Is contactless security a concern?

My husband isn’t convinced contactless payments are secure, so he’s still using the chip and pin function. But is he right to be concerned?

Having used (and overused) contactless cards for more than five years, I don’t give a second thought to tapping my card while out eating and drinking, getting on the train or bus, or buying groceries.

A family member bought me a card protector a few years ago, but it currently sits in a drawer.

Contactless spending continues to grow, too. According to UK Finance, payments in the UK surged by 31% in 2018, and 20 million transactions take place every day.

They’ve now even overtaken chip and pin payments.

But is my husband right to be concerned, and should I be taking the security risk more seriously?

What are the concerns?

The most talked about type of contactless card fraud is card skimming, when a fraudster uses contactless technology to steal key card details from you while you’re out and about.

Most of us have seen images online of a shady character who has sidled up to an unsuspecting victim on the train, card reader in hand.

My husband’s concern about this type of fraud isn’t completely unfounded – in a 2015 investigation we found that we were able to easily acquire card details using cheap contactless technology.

In reality, though, contactless fraud only accounted for 3% of total card fraud in 2017. And, according to UK Finance, no contactless fraud has been recorded on cards still in the possession of the original owner – meaning that while contactless card skimming is possible, the risks are very low.

Are you worried about the security of contactless cards? Do you own a protective card defender? What concerns you the most about contactless payments? Does the £30 limit give you peace of mind?

The benefits

So, do the benefits of contactless payments outweigh the risks?

Contactless allows me to spend up to £30 with an instant tap, and I can use it on my bank card or smartphone. On an average day, I tap my card or mobile at least five times without even really noticing.

My Oyster card sits unused in a drawer – I switched to paying for my travel directly with my card with an instant tap – and this morning I paid for a packet of mints easily with my card as I rarely carry cash.

I’ll buy my shopping for dinner using contactless too. My husband has now, slightly begrudgingly, started using contactless for small payments.

Do you use contactless payments? Were you once cautious about contactless, but are now a contactless convert? Do you use contactless payment apps, such as Apple Pay or Google Pay, on your smartphone or wearable?

Sensiblebob says:
23 March 2019

All these years of contactless & there’s still paranoia over using it! It must be seven years this April I have embraced contactless, one could be forgiven for thinking at my age, now 64, I would stay away from it. I raised the issue of remote reading a few years ago with the bank after seeing a presentation on QVC when popping in on an older Lady I must add, where this guy aimed some sort of device hidden in a bag pointed at the victim from four feet away! Only £29.95 - mugs. The bank tell me impossible. The only time I have seen a card read by a vagabond was on the internet a couple of years ago, the card was in a bag, it took three or four attempts rolling the device over the bag to get the details. Would have been interesting if it was in a man’s pocket. I keep my card in my pocket surrounded by flimsy plastic, rarely in crowds, in the car most or at work. I know they need to put the limit up to £30.01 for petrol stations, the amount of people who can’t remember the pin no these days coz of it!

It’s not so much the contactless card on its own but the receipt that gets printed from it. When I have checked the receipt, on some occasions I have seen my full card number and name clearly printed on the receipt, for obvious security reasons this is not helpful.

Geralt says:
25 March 2019

Agreed, though this has nothing whatsoever to do with it being a contactless transaction – you would get the same thing if you had used your PIN.

I cannot ever remember seeing my full card number printed on a receipt, though many years ago it was common to print all but four numbers. If the full number is being printed, that should be reported.

I suggest adding phone numbers to report missing cards to your mobile phone, especially if you have a contactless card that could be used by anyone that picks up a dropped card. The number can often be found on the back of the card.

I’m surprised that this is not included in the useful advice from Which?

Thanks Hannah.

That’s another good reason to use your phone rather than an actual card for contactless payments, too.

One of the benefits of paying by phone is that it avoids the £30 limit on contactless cards.

Unfortunately my iPhone 5s is not compatible with Apple Pay, Kate. I will replace it when I can no longer download iOS updates, but in the meantime I need to learn about mobile malware and other security risks.

