Amex fixes contactless card security flaw in final win for MSE's campaign
American Express has fixed a security flaw which meant lost or stolen contactless cards could be used AFTER they'd been cancelled, in the final step for MoneySavingExpert.com's campaign which has now successfully forced the three biggest card providers to tackle the issue.
American Express has told us that over 95% of all contactless transactions are now being processed 'online' – meaning that customers' banks are immediately alerted that a transaction has been made.
In September 2016, our investigation revealed that lost and stolen contactless cards could be used by criminals long after cancellation. One MoneySaver found five purchases totalling nearly £30 were made on his Halifax debit card eight months after it was stolen and he'd cancelled it.
The security flaw arose because some lower-value transactions were being processed 'offline' – meaning the customer's bank wasn't immediately alerted when a transaction was made, so cancelled cards didn't always receive its instruction to stop working.
MSE has campaigned for three years for card issuers to combat this security flaw, and in January 2019 Mastercard and Visa confirmed the issue was largely fixed, meaning we can now declare a decisive victory as American Express has also fixed the issue.
See our Stop Scams guide for ways to protect yourself from fraudsters.
'It's now much, much less likely this type of fraud will happen to you'
Kirsty Good, head of campaigns at MoneySavingExpert.com, said: "Finally, after years of campaigning, the last major card provider has managed to close this security loophole, making this type of contactless fraud – with a few exceptions – a thing of the past.
"It was outrageous that consumers – months after cancelling their stolen cards – were seeing money fraudulently taken out of their account. All credit to Visa, Mastercard and American Express for tackling this head on.
"If your card is lost or stolen, you still need to tell your bank to cancel it as soon as possible. As always, be extra vigilant when looking at your account and flag any dodgy transactions. But thankfully, it's now much, much less likely that this type of fraud will happen to you."
What's been done to fix the problems?
Visa, Mastercard and American Express have worked to tackle the issue by ensuring the majority of transactions are processed online, though some transactions will have to continue to be processed offline – for example, Transport for London (TfL) journeys will continue to be processed offline as the price you pay depends on how many trips you take and the final amount won't be known until the end of the day or week.
Here's what the major card schemes told us:
American Express previously said it would fix the issue by August, and has now confirmed 95% of its transactions are online. It says some transactions, such as those on trains, and at some car parks and train stations, may still be offline.
Mastercard says most contactless transactions have been online since March 2018. Again, there are a few exceptions, such as TfL payments.
Visa says most contactless transactions have been online since October 2017. It says there are some exceptions relating to payments for public transport.
In September 2016, an MSE investigation found contactless cards could be used fraudulently months or even years after they'd been cancelled.
We began discussions with the powers that be, including going to the Financial Conduct Authority (FCA) – and in the wake of our investigation, Lloyds, Halifax and Bank of Scotland said they would review their fraud procedures.
In February 2017, Labour MP Rachel Reeves cited our investigation when she quizzed industry regulators about what they were doing to combat contactless fraud.
In March 2017, the FCA promised Parliament that it would clamp down on offline transactions, and its chief executive Andrew Bailey wrote a guest comment piece for MSE outlining the action it would take.
In February 2018, card providers Visa, Mastercard and American Express told us they would help tackle the issue by bringing the majority of contactless transactions online.
In January 2019, the FCA confirmed "almost all" contactless transactions from Mastercard and Visa were being processed online.
What should I do if my card's been lost or stolen?
Here's what to do:
Tell your bank or card provider as soon as possible, so it can cancel the card and send a replacement.
Keep an extra-vigilant eye on your account and scrutinise small contactless payments to make sure they're legit.
If you think your card's being used fraudulently, tell your bank or building society immediately and report it to Action Fraud.