/ Money

Contactless cards: shouldn’t all providers give you the choice to opt out?

contactless card payment

Love them or hate them, contactless cards are here to stay, with over £4bn being spent on them every month in the UK. While most providers allow you to opt out, some, such as Barclaycard, don’t. Is this right?

As well as being editor on Which? Money, I write a column for inews.co.uk, where readers can email me questions about money and personal finance. I was recently asked the following:

I’m not keen on contactless card technology, so have asked all my card providers not to provide me with contactless debit and credit cards, preferring to stick with chip and pin, which I think is more secure. All have been happy to do this, except Barclaycard, which is insisting I must have a contactless card. Is this right?

Personally, I love my contactless cards.

I don’t think it’s an exaggeration to say that they’ve transformed everyday spending for those who’ve embraced them. They’ve made it possible to go all week without having to fiddle around for change – and they’ve speeded up many of life’s minor inconveniences, from queues to board a bus, to getting served in a busy pub.

The £30 contactless limit means that most day-to-day payments can be achieved with an instant tap, with chip and Pin only necessary for larger purchases or after a certain number of contactless transactions as a precaution (the number varies by provider).

However, that’s not to say your security concerns are without foundation. Indeed, our investigations have highlighted flaws in the past. For example, in 2015, we were able to easily and cheaply acquire contactless-card technology and use it to remotely steal key card details from a contactless card.

Then, in 2016, we asked volunteers to use their contactless cards on the high street, spending between £20 and £30 each time, and to keep shopping until they were asked for a Pin. We did this to find out how much a thief could spend on a contactless card unchecked.

While most banks asked for a Pin, or blocked the card, after three to five transactions, three debit card providers allowed our ‘thieves’ to spend more than £200 through 10 consecutive transactions in just three hours.

Perhaps unsurprisingly then, some people would prefer not to go contactless.

Opt out

Most providers allow customers to opt out, although there’s no obligation for them to do so. Barclaycard, however, doesn’t offer non-contactless cards. So if you’re intent on having a non-contactless card, this leaves you with little choice but to switch provider.

Even so, my view remains that there’s no need to worry unduly about security. All forms of payment come with risks and we all balance these with convenience on a daily basis. Chip and Pin, for example, isn’t perfect (a thief could watch you key in your pin), and before that, we used signatures, which could be forged.

It’s also worth bearing in mind that fraud involving contactless cards and devices represents a mere 1% of overall card fraud, according to Financial Fraud Action UK.

While it’s possible that some fraud involving contactless technology is recorded in more generic fraud categories, a low percentage does make sense when you think about it.

Of course, fraudsters will look to exploit any vulnerabilities in technology that they can to obtain card details, but it’s unlikely that they prize the cards themselves in order to make fraudulent contactless payments. After all, most criminals don’t want your cards in order to buy a coffee and a sandwich.

And as with all card fraud, if a contactless card is stolen and used by the thief, your provider must reimburse you, unless it can prove that you were negligent.

A version of this article originally appeared on inews.co.uk.

What do you think of contactless bank cards? Should providers give you the choice to opt out?

Comments
Pete of Harrow says:
23 December 2017

I always carry and use a London Freedom Pass in my wallet. Having another contactless card creates problems. I don’t know how people cope with having several contactless cards that can be accessed remotely at any time. Much better being in control of your spending.

Contactless is just another unwanted change foisted on us without any attempt at consultation and without our consent, like decimalisation, metrication, changing local government boundaries, the Common Market, and forcing us to “go online”. The authorities never ask us what we think because they know what we will say; NO! Enough is enough!

Err . . . decimalisatioin in 1971 was preceded by extensive consultation, metrication is not universal and does not prevent imperial measurements being shown, local government boundary changes are always subject to two rounds of consultation, we had general elections and several rejected applications before we joined the EEC in 1973 and then a referendum on staying in 1975 [with a high percentage in favour], and no one has been forced to go on-line. Contactless debit and credit cards are not compulsory either – some issuers offer alternatives.

The scale of use of contactless cards demonstrates their popularity and indicates general public consent.

A couple of years ago there was plenty of concern about contactless cards but few people took action: http://www.thisismoney.co.uk/money/saving/article-3214113/Customers-request-not-contactless-debit-card-major-banks-say-one-just-1-200-millions-have.html I remain in favour of having the choice of whether or not to have contactless cards.

Eddieb says:
23 December 2017

A couple of years ago my joint account Santander debit card expired and a new contactless one was issued. I told them that I didn’t want contactless cards so they re-issued the cards as non-contactless. Fine, I thought. Until I noticed that, contrary to normal practice, the new cards had a completely different 16 digit number! When I queried it with Santander, I was told that, to all intents and purposes, I was a new customer!!!!

