Contactless debit and credit cards: what are the risks?

May 30, 2013

Reports of 'phantom' payments on contactless cards raise questions over their security

Contactless debit and credit cards – used without a PIN for transactions under £20 – are certainly convenient. But how safe are they, asks Rupert Jones in The Guardian. A spate of recent incidents has been ringing alarm bells.

Several Barclaycard users have reported cards making "phantom" payments on London buses, doubling up on their Oystercard payments. There have also been complaints (from M&S and Pret a Manger customers among others) about involuntary deductions from cards near payment terminals. Anecdotes of "duplicate" payments in shops and cafes – whether errors or petty scams – are also common.

Card issuers like Visa say these are isolated cases and insist the technology is safe, says Laura Whately in The Times. In theory at least, "a contactless card should not be debited unless within 10cm of a card reader". And if your card is stolen, you can't be taken to the cleaners. A thief can never spend more than £20 in one go, and several consecutive transactions will trigger a PIN request. As with all types of card fraud, "your bank is obliged to fund you any losses as long as you have acted with reasonable care".

Still, cyber-experts maintain that the cards, which operate by sending out a weak radio wave, nonetheless pose a fraud risk, says Ali Hussain in The Sunday Times. A team at Newcastle University's Centre for Cybercrime and Computer Security has demonstrated "how easy it is to scan details from contactless cards" using kit costing as little as £50. Cards issued before January 2013, when the banks began adopting new measures to prevent fraud, may be particularly vulnerable.

"The Newcastle research shows that anyone can develop a cheap card-reader that can record personal details from a contactless card," says Prof Ross Anderson of Cambridge University's Computer Laboratory. "Unless the banks have a different definition, this does not mean secure to me."

There's one good reason why banks are so keen to defend the technology, says Sam Dunn in the Daily Mail. A survey by MasterCard suggests people spend nearly one-third more on their account once it has contactless capacity: the handiness of "wave and pay" makes buying more impulsive.

Prof Anderson believes mistakes are being made because some retailers haven't set up their tills properly. As a result, they may accidentally take contactless payments when a customer also pays by chip and pin. "The worry could be that, like chip and pin, banks start to refuse to pay up in disputes," he says.

Given the massive scale of the current roll-out (there are now 32.5m cards in circulation), news that the industry is undertaking "an urgent investigation" is welcome.

This article appears in the 1 June 2013 edition of The Week.

The data that can be read from the card is useless. Having said that, five contactless transactions - including London buses, with other modes of transport to follow - can be made without a PIN. For now, the issuers are happy to eat that loss. What about tomorrow?

Contactless cards - at present, at least - are significantly harder to clone compared to the magnetic stripe. However, the lack of a PIN could be a (big) problem and does pose a risk. Is extra speed of a few seconds worth it? We'll see...