/ Money

Will you be forced to use a contactless card?

Barclays contactless debit card

Banks are apparently forcing so-called ‘contactless’ cards on customers. These let shoppers spend with a simple swipe, but is this actually how we want to squander our money – and are banks downplaying the risks?

From previous Conversations it’s clear that many of you aren’t convinced by a cashless society, but it’s creeping up on us whether we like it or not.

Debit card spending overtook cash for the first time last year, and with contactless technology banks appear to be trying their utmost to speed up the process.

All new cards from Barclays, Virgin Money and the Bank of America will now be ‘contactless’ – this lets us pay for transactions under £15 without the need to enter a pin. Think of the London Underground’s Oyster Cards and you’re half way there – these cards just happen to be wired directly into our bank accounts.

How secure are contactless cards?

The banks secure contactless cards by only allowing a small number of daily transactions, up to £50, before a pin number is requested. However, many customers aren’t convinced, believing that thieves could steal up to 50 quid even though they couldn’t get hold of all the cash in their account.

In retaliation, banks have tried to assure that any money lost to fraudulent activity would be refunded straightaway, but would you be willing to take the risk?

There are already 12 million contactless cards in circulation, and they’re accepted in shops like EAT, Co-operative and Ikea. Both HSBC and the Royal Bank of Scotland are running trials before they decide to follow suit, and Lloyds TSB is also weighing up the pros and cons.

Should we be made to go contactless?

But do we want them, and should banks be forcing them upon us? Which? Conversation commenter Sophie Gilbert isn’t interested in contactless tech:

‘I can safely assert that if my bank decides to compulsorily issue me with such a card I will never use it for purchases under £15, and this is what I’ll tell my bank if someone nicks my card and decides to make a string of purchases under £15.’

But Mark Austin, who heads up the development of contactless technology at Visa, says that the cards are much safer than using cash:

‘When you lose a £10 note, it’s gone. There’s usually no way to get it back. But if you lose a contactless card, you are protected by fraud protection and when you alert your bank they’ll refund any money lost.’

Which? Convo reader Peter Partington is a convert, telling us that he can’t wait: ‘Bring it on! I thought of this idea a few years ago as I hate waiting in long queues at the check out.’

So should we just grin and bear the onslaught of contactless technology, or should we be given a choice? Do you think the banks are playing down the potential security risks of the technology, or are you happy to swipe and pay?

Comments

I don’t want ‘contactless’ either, but I think there is a risk in punching a hole in a card – I believe a retailer has the right to confiscate a card if s/he believes it has been interfered with. A big hole is obvious interference.

Why are the banks pushing this? They, and the payment systems, take a small cut of the value of every transaction from the seller.

Gerry says:
24 October 2014

Why should the retailer worry? They probably won’t even notice. In most cases they won’t even touch the card because you’ll be using a Chip & Spin terminal. Your PIN will still work (and the signature strip will be unchanged) so they’ll still get paid.

Contactless is being pushed by the Surveillance Society. Eliminating cash helps to eliminate privacy and anonymity. It also means that if you step out of line they can restrict or stop you making any purchases at all. A virtual Ball & Chain, remotely enforced and very effective !

Lessismore says:
24 October 2014

When I needed a Bank Guarantee Card many years ago al that Barclays had was a Barclaycard credit card. I was just out of college I did not want a credit card. I was so cross I wrote and told them so.and I did not use it for years. They sent me a joint Oyster and Barclaycard and I never ever ever used the Oyster. I told them I didn’t want it. I wish I could remember how many years it has taken for them to get the point!

Now contactless cards. I don’t want want one of those either. Yes, I’m one of those people who lives or tries to live within my means. I suppose they’ll try and penalise me for that now.

Just remind me again – who is the customer? It’s alright I do know. I definitely am and I am obviously not banking with the right banks.

Gerry says:
24 October 2014

Just move to Lloyds, M&S or one of the others that doesn’t force you to go contactless.

You can also get a nice freebie when you switch (e.g. a £125 gift card from M&S).

The Halifax, Co-Op and First Direct also offer £100 when you switch (don’t know their contactless policies) but dumping Barclays is a no-brainer !

