Contactless cards have probably been in your wallet for a few years now and they’re mighty convenient for paying for stuff up to the £30 limit. Recently, though, that safety net has been shown to be less than perfect, so although the chance of your cards being exploited is relatively low, it’s still worth protecting them and watching out for strange-looking payment terminals.
Can contactless cards be hacked?
As you might have seen in the news, researchers have proven that it’s possible to bypass the £30 limit for contactless payments and make transactions of over £100. The can be done even if they’re not in possession of the card, either by getting close to the victim’s card or by putting something between the card and the payment terminal – a ‘man-in-the-middle’ attack, similar to devices that criminals put in cash machines to read your card’s details while you withdraw cash.
What’s more worrying is that the hack is possible because of the way Visa’s contactless system is designed and Visa has already said it has no plans to change anything to fix it.
But it is certainly a problem if you lose your contactless card or it’s stolen from you, as someone could potentially take a lot of money from your bank account without knowing your card PIN.
The researchers from Positive Technologies were able to take payments from five UK bank cards without detection, demonstrating that the threat is real.
A Visa spokesperson said, “Variations of staged fraud schemes have been studied for nearly 10 years. In that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world. Visa’s multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one percent.“
How you can protect your contactless cards
There are a few common-sense things you can do to mitigate the risks of being scammed in this way.
First, report to your bank as soon as you realise your card is lost or stolen so no-one can use it to make any purchases.
Second, check with your bank or in your online banking app to see if you can get a notification whenever a payment is made on your card, and do this for each card and bank you use. This way you’ll know straight away if a payment has been made you didn’t authorise.
Also be on the lookout for any strange-looking payment terminals which could have been modified – if in doubt, don’t use contactless and instead use the chip-and-PIN method to pay if that’s possible.
Finally, if you’re worried about a thief wandering around with their own payment terminal trying to scan your cards at close proximity, consider buying an RFID blocking wallet or purse for your cards. These offer extra protection – usually with an aluminium case – which blocks the radio signal between the terminal and your card, so it can’t be read at any distance.
If you’d prefer to keep your existing wallet, you can buy RFID blocking cards which do a similar job, and they’re cheaper, too.
Unfortunately, that’s about all you can do: the onus is on banks to improve their fraud detection systems – which don’t simply watch for multiple £30 transactions – and for retailers and merchants to check and ensure their payment terminals are safe for customers to use.
There are lots of other scams to be aware of, as once you are, you’ll spot them before any harm is done.