A slightly dubious way of solving the problem of an unwanted contactless facility: Contactless cards work by getting power from the terminal (there is no power source in the card) via electrical induction- rather like the latest mobile phones can be charged by being placed on an inductive charger. The card contains a wire loop with several turns of very thin wire usually around the edge of the card leading back to the ‘sim’ card for want of a better term- it’s the chip as in chip and pin. The exact position of this loop is not the same in all cards but can usually be seen by shining a very bright light from the back of the card, you can then see the loop as a shadow. A very fine drill say 1mm diameter through this will completely disable the contactless function. The card works without any problem for chip and pin transactions but no longer works for contactless ones. One slight problem: A small number of older cash machines do not recognise the drilled card, but most do. I have done this to several cards as I do not like taking my Oyster card out of my wallet, so this prevents card clash at tube station oyster terminals, as the only functioning contactless card in my wallet is my Oyster card. An appropriate google search will give you more information.

I love my contactless card.
Fraud happens, before card readers were mobile, my debit card numbers were copied in a restaurant.
The bank refunded me.
Some kind person transferred their credit card debt to my credit card (just as I was going abroad, which was a pain as my card got cancelled), but,
The bank refunded me.
I check my bank statement weekly on line, I love having that facility, so if there is a problem I can deal with it quickly.
However, if people do not want to use contactless, then they should have the choice, like my dad, who at 92, has never even owned a cheque book and only pays by cash. Lol.
Though I have had to ‘risk’ my DC or CC on line occasionally for him!

Chip’n’Pin cards are classed as 2-factor security; something you own (the card) and something you know(the PIN).
Contactless cards are 1-factor security; something you own (the card).
Lose/steal the Contactless card, and it can be used on a contactless payment device without your approval or knowledge.
Lose/steal the Chip’n’Pin card, and it cant be used on a PIN or contactless payment device without your knowledge or approval.
Always keep in mind that the Banks are about profit and want to keep electronic payment costs as low as possible, as well as making any un-authorised usage to be at your expense and responsibility. And don’t believe a word of their PR about low fraud rates with Contactless; its in the Banks interests to say that, not your interests.

I’m now quite happy using my contactless debit card.

It is a useful time-saving device and is especially useful on buses and trains.

At a local security fair, I was given a free (if slightly bulky) radio frequency shield for it, which I may try out soon.

However, I do agree that folk who don’t want to have one should not be forced into having one.

Harry Rose, Which? Money Editor states above: “Personally, I love my contactless cards…They’ve made it possible to go all week without having to fiddle around for change”.

Excuse me Mr Rose, I think you’ll find that chip-and-pin cards have for years enabled us to go all week without having to fiddle around for change. It’s not a perk exclusive to contactless!

Shugg says:
24 December 2017

Never use them. Despite instructing my card providers not to issue contactless ones, every time a new one is needed it is contactless. My understanding is, however, that the first time it is used that way you need to enter a PIN. If I never activate it, it will remain dormant.

Shugg,
You may be mistaken about contactless “only” being activated by a contactless payment.
I believe ANY first use with the PIN will activate contactless.
(Otherwise how would it activate ??)

FYI
I dropped a contactless card (my fault) – and within 15 minutes it had been used twice fraudulently.
The 3 phone calls to the Card provider included the inevitable cross-examination.
No complaint there – but the 20-something minutes massively outweighed the claimed time saving of 2 to 3 seconds.

PIN would NOT have resulted in such a quick theft.

You are very unlucky, Jules. I lost my wallet containing two contactless cards and lost nothing. In a crowded shop I feel safer using a contactless card because it can be put away immediately and there is no chance that someone could see me entering my PIN and grab the card from the machine and then use the card to obtain much larger amounts than the contactless limit.

I did have the numbers to report card theft in my phone, but my recent experience has made me realise that there is usually no point in carrying more than one card and to keep a regular check that I still have my wallet.

Patrick Taylor says:
24 December 2017

“As well as being editor on Which? Money, I write a column for inews.co.uk, where readers can email me questions about money and personal finance.”

I must admit to being somewhat surprised that Which? staff are also being paid[?] by companies. Or is it a matter of free advice? free column for Inews? . I am uncomfortable with the idea but I am not absolutely sure why.

I had a similar reaction, Patrick.

Hi Patrick and John. Good points and I understand your concerns, this is quite simply a piece of regular press work that is arranged via the press team at Which? – it’s not paid for, it’s a fairly recent feature where Harry answers a big money question. We could publish every single one on Which? Convo, but they’re often issues that we’ve already discussed or are well known to Which? Audiences. We thought this article on contactless cards hadn’t been discussed for a while on Convo and it’s interesting that it’s not that easy to opt out of these cards. Thanks and Merry Christmas!

What Lauren says is exactly right. And just to add, as a charity, it is our duty to get our advice out to all consumers, not just our members or those who know how to find us. Sharing free helpful advice to consumers’ problems in a major paper is a good way to reach them, and to ensure that Which? can truly help all consumers, far and wide in the UK.

