
Think your bank card stops working after you’ve reported it lost or stolen? THINK AGAIN!

11 September 2016

An investigation by consumer website moneysavingexpert.com has discovered that customers can still be subject to fraudulent transactions months after reporting lost or stolen cards. The shocking security flaw emerged after MoneySaver Justin Robson discovered his Halifax cards – cancelled by his bank when stolen last November – were used to make a series of fraudulent contactless purchases eight months later.

“The problem is that shops don’t always immediately check with your bank when a payment is made on your card, so cancelled cards may not receive the instruction by the bank to stop working. Contactless cards are particularly at risk of being used after cancellation because you don’t need to enter a PIN each time you use them,” according to moneysavingexpert.com.

There are 92 million contactless cards in the UK, many of which could be vulnerable if lost or stolen – and thousands of people whose contactless cards have been lost or stolen should check statements for fraudulent transactions that may not have been flagged.

“Our investigation highlights a chaotic system in which banks are powerless to prevent cancelled cards being used by fraudsters, and don’t even know when the fraud will end. And while some banks prevent accounts being raided by this type of fraud, others leave it to unsuspecting customers to spot dodgy payments – even though they can start happening months down the line,” says moneysavingexpert.com.

Industry bodies (The UK Cards Association) say there are no readily available figures for the number of contactless cards lost or stolen every year, but there were 152,727 cases of fraud involving lost or stolen debit and credit cards reported in 2015 and the total number of cards cancelled is likely to be many more.

‘My stolen card was used eight months after cancellation’

Justin, a computer engineer from Cheshire, had his contactless debit and credit cards stolen from the glove box of his BMW when the vehicle was snatched from outside his house in November 2015. He reported the theft to Halifax, which cancelled the cards and issued replacements, and thought no more of it.

However in late July 2016, he spotted payments he hadn’t made coming out of his account: five contactless purchases totalling nearly £30 were made at a retailer 30 miles away in Stoke-on-Trent.

After Justin contacted Halifax, he was told fraudsters were using his cancelled stolen debit card to make contactless purchases – and warned the contactless function on the card could continue to work for an unknown length of time. The bank has also advised him to keep a vigilant eye on his accounts because no one is sure if the card’s contactless function is still working or not.

Halifax has now refunded Justin for the thefts, paid him £6 for the cost of calls he made to the fraud team and £100 for the distress and inconvenience he’d experienced. A spokesperson for the bank told us: “In the unlikely event that contactless transactions have been made on a cancelled lost or stolen card, we will always refund the customer in order to ensure they are not out of pocket.”

Justin says: “I am still confused and concerned to be told I could continue to be vulnerable for an undetermined amount of time.”

How can cards be used after cancellation?

The problem lies in contactless card payments being processed in one of two ways: ‘online’ or ‘offline’.

When payments are processed online (LESS of a fraud risk), the card and payment machine immediately communicate with the customer’s bank to check for sufficient funds in the customer’s bank account. If a card’s been cancelled due to being lost or stolen, this will be flagged immediately and a payment won’t be allowed.

By comparison, a payment which is processed offline (MORE of a fraud risk) is one that’s stored up in a batch by the retailer and then only processed ‘online’ to the bank later on – usually overnight in the case of big retailers, but with smaller stores, it could take a few days.

This allows a thief to buy goods on a stolen card undetected – and because not all banks investigate payments made on a cancelled contactless card, the fraud could happen at any point. Although banks and trade bodies don’t keep statistics, eight months is the longest gap between card loss/theft and fraud we have heard of.

Chip and PIN transactions can sometimes be processed offline too, but it doesn’t present such a big fraud risk on lost or stolen cards because thieves are unlikely to know your PIN.

Two things can bring the fraudster to a halt. One is that the contactless card’s been used the maximum number of times before a PIN is required. The frequency of these PIN checks varies between cards, and banks keep this information secret to avoid their cards being targeted.

Crooks can also be tripped up if they buy goods which trigger a forced online transaction – when it would normally have been offline – and inadvertently alert the bank.
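The offline route described above means the bank first sees a payment only when the retailer's batch arrives, so the place to stop it reaching the customer's account is at that point. The sketch below is an added example, not code from moneysavingexpert.com or any bank: it screens a settlement batch against card cancellation times. The record fields, card tokens, dates and amounts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed issuer-side records: card token -> cancellation time (None = active).
CANCELLED_AT = {
    "card-A": datetime(2015, 11, 20, 9, 0),  # reported stolen and cancelled
    "card-B": None,                          # still active
}

@dataclass
class ClearingRecord:
    card: str          # card token as presented in the retailer's batch
    made_at: datetime  # when the card was tapped at the terminal
    amount_pence: int
    offline: bool      # True if the terminal approved without contacting the bank

def screen_batch(batch, cancelled_at=CANCELLED_AT):
    """Split a settlement batch into records to post and records to hold.

    A record is held when the tap happened after the card was cancelled.
    A tap made before cancellation that only clears later is legitimate
    and is still posted.
    """
    post, hold = [], []
    for rec in batch:
        cancelled = cancelled_at.get(rec.card)  # unknown cards are treated as active here
        if cancelled is not None and rec.made_at > cancelled:
            hold.append(rec)  # keep off the customer's account; route to the fraud team
        else:
            post.append(rec)
    return post, hold

def held_total_pence(batch):
    """Total value kept off customer accounts for one batch."""
    _, hold = screen_batch(batch)
    return sum(r.amount_pence for r in hold)

# Constructed sample batch, loosely following the timeline in the article.
SAMPLE_BATCH = [
    ClearingRecord("card-A", datetime(2015, 11, 19, 18, 30), 450, True),  # before cancellation
    ClearingRecord("card-A", datetime(2016, 7, 28, 12, 5), 620, True),    # months after cancellation
    ClearingRecord("card-A", datetime(2016, 7, 28, 12, 40), 580, True),
    ClearingRecord("card-B", datetime(2016, 7, 28, 13, 0), 300, False),   # active card
]

if __name__ == "__main__":
    post, hold = screen_batch(SAMPLE_BATCH)
    print(f"posted={len(post)} held={len(hold)} held_value_pence={held_total_pence(SAMPLE_BATCH)}")
```

The comparison is on the time of the tap, not the time the batch arrives, which is what lets a genuine purchase made just before cancellation still clear.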

What do security experts say?

Independent cyber security consultant Robert Pritchard says: “Most consumers would not expect a cancelled card to continue to work, and certainly not to continue making debits from their account. Therefore I would expect all banks and card providers to meet the same standards as the best practices identified in MoneySavingExpert.com’s investigation.

“It’s not unreasonable to expect a consumer to check transactions made on the same day as the card was cancelled, but after that the transactions should not be hitting their accounts.

“Given that contactless payments are for relatively small amounts, it would be easy for these transactions to be overlooked, and hence consumers risk losing out to fraud that they have already reported.”

What does the industry say?

All the banks we spoke to admitted their cards could be vulnerable to this type of post-cancellation fraud. That’s because it’s an industry-wide issue with contactless card technology itself.

For example, a spokesperson for M&S Bank told us: “Most contactless cards can be used in an ‘offline’ environment, meaning that merchants can accept contactless payments without contacting the bank to verify whether the card is still valid or the account holds enough funds.”

“It is not possible to differentiate between an offline contactless payment made by the rightful cardholder and one made by someone else.”

A spokesperson for Lloyds Banking Group, which includes Halifax and Bank of Scotland, says: “Most contactless payment terminals are online and most transactions require this in order to be successful, with the exception of some very small contactless transactions.

“It’s rare that a card can continue to be used for any length of time for contactless payments once a customer has cancelled their card.”

Richard Koch, head of policy at trade body the UK Cards Association, says: “Fraud on contactless cards is low. Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket.

“It is essential anyone who loses their card or believes it has been stolen contacts their bank immediately.”

Source: www.moneysavingexpert.com
