being stolen and used.

If your contactless card does fall into the wrong hands, two obvious security safeguards are the £30-per-transaction limit, and the need to enter a Pin after a certain number of purchases. But our investigation revealed holes in these safeguards.

The banks that should do more 

We ‘stole’ 12 contactless credit and debit cards to see how much a thief could spend unchecked. Our volunteers used tap-and-pay cards in high street shops continuously until they were asked for a Pin, or the card was blocked. We asked them to spend between £20 and £30 (the contactless limit) each time.

Three banks – Barclays, the Co-operative Bank and TSB – let us spend more than £200 through 10 consecutive transactions in just a few hours on debit cards, and we were never asked for a Pin.

The Co-operative Bank and Barclays say that customers will be asked for a Pin ‘from time to time’, or ‘if someone makes several contactless payments in a row’. But our researchers made 10 in a row unchecked and a real thief might well have continued. 

TSB says contactless is ‘as safe as using chip and Pin’. Our tests suggest otherwise.

Other contactless cards

In contrast, the credit cards we tested from Barclaycard, Halifax and Santander, plus the debit cards from First Direct, HSBC, Lloyds, NatWest, Nationwide and Santander, either asked for a Pin, or blocked the card, after three to five consecutive transactions.

Barclaycard, Nationwide and Santander also called or texted the card owner to check the transactions were genuine. 

None of our testers found these extra checks onerous, which begs the question why the other three don’t seem to use them in the same way.

Refunds for victims of card fraud

Banks seem happy to shoulder the risk of contactless fraud.

The Co-operative Bank said that the contactless function involves a risk to the bank, which is closely controlled and monitored. TSB said its debit cardholders are no more vulnerable to contactless fraud than customers of other UK card issuers, and that the benefits far outweigh the amount of fraud. 

Barclays told us that all transactions made after a card is reported lost or stolen are checked with the customer and will not appear on their account if fraudulent.

But our research into card fraud last year found that many victims can wait up to a month to get their money back, and banks sometimes wrongly refuse refunds altogether. 

Can you opt-out of contactless cards?

If you’re worried about contactless card fraud, keep a close eye on bank statements and report an unauthorised payment as soon as possible.

If you don’t want a contactless card, many providers let you opt-out, although some big banks and credit card providers do not – see the table, below.

Contactless cards
Credit and debit card providersAutomatically sends contactless cards to new customersAllows customers to opt out
American Expressa
Barclays
Barclaycard
Capital One
Co-operative Bankab
First Directc
Halifax
HSBCc
Lloyds Bank
M&S Bankc
MBNA
NatWest/Royal Bank of Scotlanda
Nationwidec
Santandera
Tesco Bankd
TSBe

Table notes
aNot all card types have been upgraded to contactless. bDebit cards only; credit card customers can’t opt out. cDebit cards only, credit card is chip and Pin. dExcludes legacy business cards. eCustomers must opt out again when new cards are issued.

More on this...