12 July 2016

Contactless payment cards: if they're a benefit, it's not my problem...



There has been a bit of a hullabaloo on the social networks recently about contactless payment cards. It’s the usual sensationalist story intended to catch your interest and make you foam at the mouth, where the usual faceless legions of criminals are apparently wandering around with merchant terminals, bumping into you on the train and taking a contactless payment without even a how-do-you-do.

Normally I wouldn’t get involved, but I’ve also noticed that some people are wading into the argument and posting links to a debunking site claiming that it isn’t something to worry about [1]. However, that’s not entirely true.

Knowledge is after all power, so if reading this makes you a little more informed, then hopefully you’ll make better decisions and maybe even live happily ever after. Awwww!

So, the facts:

Uno: “your transactions are guaranteed against fraud”. Whilst true, the burden of noticing the fraud and proving it still falls on you. Even once the fraud is detected, it will often take weeks to get your money back [2]. Additionally, contactless payments are often processed offline, so a stolen card can still be used for weeks after it has been reported to the bank [3]. I don’t know about you, but I probably wouldn’t notice an isolated transaction for £20, and even if I did, would I spend hours on the phone to the bank, followed by filling in claim forms? Probably not. So like many things in life, prevention is definitely much better than cure.

Dos: “contactless cards only work at short distances”. Whilst this is true for the merchant terminals (intentionally so, otherwise anyone standing at the same bar could be accidentally paying for your drinks. Heaven forbid), it isn’t true for a custom piece of hardware [4]. Using the right equipment, your contactless card can be accessed by someone standing well away from you, and you would never know. Makes sense though, after all it is contactless by design, no?

Tres: “contactless card transactions can only be made by authorised merchants”. This bit is true, and what’s more, to be an authorised merchant you need to jump through a collection of hoops to prove your identity. However, that isn’t the whole story. The information available to someone accessing your contactless card includes the long card number (which the card industry refers to as the PAN) and the expiry date, both of which can be obtained without making a contactless payment [5]. These are the self-same details that the bank considers sensitive, and encourages you to protect so that you don’t become the victim of fraud [6]. However, the bank themselves have put them on your payment card, so that anyone in the same room can read them without you ever knowing. Doesn’t make a lot of sense, does it?

So in summary, if you think that it would be fine to print your card details on a T-Shirt and wander around, then you have nothing (new) to worry about. For everyone else, I would recommend keeping all your contactless cards (yes, your Oyster card and building access tokens too) in something designed to protect them from unauthorised access.

References


  1. http://www.thatsnonsense.com/can-criminals-press-a-contactless-pos-device-to-your-wallet/ 
  2. http://www.bbc.co.uk/programmes/articles/1KD40dVs0FmtnRv4ByszLr8/bank-fraud-easy-to-be-a-victim-hard-to-get-your-money-back 
  3. http://www.theguardian.com/money/2015/dec/19/contactless-payments-card-fraud-after-cancellation-bank-account  
  4. http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/10416659/Engineers-claim-to-prove-risks-of-contactless-bank-cards.html  
  5. http://www.which.co.uk/news/2015/07/which-reveals-contactless-card-flaw-409322/  
  6. https://www.lloydsbank.com/credit-cards/internet-fraud-protection.asp