New ways to pay
By Chiara Cavaglieri
Contactless payments are quick and convenient, but are they safe?
Contactless payment security
When Which? surveyed 1,066 people in August 2016 about their views on contactless cards, we found that 73% of the public think having a contactless card makes it quicker to pay for things. But 69% are concerned about their contactless card being stolen and used to make purchases.
These concerns are not unfounded. A recent Which? investigation into contactless card security revealed significant security flaws when we tested 12 leading credit and debit cards. And although banks say they will refund fraudulent purchases, our previous research has found card fraud cases where refunds were delayed – or wrongly refused.
How do contactless cards work?
Contactless debit or credit cards allow you to pay for items worth up to £30 at a time without entering your Pin.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
Where can I make contactless payments?
Many shops accept contactless cards, including Marks & Spencer, Boots and Waitrose, although there are still some major stores that don’t offer contactless transactions, including Debenhams and John Lewis.
London commuters can use contactless cards through the entire transport network, and both Mastercard and Visa have set targets for terminals in every UK shop to accept contactless payments by 2020.
The technology behind contactless cards
1. A contactless card contains a chip that holds your account information and an antenna (a loop of copper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
2. A card-reading terminal emits an electromagnetic field – when a card enters this field it is powered 'on'.
3. The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
4. Only when the card recognises the reader will it 'reply' with a coded data transfer.
5. The card terminal should then confirm that payment has been accepted – this usually happens instantly.
Are contactless cards safe?
Card issuers restrict the number of contactless transactions that can be made before the Pin is requested, to prevent fraud. The £30-per-transaction limit is another safeguard. However, our research suggests that some banks are failing to protect their customers properly.
We asked volunteers to use their tap-and-pay cards on the high street, spending between £20 and £30 each time, and to keep shopping until they were asked for a Pin, to see how much a thief could spend unchecked.
While most banks asked for a Pin, or blocked the card, after three to five transactions, three debit card providers – Barclays, the Co-operative Bank and TSB – allowed our 'thieves' to spend more than £200 through 10 consecutive transactions in just three hours. This news story on our most recent investigation into contactless card security explains more.
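An added illustration (not code from Which? or from any bank) of the issuer-side safeguard described above: a count of taps and spend since the last Pin-verified payment, which forces a Pin once a limit is reached. The policy values and all class and function names are assumptions, and the spree is constructed to mirror the test of 10 purchases of £20 to £30.

```python
from dataclasses import dataclass

PER_TAP_CAP_PENCE = 3000  # the £30 per-transaction limit stated in the article


@dataclass
class TapPolicy:
    """Hypothetical issuer limits, counted since the last Pin-verified payment."""
    max_consecutive_taps: int
    max_cumulative_pence: int


@dataclass
class CardState:
    taps_since_pin: int = 0
    pence_since_pin: int = 0


def authorise_tap(state: CardState, policy: TapPolicy, amount_pence: int) -> str:
    """Decide one contactless attempt; counters only advance on approval."""
    if amount_pence > PER_TAP_CAP_PENCE:
        return "PIN_REQUIRED"
    if state.taps_since_pin + 1 > policy.max_consecutive_taps:
        return "PIN_REQUIRED"
    if state.pence_since_pin + amount_pence > policy.max_cumulative_pence:
        return "PIN_REQUIRED"
    state.taps_since_pin += 1
    state.pence_since_pin += amount_pence
    return "APPROVE"


def pin_verified(state: CardState) -> None:
    """A successful chip-and-Pin payment resets both counters."""
    state.taps_since_pin = 0
    state.pence_since_pin = 0


def unchecked_spend(policy: TapPolicy, amounts_pence: list[int]) -> tuple[int, int]:
    """Replay a run of taps; return (taps, pence) approved before the first Pin prompt."""
    state = CardState()
    for amount in amounts_pence:
        if authorise_tap(state, policy, amount) != "APPROVE":
            break
    return state.taps_since_pin, state.pence_since_pin


# Constructed sample: ten taps of between £20 and £30, in pence.
SPREE = [2500, 2000, 3000, 2200, 2800, 2000, 2600, 2100, 2900, 2400]
STRICT = TapPolicy(max_consecutive_taps=5, max_cumulative_pence=10000)  # assumed values
LAX = TapPolicy(max_consecutive_taps=20, max_cumulative_pence=50000)    # assumed values

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("lax", LAX)):
        taps, pence = unchecked_spend(policy, SPREE)
        print(f"{name}: {taps} taps, £{pence / 100:.2f} spent before a Pin was requested")
```

With the strict policy the cumulative limit triggers before the tap-count limit does, which is why checking both counters matters.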
Industry figures suggest contactless card fraud is low, amounting to 3.1p in every £100 spent using the technology, according to Financial Fraud Action UK.
However, it is possible that these figures do not reflect all losses – because fraud that is directly attributable to the contactless functionality of debit or credit cards cannot always be recorded as such.
For example, in 2015 Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV. Despite using the contactless functionality to obtain the card details, this would be documented as ‘remote purchase fraud’ and not attributed specifically to contactless fraud because the victim would not know how the details had been obtained.
Tips to avoid contactless card fraud
You can take simple steps to minimise the risk of card fraud:
- Never hand over your card: If your card is taken out of your sight, someone could run it through a skimming device, which copies the data from its magnetic strip.
- Ask for a receipt: Contactless users aren’t always offered a receipt – so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
- Check your statements: You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards, as these can still be used after being cancelled.
Can you opt-out of having a contactless card?
If you don’t want a contactless card, many providers let you opt-out, although some big banks and credit card providers do not – as you can see from the table below (correct at November 2016).
|Credit and debit card providers||Automatically sends contactless cards to new customers||Allows customers to opt out|
|NatWest/Royal Bank of Scotland||a|
a Not all card types have been upgraded to contactless.
b Debit cards only; credit card customers can’t opt out.
c Debit cards only, credit card is chip and Pin.
d Excludes legacy business cards.
e Customers must opt out again when new cards are issued.
Contactless cards: FAQs
Do protective wallets and foil stop contactless cards from being read?
There are metal cases that claim to protect your cards.
Although many members report using these successfully, we haven’t yet tested their effectiveness. Our researchers tested wrapping a card in tin foil – and this prevented it from being read, even when we rubbed it against the reader.
While we don’t think this is essential, we believe that lining your wallet with foil should protect your card details.
What protection is in place against accidental payments being made?
It is possible to pay for something without meaning to, but only when you’re close to the reader. The cashier needs to activate the terminal (or you need to select this option yourself at a self-service till) to accept contactless payments, reducing the risk of mistakes.
Contactless terminals are programmed so that they only take one payment from one card for any one transaction. Readers have also been designed to reject payment if two contactless cards are presented at the same time.
Is it possible for a thief to copy my card details?
Although the risks are low, this is possible.
Someone would probably have to be very close to you to ‘lift’ your card details without you knowing. In our tests, the card had to be touched against the mobile card reading device, although other readers might be more powerful.
If a thief steals my card, or copies my card details, will my bank reimburse me?
Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. For more, see our guide to fraudulent activity.
If you believe a transaction was fraudulent, it’s the responsibility of the card provider to prove that you authorised the payment or were negligent in not taking reasonable care of your card's security features – and if it can’t, then it must reimburse you.
Which? has previously revealed that card providers sometimes wrongly refuse refunds, so if you feel that your bank has acted unfairly, refer your complaint to financialombudsman.org.uk.
- Last updated: November 2016
- Updated by: Chiara Cavaglieri