Contactless card security flaw still not fully fixed 18 months on
A flaw which means contactless cards can be used AFTER they've been cancelled has still not been fully fixed almost 18 months after MoneySavingExpert.com began campaigning on the issue.
As our investigation revealed in 2016, a shocking security flaw means crooks can sometimes use contactless cards after they've been cancelled, due to the way some transactions are processed.
When payments are processed online, the payment machine immediately communicates with the customer's bank to check if there are enough funds in the customer's bank account. If a card's been cancelled due to being lost or stolen, this will be flagged immediately and a payment won't be allowed.
Shops sometimes, however, process lower-value card transactions 'offline', meaning they don't immediately check with banks when a payment is made, and so cancelled cards may not receive the instruction from the bank to stop working. Contactless cards are at a greater risk of being used after cancellation because you don't need to enter a PIN each time you use them.
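The two processing paths described above, and the after-the-fact check a bank can run on settled payments, shown as an added sketch that is not from the original article. The offline threshold, card labels and timestamps are constructed assumptions.

```python
from dataclasses import dataclass

OFFLINE_LIMIT_PENCE = 3000  # assumed terminal threshold, not a figure from the article

@dataclass
class Txn:
    card: str
    amount_pence: int
    time: int            # constructed timestamp: minutes since midnight
    mode: str = ""       # set by the terminal: "online" or "offline"
    approved: bool = False

class Issuer:
    def __init__(self):
        self.cancelled_at = {}   # card -> time the bank cancelled it

    def cancel(self, card, time):
        self.cancelled_at[card] = time

    def authorise_online(self, txn):
        cancelled = self.cancelled_at.get(txn.card)
        return cancelled is None or txn.time < cancelled

    def reconcile(self, settled):
        # Detection after the fact: approved payments dated after cancellation.
        return [t for t in settled
                if t.approved and t.card in self.cancelled_at
                and t.time >= self.cancelled_at[t.card]]

def terminal_pay(issuer, txn, terminal_online):
    """Go online when the terminal can, or when the amount exceeds the limit."""
    if terminal_online or txn.amount_pence > OFFLINE_LIMIT_PENCE:
        txn.mode, txn.approved = "online", issuer.authorise_online(txn)
    else:
        # Offline: no call to the bank, so the cancellation is never seen.
        txn.mode, txn.approved = "offline", True
    return txn

def demo():
    bank = Issuer()
    bank.cancel("CARD-A", time=600)  # constructed: card reported lost at 10:00
    settled = [
        terminal_pay(bank, Txn("CARD-A", 450, 590), terminal_online=False),
        terminal_pay(bank, Txn("CARD-A", 800, 615), terminal_online=False),
        terminal_pay(bank, Txn("CARD-A", 800, 620), terminal_online=True),
        terminal_pay(bank, Txn("CARD-B", 1200, 630), terminal_online=False),
    ]
    return settled, bank.reconcile(settled)

if __name__ == "__main__":
    print(demo()[1])
```

Only the 10:15 offline payment on the cancelled card is flagged: the identical payment five minutes later is refused because that terminal checked with the bank.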
But speaking yesterday at a Treasury Committee session, Financial Conduct Authority chairman John Griffith-Jones said that although progress on the issue "was moving satisfactorily", he didn't believe the issue had been fully solved.
See Stop Scams for ways to protect yourself from fraudsters.
What was said at the Treasury Committee meeting?
During the session, Labour MP Catherine McKinnell asked Griffith-Jones to provide an update on contactless card fraud.
He replied: "That seems to be moving in a reasonably satisfactory manner.
"Visa has introduced more online transactions, I'm sorry I don't have the number, but much more. The banks have also looked at this and broadly speaking the more online transactions there are, the less fraud is possible and we're moving, we think, satisfactorily in that direction."
McKinnell then interjected to say: "Fraudsters are still able to use cards even once the card has been cancelled where it's still an offline transaction."
Griffith-Jones replied that the offline transactions are the weakness in the system, and later clarified that they had not been "turned off technically".
We asked the Financial Conduct Authority for clarification and it confirmed that Griffith-Jones was explaining that card schemes have taken steps to make most contactless transactions 'online' since the issue was raised in 2016, but this has not been fully completed.
We are checking this with the card schemes and will update once we know more.
What should I do if my card's been lost or stolen?
Tell your bank or card provider as soon as possible, so it can cancel the card and send a replacement.
Keep an extra-vigilant eye on your account and scrutinise small contactless payments to make sure they're legit.
If you think your card's being used fraudulently, tell your bank or building society immediately and report it to Action Fraud.
Griffith-Jones confirmed to the committee that the "onus is on the bank" to identify fraud, and not on the customer. Despite this, it's still worth checking your statements if you've cancelled a card.
If your card's used without your permission you are protected by the Lending Code and shouldn't lose money as a consequence, provided you inform the bank within 13 months of the fraudulent transaction and you have not acted fraudulently or without reasonable care (eg, you haven't disclosed your PIN to someone else, or written it down and kept it with the card).
As long as you meet these conditions, your bank or building society will usually reimburse you for your loss.
However, you're liable for up to £35 of any fraudulent spending that happens before you report the card's loss or theft to your bank. So if thieves spend £300 from your account before you warn the bank, you may only get £265 back. That's why it's vital to report a lost or stolen card the moment you realise it's gone.