Roger Webber says:
24 March 2019

I started off using contactless with my debit card despite my 78 years and found it so useful that I was pleased when my credit card was also made contactless. This meant that I could pay for petrol and other small items this way when abroad which was a great boon. With its £30 limit the security risks are greatly over-exaggerated.

Ron says:
19 May 2019

And if the card is repeatedly used by the thief …unless there is a lock-out?

Once your card is stolen, until you notice, it can be used without any security checks.
It’s not difficult to enter a 4 digit pin. If you couldn’t use a card without a pin there would be less desire to steal cards.
I can’t believe that contactless is as safe as chip & pin. They say contactless only accounts for a very small percentage of card fraud but is that amount of fraud easily preventable?
Why are banks pushing this insecure method?

Here is some information about the safety of contactless cards, from Which: https://www.which.co.uk/money/banking/banking-security-and-new-ways-to-pay/new-ways-to-pay/contactless-cards-ah1q15s797hb#headline_5 If you don’t want to take the risk you can ask your bank for a non-contactless card or switch banks if they refuse.

Onlooker says that “Once your card is stolen, until you notice, it can be used without any security checks”. Well, the same applies to notes in your wallet. We have a personal duty to keep our payment resources safe and secure and not expose them to the risk of theft. The casual way in which people keep their debit card and their money in their back pocket or shirt pocket, or on open display in a handbag which they put on the floor, amazes me. It’s virtually leading people into temptation.

A problem with contactless cards and the ease and frequency of use is that they are more likely to be kept handy and therefore more likely to be prone to theft.

On the other hand, a contactless card can be put away immediately after use. I’ve seen checkout operators have to remind customers that they have left their card in the reader after entering their PIN, no doubt distracted by packing their groceries.

That is true.

There are risks in all payment transactions and we have to stay alert.

I had assumed there was a digital interlock between the chip-&-PIN device and the cash register that prevented the issue of a till receipt until the card had been removed.

What annoys me at tills is the way in which the checkout operator pulls the card out of the device rubs it on their sleeve and shoves it in again. If I want a contaminated card I would prefer to make my own arrangements! The state of the devices in some of the shops with high throughput suggests to me that it is the terminals that need a refresh; my card works perfectly everywhere else. [Stand back. Off-topic risk approaching.]

You are right, and the need for the checkout operator to complete the process means that the customer is reminded to remove their card, which seems sensible.

John Ward says: Today 09:02

> What annoys me at tills is the way in which the checkout operator pulls the card out of the device rubs it on their sleeve and shoves it in again

It’s infuriating, and they dislike it when I tell them not to do it, since rubbing a chip could easily induce a static charge which will fry the thing and render the card useless – a sort of self-fulfilling prophecy. I’ve now learnt never to allow a checkout operator to touch any of our cards – ever.

I’ll tap for small amounts when the cash runs out before the end of the month, but there’s no way I would ever use my ‘phone for banking or paying. Paying small amounts by card will inevitably push prices up (Or push small businesses out of business) and mobiles are just so hackable it’s really quite frightening. Don’t forget, anything in the digital threshold is fundamentally insecure, so it has to be secured with code that doesn’t affect the program it’s securing. Hackers are not unaware of this fact.

JJMMWG DuPree, what evidence do you have that Apple Pay is “just so hackable it’s really quite frightening”? This sounds like a misleading and misinformed comment that is based on a misguided belief and no technical knowledge of the subject. Just because you don’t understand the technology behind something or you have read that other technologies are vulnerable, it doesn’t mean that it is “hackable”.

Another reason to use contactless instead of chip and PIN is that two-factor-authenticated contactless (e.g. Apple Pay and Google Pay) uses a fingerprint, face recognition or PIN on your own device instead of entering a PIN on someone else’s device which is touched by thousands of other customers’ grubby hands. Everyone touching the same keypad is an easy way to spread germs, not least when one observes the general public’s poor hygiene, for example the number of people who use public loos and leave without washing their hands. Even people with good intentions, such as those who cover their mouth with their hand when sneezing or coughing, subsequently touch keypads with their infected hands. Using Apple Pay and Google Pay avoids physical contact with germ-ridden keypads.

