Contactless payment security, concerns and considerations


Updated on 13 January 2021

As a banking group pushes to raise the contactless payment limit to £100, we take another look at whether the technology really is as safe as banks claim, and how you can keep yourself safe.

Contactless limit could rise to £100

The UK Government is facing calls to dramatically increase the contactless limit from £45 to £100 in order to make payments safer. 

UK Finance, the banking trade body, claims the increase would help further reduce the need to hand over cards or make any physical contact when paying in shops  – a big plus during the coronavirus pandemic.

The contactless payment limit was only increased from £30 to £45 last April, in part because of the pandemic but also in line with changes seen in many Europen countries.

According to The Times, the banking industry has positioned the proposed increase as not only more hygienic but that it also "could be seen as one of the first concrete examples of Britain parting company with Brussels on standards".

Time will tell whether the Government acts on the suggestion to increase the limit, but there's no question some shoppers would be nervous about the prospect of being able to part with such huge sums of money with no authentication needed.

So how safe is contactless really? The rest of this article runs through some of the most common security concerns and myths that surround contactless payments to help you stay better informed.

It's VERY difficult to steal directly from a contactless card

Many banks and consumers assume that contactless fraud is where money is stolen from your contactless card directly.

It's a theory seemingly backed up on social media every few months with images (as below, from Tumblr) and warnings posted of supposed fraudsters carrying Chip & PIN machines, stealing from seemingly oblivious members of the public.

While this sounds, in principle, like a valid concern, it would be incredibly difficult for criminals to operate such a machine without being noticed almost immediately.

There are myths about how easy contactless card fraud can be carried out (Image: Tumblr)

Chip & PIN machines need to be registered with a payment vendor and linked to a bank account before they can be used to charge cards – like how you need to register your mobile phone’s SIM card with a network before you can make a call.

Since every transaction is monitored for fraudulent activity, and applying for such a device is a lengthy process with many safeguards to stop fraudulent uses, it’d be incredibly risky for any criminal to do this without drawing an incredible amount of attention to themselves.

Contactless “skimming” is a fraud risk

Contactless payment fraud image (Image: Shuttrstock)

While there may be no hard evidence of contactless based fraud, this doesn’t take into consideration if card details are stolen via contactless for later use – better known as “skimming”.

Using widely available technology, or even a smartphone app, criminals can wirelessly read data from your contactless card without charging you a penny.

In most cases, the data includes the full 16-digit card number, the card type (Visa, MasterCard, or similar), the issuing bank, the expiry date, the card owner’s name, and in some cases (worryingly) a mini-bank statement.

With this data, it’s possible for criminals to create a cloned card with the original card details for use at older ATMs, shops, or even websites with poor security checks.

Alternatively, they could simply collect thousands of card details with the intention of selling them on to the highest bidder.

As there’s no financial transaction taking place, there’s no record of how many times it’s been read wirelessly, where it was read, by whom, and what their motive was.

Lost and stolen cards CAN still work months after cancelling

Contactless card fraud: hackers can use cancelled cards (Image: Shutterstock)

When contactless payments were first rolled out, concerns were raised about pickpockets and thieves being able to use a stolen card, without verification, to make high-value purchases.

Reporting a card lost or stolen, and reporting any suspicious activity on your bank statement immediately should theoretically block that card from being used fraudulently.

However, there have been mixed reports from members of the public that their cards continued to work long after being reported as lost or stolen.

Banks have complex security limitations in place to detect fraudulent contactless transactions, but consumers should keep an eye on their bank statements and flag transactions they don’t recognise immediately – even if the card has been cancelled.

You should also keep an eye on your credit report for suspicious transactions.

What about ApplePay and Google Wallet?

Apply Pay and Google Wallet: how safe are they? (Image: Apple, Google, loveMONEY)

When contactless payments first made their debut on smartphones concerns were raised about the security of card details being stored on, and transmitted from, a smartphone.

The initial fear was that instead of a malicious person reading card details wirelessly from a wallet – which tends to reside in a limited number of secluded places, such as a pocket or a bag – they could read them from a phone – an item we tend to carry more publicly.

Fears surrounding this potential threat quickly subsided, however, as the technology was showcased to only work in the specific context of paying for goods.

In the case of ApplePay, for example, card details are only transmitted when the phone detects a Chip & PIN machine that is requesting payment, it requires either a passcode, or thumbprint, to complete the transaction, and the 16-digit card number transmitted is semi-randomised per transaction.

These features give contactless payments via a phone another level of security in cases where the phone is either stolen, or a receipt is dropped at the point-of-sale terminal displaying the full card number.

Keep yourself safe from contactless fraud

Contactless payments offer a convenient way for consumers to pay for goods but, like most technology, come with a handful of security concerns that everyone should be aware of, but not scared of.

With that in mind, here are some top tips to help keep yourself safe from contactless-based fraud:

  • RFID-blocking wallets, or a few sheets of thick tinfoil, will block any wireless signal from leaving your wallet without your knowledge;
  • Some banks offer non-contactless cards to their customers, but you have to ask. Contactless is very much the standard-issue these days;
  • Using systems like ApplePay and Google Wallet gives an extra level of security when paying and don’t transmit your card details without your consent;
  • Report any cards that are lost or stolen immediately to your bank, and keep an eye on your bank statement for suspicious transactions.

Comments


Be the first to comment

Do you want to comment on this article? You need to be signed in for this feature

Copyright © lovemoney.com All rights reserved.

 

loveMONEY.com Financial Services Limited is authorised and regulated by the Financial Conduct Authority (FCA) with Firm Reference Number (FRN): 479153.

loveMONEY.com is a company registered in England & Wales (Company Number: 7406028) with its registered address at First Floor Ridgeland House, 15 Carfax, Horsham, West Sussex, RH12 1DY, United Kingdom. loveMONEY.com Limited operates under the trading name of loveMONEY.com Financial Services Limited. We operate as a credit broker for consumer credit and do not lend directly. Our company maintains relationships with various affiliates and lenders, which we may promote within our editorial content in emails and on featured partner pages through affiliate links. Please note, that we may receive commission payments from some of the product and service providers featured on our website. In line with Consumer Duty regulations, we assess our partners to ensure they offer fair value, are transparent, and cater to the needs of all customers, including vulnerable groups. We continuously review our practices to ensure compliance with these standards. While we make every effort to ensure the accuracy and currency of our editorial content, users should independently verify information with their chosen product or service provider. This can be done by reviewing the product landing page information and the terms and conditions associated with the product. If you are uncertain whether a product is suitable, we strongly recommend seeking advice from a regulated independent financial advisor before applying for the products.