Bank customers whose lost or stolen contactless cards have been cancelled may need to comb through months or even years of statements to check for fraudulent transactions, an MSE investigation has found.
The shocking security flaw emerged after MoneySaver Justin Robson discovered his Halifax cards – cancelled by his bank when stolen last November – were used to make a series of fraudulent contactless purchases eight months later.
The problem is that shops don't always check with your bank at the moment a payment is made on your card. A cancellation is recorded at the bank, not on the card itself, so it only takes effect when the shop's terminal contacts the bank. Contactless cards are particularly at risk of being used after cancellation because you don't need to enter a PIN each time you use them.
There are 92 million contactless cards in the UK, many of which could be vulnerable if lost or stolen – and thousands of people whose contactless cards have been lost or stolen should check statements for fraudulent transactions that may not have been flagged.
Our investigation highlights a chaotic system in which banks are powerless to prevent cancelled cards being used by fraudsters, and don't even know when the fraud will end. And while some banks prevent accounts being raided by this type of fraud, others leave it to unsuspecting customers to spot dodgy payments – even though they can start happening months down the line.
Industry bodies say there are no readily available figures for the number of contactless cards lost or stolen every year, but there were 152,727 cases of fraud involving lost or stolen debit and credit cards reported in 2015 and the total number of cards cancelled is likely to be many more.
'My stolen card was used eight months after cancellation'
Justin, a computer engineer from Cheshire, had his contactless debit and credit cards stolen from the glove box of his BMW when the vehicle was snatched from outside his house in November 2015. He reported the theft to Halifax, which cancelled the cards and issued replacements, and thought no more of it.
However in late July 2016, he spotted payments he hadn't made coming out of his account: five contactless purchases totalling nearly £30 were made at a retailer 30 miles away in Stoke-on-Trent.
After Justin contacted Halifax, he was told fraudsters were using his cancelled stolen debit card to make contactless purchases – and warned the contactless function on the card could continue to work for an unknown length of time. The bank has also advised him to keep a vigilant eye on his accounts because no one is sure if the card's contactless function is still working or not.
Halifax has now refunded Justin for the thefts, paid him £6 for the cost of calls he made to the fraud team and £100 for the distress and inconvenience he'd experienced. A spokesperson for the bank told us: "In the unlikely event that contactless transactions have been made on a cancelled lost or stolen card, we will always refund the customer in order to ensure they are not out of pocket."
Justin says: "I am still confused and concerned to be told I could continue to be vulnerable for an undetermined amount of time."
How can cards be used after cancellation?
The problem lies in contactless card payments being processed in one of two ways: 'online' or 'offline'.
- When payments are processed online (LESS of a fraud risk), the card and payment machine immediately communicate with the customer's bank to check that the card is still valid and that there are sufficient funds in the customer's bank account.
If a card's been cancelled due to being lost or stolen, this will be flagged immediately and the payment won't be allowed.
- By comparison, a payment which is processed offline (MORE of a fraud risk) is one that's stored up in a batch by the retailer and then only processed 'online' to the bank later on – usually overnight in the case of big retailers, but with smaller stores, it could take a few days.
This allows a thief to buy goods on a stolen card undetected: the bank only learns of the payment when the retailer's batch arrives, and because not all banks then investigate payments made on a cancelled contactless card, the fraud could happen at any point. Although banks and trade bodies don't keep statistics, eight months is the longest gap between card loss/theft and fraud we have heard of.
Chip and PIN transactions can sometimes be processed offline too, but it doesn't present such a big fraud risk on lost or stolen cards because thieves are unlikely to know your PIN.
Two things can bring the fraudster to a halt. One is that the contactless card has reached the maximum number of consecutive contactless payments allowed before a chip and PIN transaction is required. The frequency of these PIN checks varies between cards, and banks keep this information secret to avoid their cards being targeted.
Crooks can also be tripped up if they buy goods which trigger a forced online transaction – when it would normally have been offline – and so inadvertently alert the bank.
MSE understands that Visa, Mastercard and Amex set what's known as a 'floor limit', above which payments are forced to go online for authorisation – that means anything above this limit is checked immediately with the issuing bank.
Visa has told us its floor limit is £15, but Mastercard and Amex haven't confirmed theirs with us. Retailers and their banks can set lower thresholds than the card companies (for example, £10) but this is largely commercially confidential to avoid encouraging fraudsters.
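The terminal-side decision described above, as an added illustration that is not code from MSE, Halifax or any card scheme: a toy model of a payment terminal choosing between offline and online authorisation, an issuer that only sees offline payments when the retailer's batch is settled, and a cancelled card being tapped repeatedly. The £15 floor limit is the Visa figure quoted in this article; the limit of five consecutive offline taps, the hot-list lookup, the £5.99 purchase amounts and the card number are constructed assumptions (real EMV cards enforce the counter in the chip itself, and issuers keep the threshold secret).

```python
"""Toy model of offline vs online contactless authorisation.

Added illustration only. Floor limit (£15) comes from the article;
the offline-tap threshold, card number and amounts are assumptions.
"""
from dataclasses import dataclass, field

APPROVED = "APPROVED"
DECLINED = "DECLINED_LOST_STOLEN"


@dataclass
class Card:
    pan: str
    cancelled: bool = False   # known to the issuer; the card itself is unaware
    offline_count: int = 0    # consecutive offline taps since the last online approval


@dataclass
class Issuer:
    hot_list: set = field(default_factory=set)           # PANs reported lost/stolen
    post_cancellation: list = field(default_factory=list)

    def cancel(self, card):
        """Cancellation is recorded here, not on the card."""
        card.cancelled = True
        self.hot_list.add(card.pan)

    def authorise(self, pan, amount_pence):
        """Online check: only this path ever consults the hot list."""
        return DECLINED if pan in self.hot_list else APPROVED

    def settle(self, batch):
        """Retailer's batch arrives later; only now can offline taps on a
        hot-listed card be spotted. Returns the transactions to investigate."""
        flagged = [tx for tx in batch if tx[0] in self.hot_list]
        self.post_cancellation.extend(flagged)
        return flagged


@dataclass
class Terminal:
    floor_limit_pence: int = 1500   # Visa floor limit quoted in the article (£15)
    max_offline_taps: int = 5       # assumption; real value is issuer-secret
    batch: list = field(default_factory=list)

    def tap(self, card, amount_pence, issuer):
        """Go online if the amount exceeds the floor limit or the card's
        offline counter is exhausted; otherwise approve locally and batch it."""
        go_online = (amount_pence > self.floor_limit_pence
                     or card.offline_count >= self.max_offline_taps)
        if go_online:
            result = issuer.authorise(card.pan, amount_pence)
            if result == APPROVED:
                card.offline_count = 0
            return ("online", result)
        card.offline_count += 1
        self.batch.append((card.pan, amount_pence))
        return ("offline", APPROVED)


def simulate():
    """Cancelled card tapped five times for £5.99, then a sixth time,
    then for £20. Returns (per-tap results, transactions flagged at settlement)."""
    issuer = Issuer()
    card = Card(pan="4000000000000001")   # constructed test-style number
    issuer.cancel(card)
    terminal = Terminal()
    results = [terminal.tap(card, 599, issuer) for _ in range(5)]
    results.append(terminal.tap(card, 599, issuer))    # counter exhausted: forced online
    results.append(terminal.tap(card, 2000, issuer))   # above floor limit: forced online
    flagged = issuer.settle(terminal.batch)
    return results, flagged


if __name__ == "__main__":
    taps, flagged = simulate()
    for i, (mode, outcome) in enumerate(taps, 1):
        print(f"tap {i}: {mode} -> {outcome}")
    print(f"flagged at settlement: {len(flagged)} transactions, "
          f"£{sum(a for _, a in flagged) / 100:.2f} in total")
```

Running `simulate()` shows why cancelling the card has no effect until something pushes a transaction online: the five small taps are approved by the terminal alone and only reach the issuer at settlement, which is the point at which a bank that "investigates all such cases" (see the table below) can flag them, whereas the sixth tap and the £20 purchase go online and are declined against the hot list.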
Contactless cards are increasingly popular in the UK, with the value of contactless purchases increasing by 232% in the past year to reach almost £1.9 billion in total.
However, some card providers are more proactive than others when it comes to protecting your funds and spotting fraud, as this table shows:
Post-cancellation contactless purchases on lost and stolen cards
| Card provider | Can contactless cards be used after cancellation? | Is the money automatically debited from your account? | Does provider always check with you whether a purchase made on a cancelled card was yours? |
| --- | --- | --- | --- |
| Barclaycard | Yes | It may be on the day the block's applied – it won't be from the day after | No |
| Barclays | Yes | It may be on the day the block's applied – it won't be from the day after | Yes |
| First Direct | Yes | No – it's assessed case by case | No |
| HSBC | Yes | No – it's assessed case by case | No |
| NatWest | Yes | Yes | Not always, but it does investigate all such cases and may contact you |
| RBS | Yes | Yes | Not always, but it does investigate all such cases and may contact you |
| Santander | Yes | No | Yes – checks initial spending, then applies a block if it's disputed |
| TSB | Yes | It won't be if a card's reported stolen – it will if reported lost | No |
Whatever your bank, building society or card provider's stated policy is, you should regularly comb your statements to check you recognise all payments – and it's even more important to do this if your contactless card has recently been lost or stolen.
'Very real risk fraud is going undetected'
Steve Nowottny, News and Features Editor at MoneySavingExpert.com, says: "Most cardholders will be frankly astonished to learn that they're still at risk of contactless fraud months after cancelling lost or stolen cards – and the implications are worrying and wide-ranging.
"There's a very real risk that fraud is going undetected because people have cancelled their cards and wrongly assume that means they can no longer be used. And the fact that when a cancelled card is used some banks will still automatically debit your account and not check whether you made the purchase is shocking.
"Unfortunately, for many who've lost a contactless card or had it stolen, the only way to now be certain you haven't been a victim of fraud is to trawl through months of old statements looking for suspicious low-level transactions – a laborious, ridiculous and for some a simply unrealistic task."
What should I do if my card's been lost or stolen?
- Tell your bank or card provider as soon as possible, so it can cancel the card and send a replacement.
- Keep an extra-vigilant eye on your account and scrutinise small contactless payments to make sure they're legit.
- If you think your card's being used fraudulently, tell your bank or building society immediately and report it to Action Fraud.
If you've also been a victim of fraud after cancelling your card, let us know by emailing email@example.com
What are my rights if I'm a victim of fraud?
If your card's used without your permission you are protected by the Lending Code and shouldn't lose money as a consequence, provided you inform the bank within 13 months of the fraudulent transaction and you have not acted fraudulently or without reasonable care (eg, you haven't disclosed your PIN to someone else, or written it down and kept it with the card).
As long as you meet these conditions, your bank or building society will usually reimburse you for your loss.
However, you're liable for up to £50 of any fraudulent spending that happens before you report the card's loss or theft to your bank. So if thieves spend £300 from your account before you warn the bank, you may only get £250 back. That's why it's vital to report a lost or stolen card the moment you realise it's gone.
What do security experts say?
Independent cyber security consultant Robert Pritchard says: "Most consumers would not expect a cancelled card to continue to work, and certainly not to continue making debits from their account. Therefore I would expect all banks and card providers to meet the same standards as the best practices identified in MoneySavingExpert.com's investigation.
"It's not unreasonable to expect a consumer to check transactions made on the same day as the card was cancelled, but after that the transactions should not be hitting their accounts.
"Given that contactless payments are for relatively small amounts, it would be easy for these transactions to be overlooked, and hence consumers risk losing out to fraud that they have already reported."
What does the industry say?
All the banks we spoke to admitted their cards could be vulnerable to this type of post-cancellation fraud. That's because it's an industry-wide issue with contactless card technology itself.
For example, a spokesperson for M&S Bank told us: "Most contactless cards can be used in an 'offline' environment, meaning that merchants can accept contactless payments without contacting the bank to verify whether the card is still valid or the account holds enough funds."
"It is not possible to differentiate between an offline contactless payment made by the rightful cardholder and one made by someone else."
A spokesperson for Lloyds Banking Group, which includes Halifax and Bank of Scotland, says: "Most contactless payment terminals are online and most transactions require this in order to be successful, with the exception of some very small contactless transactions.
"It's rare that a card can continue to be used for any length of time for contactless payments once a customer has cancelled their card."
Richard Koch, head of policy at trade body the UK Cards Association, says: "Fraud on contactless cards is low. Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket.
"It is essential anyone who loses their card or believes it has been stolen contacts their bank immediately."