Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Contactless payment card theft: How is the data stolen – and what can I do to protect myself?

Which? has warned thieves can remotely steal data from contactless cards

James Rush
Thursday 23 July 2015 16:54 BST
A security flaw may allow thieves to steal information from contactless payments cards, consumer group Which? has warned
A security flaw may allow thieves to steal information from contactless payments cards, consumer group Which? has warned (Wavebreak Media LTD/Wavebreak Media Ltd./Corbis)

A security flaw could allow thieves to steal information from contactless payments cards of millions of people, allowing them to buy items costing thousands of pounds.

Card-reading technology, which was acquired "easily and cheaply" online by consumer group Which?, allowed researchers to remotely "steal" enough data from the cards to make purchases – including that of a £3,000 television.

The group has said six debit cards and four credit cards were tested in the study, and all of them revealed some data.

But is everybody who uses contactless payments at risk – and what should they do if their data is stolen?

Who could be affected by this?

A total of 58 million contactless cards are currently in circulation across the UK, according to Which?, although the group does say statistics are not available for the number of thefts committed by contactless card readers.

The researchers did say though that all of the cards they tested revealed some information.

The UK Cards Association, the card payments industry's trade body, has pointed out however that last year, the total loss from contactless fraud was £153,000, compared to £2.32bn total spending – the equivalent of 0.7p in every £100 spent.

How is the data stolen?

Your account information is contained on a chip held within your contactless card, which is transferred to a card-reading terminal when the two come into close contact.

The team at Which? said they were able to obtain card-reading technology from "a mainstream website" to allow them to steal information.

A spokesman said: "Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards."

Would thieves not need more information in order to buy items?

Making purchases online and over the phone usually requires not only the card number and expiry date, but also the name of the cardholder and the card's security, or CVV, code.

While the team did not expect to be able to make purchases without these details, they were proved wrong.

The spokesman said: "We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

"We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.

"We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address."

Aren't contactless card payments limited to £20?

Yes, although the limit will in fact be increased to £30 in September. Regardless, this limit is for contactless payments only. Having obtained the card details, the team were able to shop online, and so the transaction limit was bypassed.

The Which? spokesman said: "By touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless."

What can I do to protect myself?

The UK Cards Association has said this is not a new issue, and indeed there has been advice circulated for a number of years on how cardholders may be able to stop their details from being stolen.

Metal cases are available to buy which claim to protect cards from such readers, while Which? said in their tests they found wrapping a card in foil prevented details from being taken by their reader.

In December last year meanwhile, The Independent reported how new jeans had been endorsed by computer security firm Norton after they were launched to keep "digital pickpockets" at bay.

The jeans, along with a blazer, contain pockets with fabric that blocks the waves criminals use to steal the data.

What should I do if my details are stolen?

The UK Cards Association has said consumers are "fully protected against any fraud losses on contactless cards and will never be left out of pocket".

A spokesman said: "If you think your data has been stolen then contact your bank or card company straight away and report it.

"Essentially, if there is fraud on your account you will get your money back."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in