MSE News

Amex fixes contactless card security flaw in final win for MSE's campaign

Amex fixes contactless card security flaw in final win for MSE's campaign

American Express has fixed a security flaw which meant lost or stolen contactless cards could be used AFTER they'd been cancelled, in the final step for MoneySavingExpert.com's campaign which has now successfully forced the three biggest card providers to tackle the issue.

American Express has told us that over 95% of all contactless transactions are now being processed 'online' – meaning that customers' banks are immediately alerted that a transaction has been made.

In September 2016, our investigation revealed that lost and stolen contactless cards could be used by criminals long after cancellation. One MoneySaver found five purchases totalling nearly £30 were made on his Halifax debit card eight months after it was stolen and he'd cancelled it.

The security flaw arose because some lower-value transactions were being processed 'offline' – meaning the customer's bank wasn't immediately alerted when a transaction was made, so cancelled cards didn't always receive its instruction to stop working.

MSE has campaigned for three years for card issuers to combat this security flaw, and in January 2019 Mastercard and Visa confirmed the issue was largely fixed, meaning we can now declare a decisive victory as American Express has also fixed the issue.

See our Stop Scams guide for ways to protect yourself from fraudsters.

'It's now much, much less likely this type of fraud will happen to you'

Kirsty Good, head of campaigns at MoneySavingExpert.com, said: "Finally, after years of campaigning, the last major card provider has managed to close this security loophole, making this type of contactless fraud – with a few exceptions – a thing of the past.

"It was outrageous that consumers – months after cancelling their stolen cards – were seeing money fraudulently taken out of their account. All credit to Visa, Mastercard and American Express for tackling this head on.

"If your card is lost or stolen, you still need to tell your bank to cancel it as soon as possible. As always, be extra vigilant when looking at your account and flag any dodgy transactions. But thankfully, it's now much, much less likely that this type of fraud will happen to you."

What's been done to fix the problems?

Visa, Mastercard and American Express have worked to tackle the issue by ensuring the majority of transactions are processed online, though some transactions will have to continue to be processed offline – for example, Transport for London (TfL) journeys will continue to be processed offline as the price you pay depends on how many trips you take and the final amount won't be known until the end of the day or week.

Here's what the major card schemes told us:

  • American Express previously said it would fix the issue by August, and has now confirmed 95% of its transactions are online. It says some transactions, such as those on trains, and at some car parks and train stations, may still be offline.

  • Mastercard says most contactless transactions have been online since March 2018. Again, there are a few exceptions, such as TfL payments.

  • Visa says most contactless transactions have been online since October 2017. It says there are some exceptions relating to payments for public transport.

How MSE campaigned on contactless card fraud

What should I do if my card's been lost or stolen?

Here's what to do:

  1. Tell your bank or card provider as soon as possible, so it can cancel the card and send a replacement.
  2. Keep an extra-vigilant eye on your account and scrutinise small contactless payments to make sure they're legit.
  3. If you think your card's being used fraudulently, tell your bank or building society immediately and report it to Action Fraud.