I seem to remember that Douglas Adams warned of the risks of a lack of telephone sanitisers. 🙂

Hi Hannah @hwalsh – Though I have now used a contactless credit card for a few years, it annoys me that some banks will not provide their customers with non-contactless cards. I appreciate that customers have protection from losing large sums but when a significant number of people do not trust contactless cards it seems wrong that the banks should force them on customers who may have used chip & PIN for years but might not feel confident to use contactless cards. I wonder if you or Which? have any views on this practice.

I found this summary on the Which? website, Hannah: https://www.which.co.uk/money/banking/banking-security-and-new-ways-to-pay/new-ways-to-pay/contactless-cards-ah1q15s797hb#headline_9

It disappoints me that some banks will not provide non-contactless cards, especially credit cards. One contributor mentioned Tesco, which only provides contactless cards.

You should be asked to use your contactless PIN code from time to time so that your card provider knows it is still in your hands, as you do before using a new card for the first time. Frequent use of a contactless card may cause you to forget your PIN for purchases exceeding the £30 limit or being requested to insert it.

I usually have to use my PIN each time I go to the supermarket these days, so there is not much chance of me forgetting it. 🙁 I presume that the reason I am not asked for it very often is because I’m using it regularly for payments over £30.

I do most of my shopping online these days but always use my credit card and mostly use my contactless debit card when shopping for bits and bobs under £30 locally.

Today I had to travel into the nearest town for an eye test as the dreaded driving licence renewal form has arrived so I did a bit of shopping whilst there. One item was over £30 but I had to stop and think before entering the PIN.

PS: I’m good for another 3 years 🙂

I have set the PINs for my cards to be numbers I can remember easily. I cannot remember how I did this with the credit cards because I’ve had them so long. Good to hear that your eyes have passed the test, Beryl.

I disagree that card issuers need to issue non-contactless cards to those who want them. It should be as simple as a security option that customers can turn on and off themselves. For example, Revolut allows its customers to turn on and off the following payment types on their cards:

– Swipe payments (used for fraud so can always be turned off except when travelling in the US)
– Contactless payments (customers who don’t want it can keep it turned off all the time)
– ATM withdrawals (similar security to chip & PIN so can be left on most of the time)
– Online transactions (can be turned off most of the time)

It astounds me how few card issuers give the functionality to configure these options themselves.

I presume that changing the settings requires use of a smartphone or computer. Maybe that’s not an easy option for everyone but choosing a contactless or non-contactless card covers both requirements.

Yes, with Revolut, everything, including contacting customer services, is via a smartphone app. But that’s irrelevant. For card issuers that provide telephone or branch-based customer service, there is no reason that such options couldn’t be changed by other means.

Thank you, but I think I will carry on telling banks to replace contactless cards with non-contactless. One contactless card is enough for me.

> We have to opt-out to stop receiving marketing calls (from companies that play by the rules).
> As customers, many companies require us to opt-out of marketing (sometimes this has to be done again when you renew a contract, even if you have made it very clear that you don’t want marketing).
> Most card providers are issuing contactless cards by default, so if we don’t want one we have to request a non-contactless card, though some companies don’t allow this.

As far as I’m concerned, the customer should be in control unless there is a good reason otherwise.

Plasticman says:
26 March 2019

Surely Banks indemnify you if your card is stolen or digital data swiped so where’s the risk? Also there is a set number of usages after which you must enter your PIN at a terminal thereby limiting the number of times a nasty crook could use your card anyway. As one above states it is just that you don’t realise you have been revalidating the card.

Exactly, Plasticman. Card issuers want people to use contactless so much that they are happy to underwrite the risk of fraudulent transactions. As I questioned above, why are card holders worrying about a risk that is not theirs? It’s misinformed paranoia by people who want to sound clever by identifying a risk to themselves, whereas the truth is that they are misinformed technophobes.