If you have more than one ‘contactless’ card, keep them together in your wallet and they’ll ‘block’ each other.

No need for RFID security wallets.

When two cards are scanned, they both transmit data – the scanner has no way of separating the data it receives.

Test it out for yourself – try waving two cards at the till next time you buy a bar of chocolate (not fags … I don’t wanna be responsible for your death).

Gerry says:
25 October 2014

Yeah, right… Try that on the Underground and it could be a VERY expensive mistake.

If the entry gate reads one card and the exit gate reads the other card, the system will think that you’ve made TWO incomplete journeys.

Your single journey will therefore result in TWO maximum fares !

Yeah I agree – a REALLY bad place to test out a theory !

That’s where a Yorkie Bar comes in (dark of course). The transaction either works or it fails.
Worse case …. maybe you’ll get two Yorkie Bars.

Helen in Cardiff says:
28 October 2014

Hello all
Just thought I’d add my experiences with Natwest to this conversation. starting a year ago when my NatWest visa debit card was replaced. which came contactless. For all the reasons everyone has mentioned above, I rang, complained and said I did not yet believe in the security of the technology. I may change my mind in future but right now I did not want it. No problem said Natwest, we’ll replace it for a normal chip & pin card. Well it took 2 months, three goes and 2 returned cards before they got it right. but get it right they did ….eventually.
rolling forward to last week and my NatWest credit cards came up for renewal, one visa, one mastercard. Interestingly the visa came chip and pin and the mastercard was contactless. yesterday I got back on the phone to NatWest card services, to the complaints team and let rip my annoyance at having to have this conversation again. This time being told that all their cards are now contactless and they “don’t know why” my replacement visa wasn’t contactless. Suspect my previous request not to have contactless visa debit filtered through to the credit card too.
Obviously where there is a will theres a way and my new visa card demonstrates that it can be done. its not impossible to issue without contactless ……..if they want to.
so ive asked to escalate this further through their complaints procedure as im not about to give up this argument just yet. Although I am considering the drill solution mentioned above.
More interesting given the conversations above is the fact that NatWest claim im the only person who has raised this concern with them. I don’t believe that for a minute.

Gerry says:
28 October 2014

By definition, there’s no security with PINless usage, whatever technology it may have !

You don’t need a drill, it’s much easier and neater just to use an A4 hole punch.

@Gerry:

I guess I’ll stick with my contactless cards …. I don’t fancy lugging ‘an A4 hole punch’ around all day ….

simo says:
8 February 2015

Hi felt i had to reply to your post. I used to bank with NatWest but when these cards first came in I raised my concerns with them and asked for it to be removed from my card. I was told and I quote “its a new service and you have no choice” Well I flipped my reply to the casher was I do have a choice I will be back in 10 minits. I then went nextdoor and opened a account with another bank. Walked back in to NatWest. And said right!! I am a customer as for having no choice I don’t think so I would like to close all of my accounts and at that time I had a isa credit card savings account and currant account. If I’m a customer don’t tell me in have no choice! I did complane by email after to there customer service dept but to this day have never had a reply.

Jane Jones says:
31 January 2017

Have had similar experience with Nat West on previous renewal and got a regular card and credit card after complaining that I did not want contactless cards. However on 30-01-2017 my mastercard was due for renewal and came contactless. Nat West apologised but said there was nothing they could do – I requested they raise a formal complaint in the belief that if enough customers complained, they may change their rules. Customer Service agreed to do this and today I have received an e-mail saying my complaint is resolved but there is no reference to my actual complaint nor assurance that I will receive a regular credit card. I’m not happy – indeed very annoyed as I feel I’m being forced to find another provider despite being a customer for many many years.

Gerry says:
1 November 2014

BBC reports a security flaw with Visa contactless cards that allows unlimited withdrawal amounts if made in a foreign currency.

http://www.bbc.co.uk/news/business-29861514

Yet another reason not to go contactless !

I just received a new Halifax Mastercard and was dismayed to see it was contactless as there had been nothing indicated to me up to this point to say that it would be contactless.

I have phoned and requested a non-contactless card and they told me this could not be done.