With a Contactless card you have enable it’s Contactless ability with your pin and even then you retain the option to use your Pin instead (I’m always asked before the machine is set for Contactless). If a Contactless payment is taken by mistake or dishonestly, it’s the bank that accepts the loss and the big plus must be that you’ve still got your card safely in your possession to continue using.
I believe expecting banks (I hate them!) to produce two versions of the same card is financially unrealistic if we want to keep banking costs to the minimum and largely free for Current accounts.
At the extreme end, I have a friend whom insists on using a cash point in a petrol station so he can pay in cash for his petrol, claiming it’s so he knows what he’s spending. He never uses his debit card to pay for anything.
We need, with care of course, to move forward and accept some changes as cash is undoubtedly on the way out. Personally, I’m also now considering using Apple Pay which I understand is more secure.

Linda Whitton says:
13 January 2018

There is obligation to have no obligation to have PIN numbers or contactless cards. It is bullying by the banks to make us bend to their will. I have seen a blind lady attempting to pay by chip and PIN and could tell what numbers she was putting into the machine from 6 places away in the queue. Equally my husband paid for goods without getting his contactless card out of a metal wallet We now have chip and sign cards; no PIN and no contacless.

Have never used mine, wouldn’t use it and if any attempt was made to make me would cancel the purchase. The whole thing appears wide open to fraud and misuse.

Although I use a contactless credit card, I feel strongly that the customer should be given the choice of whether or not they want one.

I understand the concerns about contactless cards, so why has the Oyster card been accepted, since it’s just a contactless card.

Tarian says:
13 September 2018

The difference is that with Oyster, the owner can limit the maximum loss.
e.g. I never add more than £10 – and only when there’s less than £5 – or before a journey.

Much more can be lost with contactless Debit/Credit Cards.
I dropped a contactless Credit Card – and within 15 minutes two debits had been made totalling (IIRC) ~ £ 45.
Other people have reported 3, 4 or 5 transactions before a PIN is demanded.

Saving 3 seconds each time is not worth the 10, 20, maybe 30 minutes calling the bank.
Contactless is like opening one’s wallet and saying “take the money”.

I agree with one thing. Banks should not run two types of cards. Ditch unsafe contactless !

I think a length of elastic could be a useful accessory with one end attached to the card and the other end to a belt or garment.

Thanks Tarian. I would support users setting a limit on the maximum loss on a contactless card. The banks should be issuing them on request and not by default.

That’s a good idea, but any limit would have to be high enough not to prevent the cardholder from making reasonable use of the contactless facility. For me a £20 limit would be OK but in the wrong hands that could still lead to £100 of illegal expenditure if the PIN command didn’t appear until the fifth attempt.

There are some very different ideas about contactless cards, so why not put customers in control? In my view the customer should decide whether or not they want a contactless card and if so, what limits they wish to specify. I would be happy with a limit of £50 per day, on the basis that I could continue to use the card with a PIN if necessary.

John, I tried elastic on a £20 note but it got stuck in the till.

I don’t have a contactless card and have not found the need for one – yet. No doubt, as a late user of a smart phone, I’ll wonder how I managed without one. I just don’t generally seem to be in situations where either cash or a credit card aren’t OK. I like the idea of having to verify a transaction with my PIN, something a thief would struggle with.

When my debit card was renewed recently the new one had the contactless symbol. I would have preferred to have a choice and have not yet used it in contactless mode. Like Malcolm, I shall continue to use my PIN to verify transactions. It takes but a couple of seconds.

As someone else pointed out, using the PIN for the first time activates the contactless facility, so that someone else who finds or steals a card could make use of this even if the user does not intend to.

Sheila says:
14 January 2018

Last year my bank sent me a contactless card through the post, I did not want the card and so went to the bank and asked for non contactless card. Santander were happy to comply agreeing that it’s my money and I have the right to choose. Shortly afterwards, I received my new card. I believe that everyone should have the right to choose, if your bank don’t respect you to have that right; change provider !

MATTIE ILES says:
31 August 2018

The reason why I hate contactless cards is because
1) Criminals can use a small
hand-held skimming device and get all your details and
2) If you lose your debit card, the person who found it can spend £30 per day without having to know the P.I.N. I don’t know about anybody else, but I personally cannot afford to give away £30 per day. It’s a hell of a lot of money. Contactless is an extremely bad idea.

You can use your contactless cards more than once in a day, Mattie. I suspect that repeated transactions in a day will trigger the requirement to use the PIN, but how much is possible to spend before then may depend on the bank. It’s important to report theft or loss immediately. I lost my contactless credit card recently and fortunately no-one had used it when I found that it was missing.

On the other hand, if you allow someone to see you entering your PIN for a chip & PIN transaction and your card is stolen you could land up losing rather larger amounts of money.

It’s worth having the numbers to report stolen/lost cards in your phone.

Tim Sawyer says:
30 November 2018

When received my new bank card from HSBC, a good while ago, it was contactless. Hadn’t requested one. Due to health conditions (epileptic seizures without warning, as well as short term memory loss) didn’t want contactless. Feel more comfortable with having to enter PIN for EVERY transaction I do with my card. Went into bank to explain, and they were quite happy to change card back to one where I had to enter PIN number for anything done with the card. There’s the £30 limit per transaction using contactless. But would that stop a thief from going around from shop to shop buying things – so long as the price per transaction didn’t exceed that £30 limit??