I have no paranoia about using contactless, my cards are held in a wallet with ‘skimming’ protection, however I use my phone for virtually all contactless payments. As Google Pay encrypts my card details and provides the merchant with a different card number, that is a safer way than using the card itself. Plus I have a record of all purchases on the phone. No brainer.

For those with a nice wallet or purse who are concerned but reluctant to buy a new wallet with skimming protection, it is possible to buy A4 sized sheets of very fine steel mesh. This feels like an organza, can be cut with ordinary domestic scissors and slipped inside the wallet or purse between the cards and the external surface. (Incidentally, I have a keyless entry car and if my lined wallet is between the keys and the car, I can’t open the car door even when standing right beside it.)

Nelson Edwards says:
19 May 2019

Having just had a presentation by my bank on scams, contactless cards, and general security, I was pleasantly surprised to find that the bank would indemnify me for any loss if the contactless card was misused/stolen. Have you found anything different?

I haven’t.

A friend of mine lost her card and it was then used by someone else for a bit. Her bank did eventually refund her for the purchases that this other person had made.

Obviously, any lost or stolen card should be reported as soon as possible.

I suggest storing the numbers to report lost or stolen cards in your phone so that loss can be reported as soon as possible.

I’ve long had a list of all our cards stored on iCloud and linked to each device.

I hope nobody hacks your iCloud account.

I use my debit card for online purchases so often I find I’ve memorised the numbers.

Contactless limit to jump to £100 in October: is it safe from fraud? https://www.which.co.uk/news/2021/09/contactless-limit-to-jump-to-100-in-october-is-it-safe/

I thought this had happened last year (I remember an earlier discussion) but when I bought parts to service my car I learned that the £45 limit was still in place.

Perhaps the customers of banks and card providers should have the courtesy to let their customers decide what contactless limit they are happy with.

People can impose a lower limit on themselves but I think it is reasonable for banks and card providers to set limits and for such limits to be consistent. The extra administration involved in negotiating a separate limit for each customer would not be justified in my opinion. Payment using chip and pin remains available surely.

The risk is if someone takes your card and uses it, John, as explained in the article. That could be theft or a card being ‘borrowed’ by a family member or someone else in a shared house. As soon as you use your PIN the first time a contactless card will be activated.

The contactless limit was raised to £30, then £45 and will now rise to £100. I believe that customers deserve to be allowed to set a limit to match their needs.

You can decline a contactless card and thus avoid the particular risk through theft. But contactless fraud seems very low.
The change in regulation to allow the limit to be increased happened some time ago with an implementation date of 15th October.

Having a £100 limit for contactless is a good reminder that you are not eligible for Section 75 protection, if things go wrong with your purchase.

If you can just “tap and go”, in most cases your sole remedy is with the retailer. If you have to input your PIN, then in most cases you have Section 75 protection, which will cover you if the:

– product or service is faulty,

– the company breaks their contract,

– the company does not deliver.

We could argue about the limit until the cows come home, but having a higher contactless limit does not make the security any worse or better. It’s only a cap on the value of a single transaction, not a limit on the number of times a thief can use your card to make any number of contactless payments.

There is supposed to be a limit on the amount that a cardholder could lose and according to the Which? article:

“However, the jump in the limit could put consumers at an increased risk of fraud if the card is stolen, as criminals may be able to spend up to £300 without facing a security check.”

Malcolm wrote: “You can decline a contactless card and thus avoid the particular risk through theft.” I declined a contactless debit card and one of my credit cards, but whether this is possible depends on the bank. https://www.which.co.uk/money/banking/banking-security-and-new-ways-to-pay/ways-to-pay/contactless-cards-ah1q15s797hb

One of my concerns is that banks will refund most or all money lost if a card is stolen, so there is the possibility that we could be compensating people who have been careless. 🙁

It’s a big jump from £45 to £100. I wonder if they know inflation is going to go through the roof and are preparing us for it?

It is a big jump, Phil, and according to the FCA it was only last year when the contactless limit was raised from £30 to £45: https://www.fca.org.uk/news/press-releases/fca-confirms-increase-thresholds-contactless-payments