However, they did also tell me that the first time the card is used contactlessly, it will required the PIN number to be entered, and that if that has not been done then the card has not been activated for contactless PIN-less use.

I don’t think I have read than anywhere else on this thread or elsewhere. It is true that it says this in the literature.

He also claimed that until the contactless is activated, it cannot be skimmed either.

Comments?

Jon wrote: “….. (Halifax). did also tell me that the first time the card is used contactlessly, it will required the PIN number to be entered, and that if that has not been done then the card has not been activated for contactless PIN-less use.”.

Well ….. not exactly. According to their website:
“For extra security when receiving your card you will need to perform a Chip & PIN transaction before you can use the contactless feature.”

Subtle difference? The website seems to suggest that the contactless feature is activated by a CHIP & PIN transaction.
So, it’s ok if you never use the new card at all!
But the first CHIP & PIN transactions enables the contactless.

Even muddier water in other banks.

NatWest:
“When you make your first contactless transaction you may be asked to validate your card by entering your PIN. From time to time, you’ll be asked to enter your PIN to ensure you are the genuine card holder”.

TSB:
” …. protected by extra security features such as requiring you to activate and occasionally verify the card with your PIN number”.

Anyone offer any real world experience of this first transaction thingy?

I have a Coop one didnt ask for PIN first time, used it about 12 times with PIN requested once.
Testing it on a “friendly” cardreader I couldnt get it to detect the card until it actually touched the reader.

M.L.Johnson says:
17 February 2016

My Halifax contactless card had just been used for the first time accidentally as it was in the same wallet as my Oyster Freedom Pass and the first I knew about it was when a fare charge was shown when I checked my statement. Obviously then no PIN is required for first time use and activation. I shall be forthwith asking for a non-contactless card.

June Robinson says:
13 November 2014

What a ridiculous idea, who ever invented contactless cards, I just can’t believe it. Anyone getting hold of your card could use it over and over again on transactions of £20 and under. The world is going mad. I definitely do not want one of these. Security has gone out of the window.

Apparently a contactless card will sometimes require entry of a PIN, so hopefully repeated use would be detected.

I’m surprised that we have not come up with something better than chip & pin cards. If someone learns your PIN and manages to get hold of your card, they could withdraw several hundred pounds a day until you realised that your card was missing.

One of these days we might come up with a simple but secure way of making payments.

Gerry says:
13 November 2014

Trying to enter a PIN on a bus or at a train gate could be interesting !

Presumably PAYG travel is exempt from the ‘occasional PIN’ requirement.

If not, you could easily be stranded, e.g. London buses don’t accept cash.

It’s all good for the £20 limit in the UK however it’s a fraudsters dream as once stolen and shipped abroad the contactless transaction value is unlimited…it’s somewhat worrying this is not advised to people who are being forced to take this unwanted feature, BBC News story from earlier this month has full details –

http://www.bbc.co.uk/news/business-29861514

Rob

There’s an odd thing about these reports of massive security loopholes that are childsplay to get away with.

They are never exploited.
Where are all the follow-up stories of contactless card-holders being fleeced for 999,999 Euros or US$?

If I were a bit younger and a lot less honest, I’d be on to a loophole like this in a flash.

But no, there are no such reports.
Why?

Gerry says:
23 November 2014

I don’t know whether any flaws have been exploited, but the banks would keep very, very quiet if anything did happen.

So Absence of Evidence is NOT Evidence of Absence.

The biggest security flaw is that, by design, no PIN or signature is required to make a contactless transaction.

Steve in Essex says:
23 November 2014

A large part of the reason that these security loopholes are not exploited is that they are reported to the software author (in this case Visa) a week or 2 before being given to the press. Sometimes longer.

The most worrying bit for me was
“”With just a mobile phone we created a point-of-sale terminal that could read a card through a wallet,” said Martin Emms, lead researcher on the project.”

So much for needing contact with a terminal to make a payment

Gerry: “… but the banks would keep very, very quiet if anything did happen … So Absence of Evidence is NOT Evidence of Absence …”.
Well yea, no business advertises it’s failures but I cannot imagine their Twitter generation customers keeping quiet.
In this connected age, SMOKE = FIRE.

