Three banks allow thieves a contactless spreeWe reveal cards used to spend more than £200 each
18 November 2016
A new Which? investigation reveals that three banks are doing less than the rest to limit spending on stolen contactless cards.
We surveyed 1,066 people about their views on contactless cards. While 73% of the public think having a contactless card makes it quicker to pay for items, 69% are concerned about their contactless card being stolen and used.
If your contactless card does fall into the wrong hands, two obvious security safeguards are the £30-per-transaction limit, and the need to enter a Pin after a certain number of purchases. But our investigation revealed holes in these safeguards.
The banks that should do more
We ‘stole’ 12 contactless credit and debit cards to see how much a thief could spend unchecked. Our volunteers used tap-and-pay cards in high street shops continuously until they were asked for a Pin, or the card was blocked. We asked them to spend between £20 and £30 (the contactless limit) each time.
Three banks – Barclays, the Co-operative Bank and TSB – let us spend more than £200 through 10 consecutive transactions in just a few hours on debit cards, and we were never asked for a Pin.
The Co-operative Bank and Barclays say that customers will be asked for a Pin ‘from time to time’, or ‘if someone makes several contactless payments in a row’. But our researchers made 10 in a row unchecked and a real thief might well have continued.
TSB says contactless is ‘as safe as using chip and Pin’. Our tests suggest otherwise.
Other contactless cards
In contrast, the credit cards we tested from Barclaycard, Halifax and Santander, plus the debit cards from First Direct, HSBC, Lloyds, NatWest, Nationwide and Santander, either asked for a Pin, or blocked the card, after three to five consecutive transactions.
Barclaycard, Nationwide and Santander also called or texted the card owner to check the transactions were genuine.
None of our testers found these extra checks onerous, which begs the question why the other three don’t seem to use them in the same way.
Refunds for victims of card fraud
Banks seem happy to shoulder the risk of contactless fraud.
The Co-operative Bank said that the contactless function involves a risk to the bank, which is closely controlled and monitored. TSB said its debit cardholders are no more vulnerable to contactless fraud than customers of other UK card issuers, and that the benefits far outweigh the amount of fraud.
Barclays told us that all transactions made after a card is reported lost or stolen are checked with the customer and will not appear on their account if fraudulent.
But our research into card fraud last year found that many victims can wait up to a month to get their money back, and banks sometimes wrongly refuse refunds altogether.
Can you opt-out of contactless cards?
If you’re worried about contactless card fraud, keep a close eye on bank statements and report an unauthorised payment as soon as possible.
If you don’t want a contactless card, many providers let you opt-out, although some big banks and credit card providers do not – see the table, below.
|Credit and debit card providers||Automatically sends contactless cards to new customers||Allows customers to opt out|
|NatWest/Royal Bank of Scotland||a|
aNot all card types have been upgraded to contactless. bDebit cards only; credit card customers can’t opt out. cDebit cards only, credit card is chip and Pin. dExcludes legacy business cards. eCustomers must opt out again when new cards are issued.
- Everything you need to know in our guide to contactless payments
- What to do if there's a transaction your credit card you know nothing about
- Not sure which debit card is best for you? Take a look at our bank account tables