Steve in Essex: “… With just a mobile phone we created a point-of-sale terminal …”.
The researchers said it was a ‘front-end’ security flaw – which I assumed meant the transaction was not actually sent to VISA for ‘back-end’ processing (ie hitting accounts).
So when their smart-phone ‘PoS terminal’ displayed 999,999 Euros “approved”, I don’t think they had actually taken 999,999 Euros from their account.

Gerry says:
23 November 2014

Why can’t the contactless facility be enabled or disabled by the user, as and when required? That would keep all parties happy.

The obvious way would be for the on/off facility to be changeable via commands entered via ATMs and in-store terminals. There seems to be a rudimentary implementation of this already, because a PIN transaction has to be made before the contactless facility is enabled. It should therefore be quite straightforward to add the equivalent ‘Disable’ facility.

I refuse to have a contactless card because it would be useful only if it eliminated the need to purchase a different card for every town and city (e.g. London) that has made it prohibitively expensive or impossible to use cash on public transport. However, if contactless cards were switchable then I might well relent. Ideally there would be a keypad on the card to achieve this, but ATMs and in-store terminals would suffice in the meantime.

Gerry: “…Why can’t the contactless facility be enabled or disabled by the user … Ideally there would be a keypad on the card to achieve this …”.

Somewhere in the rusty depths of my aging memory …. smartphones will soon be doing this for you.

There’s ApplePay (already on iPhone 6?) and I think Android has something similar.

We won’t need cards, it’ll all be built-in to our phones.
I’d be surprised if you couldn’t disable it as required.
Also be surprised if it’s 100% secure ………..

Anyone out there already using this?

I posted here in april last year saying HSBC were happy to replace a contactless card with a non-contactless one. I have just received a new card and it was contactless – however, this time they were more reluctant to allow me a non-contactless one.

They did relent in the end and I should be receiving my new car shortly – that may have been down to the fact that I calmly stated I considered it a big enough security hole that I would consider taking my banking elsewhere.
A simple observation of “if I drop my current card, no one can use it. If I drop a contactless one, someone can … and unlike dropping cash, they can use it multiple times”

The lady at the end of the phone had no explanation as to why the banks were pushing forward with a technology that has such an obvious security flaw in it.

I have said that I will stay with them all the while I can have a non-contactless card – as soon as I can’t, I will find somewhere else.
Could be a niche in the market somewhere for one of the smaller banks to step up and allow non-contactless for those of us who don’t want it.

Neil: I wouldn’t trust them if I were you!

Just to keep you quiet, they could so easily send you a contactless card without the little logo on it.

I’d still carry it in a shielded wallet and I’d tap it on a reader next time I’m getting my Yorkie-bar fix.

I read about the “A4 hole-punch” method of disabling the egregious contactless idiocy, and was highly skeptical because the last thing I wanted to do was to invalidate the card or create suspicion.

However, I have now done the deed (in the manner described above) on each my three cards, and there has been *no problem in using any the cards* either in a chip and pin device or an ATM. Clearly there would be no issue online.

I have also verified that the contactless nonsense no longer works for any of the trio of cards. I did this in Lidl with a small purchase so there was no risk of, say, double-charging.

So I vouch for the holepunch method and will simply use this in future instead of moaning to all and sundry (although I will clearly still do this about numerous other issues, including, but by no means limited to, financial services). If done correctly, it will not impinge on the embossed PAN, the signature strip, any logo, the Chip or the magnetic strip, so it is entirely safe.

Gerry says:
27 November 2014

Glad it worked for you !

This simple and effective workaround can instantly defeat the unwanted and insecure PINless facility that the banksters are trying to foist on us.

Maybe the banks should allow a way for this to be done legitimately – perhaps a break-away piece of the card that disables the contactless functionality.

Bit of a cross-post here, I’m afraid.

I was on the ‘Supermarket Campylobacter in chicken results’ conversation regarding the fact that 12% of Asda’s chicken was sold in contaminated packaging
This means you’ll get campylobacter all over your hands, trolley and other shopping – then contaminate the checkout moving belt and the Chip & PIN keypad!

I realised this was yet another reason to welcome contactless payments.

QUOTE:
I’m afraid you’d be too embarrassed to shop with me …..
I carry a pack of wipes to clean the trolley handle.
I have disposable gloves in my pocket but normally use the (free) plastic bags from the veg section as makeshift gloves.
I use the hand wipes back at the car.
As for when I get home, unpacking the shopping, you don’t even wanna know !!!

PS Now I’ll not be able to resist wiping the keypad ….. wish they’d increase the contactless limit !
END-QUOTE

Vicky says:
11 February 2015

My husband found a contactless card on the ground a couple of days ago. He phoned the bank to let them know then cut up the card. If he had been less honest I suppose he could have bought us a couple of bottles of wine for dinner.

That’s very honest of your husband, Vicky – A couple of bottles of wine for dinner? Sound’s more like a party! 😮

I found my niece’s card beside the passenger seat of my car recently. She had assumed that she had dropped it or had it stolen.

I don’t routinely check that I have my contactless debit card and might not know it is missing until I next wanted to use it.

Mishka says:
15 February 2015

Hi, could anybody please tell me, where exactly A4 punch hole should be made and could there be a problem as I am ruining the card deliberately though to protect myself as obviously Banks are not doing it. Thanks

Hi Mishka, I’m confused as to why you’d need to know where hole punches should be used on A4 -This is a conversation about contactless cards. However, I’d be more than happy to help, if you could please elaborate…

I presume that Mishka would like to disable to contactless operation, yet allow the card to be used in other ways.

We should be invited to opt-in to using a contactless card rather than having them thrust upon us. What the companies are doing generates resentment.

Ah yeah, just read more of the comments in the thread..Thanks for highlighting, wavechange. It’s not something that Which? can comment about, I’m afraid..

Mishka says:
16 February 2015

Hi Andrew, thanks for your reply. You didn’t understand . I was talking about visa debit card, but used expression “A 4 punch hole ” as I read it somewhere , and that probably has something to do with the size of the acctual hole.
Problem solved. The hole should be made on right hand side bottom just underneath letters VISA , that will break the wire and disable the card to be contactless.
Still I will not do it as Santander offered to replace contactless for normal card but with different PIN.
Happy.
Anyway thanks to everybody. 🙂 s.

Hi Mishka, I’m glad to hear that everything was sorted out in the end 🙂 Apologies again for the confusion.

Mishka says:
17 February 2015

Hi Andrew, you are gentleman, no need to apologise and you are very welcome, regards.

Craig says:
11 March 2015

I’m with RBS. They sent me a contactless replacement card with asking or me requesting one a few years ago. When I went in and told them I didn’t want it, they told me I can’t order a normal chip and pin. A few months later lost the card and had to order a new one, where I was told that I could order the standard chip and pin (which I got). For some reason it stopped working. Ordered a new one where I was asked would I like the contactless, I said no, so they sent me it the contactless anyway. When ever I try to order a normal chip and pin now I get told that I can only order the card they last sent me (contactless). Is there a way where we as customers can force the banks to give us the cards we prefer. PS, Banks will only repay money that is spent using contactless if you can prove that you haven’t spent it. Can’t do that, thats money out of your pocket.

Gerry says:
11 March 2015

Ask RBS for a deadlock letter stating that they refuse to issue you with a non-contactless card, and then submit a complaint to the Financial Ombudsman. If their consumer helpline passes the complaint on to one of their adjudicators for further investigation, the bank has to pay a fee of £550 regardless of the outcome. If all aggrieved customers did this, the banks would soon decide that it was cheaper to keep offering non-contactless cards !

In the meantime, convert your card by using a hole punch as described above and you’ll no longer have to worry about data theft and unauthorised transactions.

I’m thinking of buying a wallet that is shielded from RFID readers.

Being a ‘bit’ pedantic, I’d like to be able to test the effectiveness of the wallet.

I don’t really want to use a shop’s Point of Sale terminal for the testing – I not thick skinned enough for that!

Is there a simple (ie cheap) gadget that I could use at home to test the shielding?

Gerry says:
14 March 2015

It would be pointless to test a wallet at home: what criteria would you use?

OK, your gadget at home might fail to read it, but if it turns out that it would still work at a PoS terminal you’d be blissfully unaware and hence no better off. The only way is to test it for real: e.g. just use a self-service or self-scan till at Tesco. If the card still works contactlessly then your wallet is useless, and if it doesn’t work then you just take the card out of the wallet and try again. Alternatively, insert it into the reader and enter the PIN. Either way, no-one will notice and the sky won’t fall in.

But what are you trying to shield it from? A shielded wallet will be utterly useless if you the card is lost or stolen: the finder can still go on a spree at your expense. Similarly, if you’re squashed up against a fraudster on a crowded train, you can’t be sure that your screened wallet will offer sufficient protection against a suitably powerful portable reader. It’s like trying to test earplugs – if an H-bomb goes off you might still get woken up…

If your bank arrogantly refuses to issue an ordinary card, just change banks or convert your card to non-contactless by severing the aerial wires. This can usually be achieved very easily by using a paper punch to make a hole on the centre line of the card, immediately above the last digit of the long number.

First Direct replaced my “contactless” card, after much griping on my part. They had a small stock of standard cards (from which I was issued one), but after it expires, they couldn’t guarantee anything, etc. etc. – fair enough.

*

Halifax promised me a replacement card, when I baulked at the “contactless” one I had been sent (without discussion – silly of me, in retrospect). It never arrived.

Halifax now tell me that – because I’d used the “contactless” one, it was now utterly impossible to give me a standard card. Just not possible. Offends the laws of nature, apparently.

I’ll give them a month, then let them know they can exchange it, I can cancel and then re-apply for a new card, or if they still _insist_ that I have a “contactless” card, I will not be troubling them with my banking requirements.

*

I don’t like them, I don’t want it. And I’m the customer, for as long as they understand that. Blast these banks and technology firms with their “this is good for you, so you WILL take it, you stupid consumer” attitude.

A lot of people are getting increasingly fed up with the dictatorial policies of the banks and other major companies. Having closed branches in so many localities from where we could draw cash we are now dependent on a bit of plastic to get hold of some folding money and to pay for everyday things. Banks take the view that they are not actually obliged to issue debit cards to their customers – it is a privilege granted in return for us trusting them with our accounts! – and they can withdraw them [by electronic cancellation] at any time. So effectively the banks can force us to have contactless cards because they will refuse to issue the alternative. Switching banks will be futile in the long run because all banks will fall into line. I don’t know how we stand up to this commercial behaviour; I certainly believe there should be a positive opt-in requirement before anything can be forced upon us that we feel diminishes our rights.

Personally I don’t have any objection to contactless cards, and I haven’t even checked to see which of my cards are contactless, but I would uphold the right of people to reject them if they so choose. What happened to ‘ethical banking’?

Thomas Perkins says:
23 March 2015

I have recently switched my bank account to Tesco Bank and have been issued a contactless card. I do not want this and would like to be able to opt-out. Don’t know if I can. I don’t trust it as I worry that if the card was lost anyone could spend my money. Also I believe you can spend £20 not £15 in contactless transaction. At least that’s what it seems to be in Morrisons where I work with the new card readers just installed. I think this is too much. If they’re going to do it the maximum spend should be £5 and it should ask for a PIN every 5 transactions or something.

My main worry, even more than this, is that someone can stand behind you and read your card details in your pocket with a card reading device. I saw a program where this was demonstrated on TV when contactless was first introduced.

Worst of all, its hardly any quicker! In Morrisons at least, by the time the cashier has selected the card payment on the till and the customer has found the spot where it will read you just as well put it in the machine and enter your PIN.

I for one will never be using the contactless option on my card and if it ever comes to one of my credit cards I would probably close the account and find another provider – as it goes there’s hardly ever any money in my bank account so it almost doesn’t matter on that card.

Sue says:
2 April 2015

My Debit Card is due for renewal in July so I rang the Halifax and requested a non-contactless card to be sent, they are replacing my existing card immediately with non-contactless which registers me on the opt-out list and future cards will also be opted out. It might be an idea for anyone worried about contactless cards to deal with it before their new card is due to be issued.