Having worked in the payments industry I don’t remember ever seeing any data which suggested increased rates of fraud on contactless above the rate on chip and PIN… but plenty of media scaremongering playing to people’s unfounded fears of new tech.
3 things to remember:
1. The limit is there specifically to cap the fraud risk and to not make it worth criminals efforts
2. Even if you are defrauded, tell your bank and you should get it refunded (I’m not 100% sure on this, but ask your bank if you’re concerned
3. If crims want your cash then they’ll be finding more efficient ways of going after it than in £30 chunks! e.g. online banking or ecommerce fraud…

If I were you, I’d be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes…
Negative interest rates incentivises us to remove all our funds from the banks and use cash instead, so banning cash becomes essential to stop runs on the banks and another total collapse…

brooess – Member

1. The limit is there specifically to cap the fraud risk and to not make it worth criminals efforts

I think that if you go round for a while on a busy Circle line train, you could gather enough at £30 a pop to make it worthwhile. Busy enough that it’d be easy to hide/use the device as well.

Brooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I’m just wondering how it benefits the card company.

But RFID skimming is a thing though isn’t it? Or is it?

Reading the RFID stuff from a card is easy. Doing nefarious things with it is hard.

it used to be the case that when you received a new card from the bank you had to call and confirm (via a pin) that you’d received it and were the legitimate owner of if before you could use it
never, ever had to do that.

Maybe just my bank then (coop / smile)

Given coop just managed to send me a new card in the wrongly spelled name, I wouldn’t use them as a bastion of security… :-/

If I were you, I’d be more worried about the potential threat of removing cash completely out of circulation if and when we go to negative interest rates. EU has already begun this process by removing 500 Euro notes…

Apparently they haven’t yet, but are considering it. Not particularly surprised, it’s widely known/suspected round here in Spain that the only people with 500€ notes are corrupt business(wo)men/politicians.

I think it’s best put this way –

If was actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from peoples contactless cards, it would of been done, exposed, and fixed by now. If it was that easy, they’d all be at it.

Brooess, maybe you can answer me a question?
If as a retailer a contactless card is fraudulently used and the card owner notifies the bank does the retailer still get paid?
The credit card companies are really pushing contactless by offering lower transaction fees , I’m just wondering how it benefits the card company.

I don’t see why the retailer wouldn’t get their cash but I don’t know the rules for sure – check with your Acquirer. I suspect they would have to reimburse the retailer otherwise there’d be limited takeup of contactless.

Contactless benefits the issuing bank because it means consumers will use card instead of cash – they don’t get revenue from a cash transaction, and neither do the acquiring bank.

If was actually was that easy to just do a lap on the tube and skim £££ in £30 chunks from peoples contactless cards, it would of been done, exposed, and fixed by now. If it was that easy, they’d all be at it.

Correct. There are literally millions more contactless transactions per day on TFL than there were just two years ago after cash was banned on the busses, and the big push to contactless by TFL last year. We would quite definitely know if there’d been a big rise in fraud as a result

I wouldn’t be surprised if there’s some clever way you could get done/cloned/skimmed or whatever through contactless, and that real people might have lost actual money. But for me it’s a long way from being enough of a concern that I’d actually take extra steps to secure against it.

that I’d actually take extra steps to secure against it.

Not even a RFID safe wallet?

Not even a RFID safe wallet?

I don’t even have a non-RFID safe wallet, so that kind of investment is far too much for me 😉

We would quite definitely know if there’d been a big rise in fraud as a result

unless it was masked by the massive increase in contactless activity. There may have been a big increase in the amount of fraud, but its percentage of all contactless activity would be shrinking.

I used to work for barclays at the time they introduced this tech to their cards. At the launch have meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for u is card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.

I won’t have a contact less card for this reason.

He went rather white and made a phone call. They still launched the cards.

was that the reason you used to work for Barclays ?

When I lived in Australia they had contactless a few years before it was common over here and and before PIN codes were mandatory.

I had over AU$6000 dollars stolen from a bank account and the bank reckoned it was from an RFID skim / clone of my card from the contactless that was then used to systematically empty the account.

cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal

You used a new technology to clone another new technology during its presentation? You’ll forgive me if I’m sceptical.

Assuming you did do that, I’d be very interested to know if you still could.

the bank reckoned it was from an RFID skim / clone of my card from the contactless

By “the bank reckoned,” do you mean that some random person working at the bank guessed? Even if that scenario is exactly what happened, I’m at a loss as to how the bank could possibly ascertain that beyond speculation.

milky1980 are your hands registered with the government as lethal weapons? Just wondering…

You used a new technology to clone another new technology during its presentation? You’ll forgive me if I’m sceptical.

I was thinking exactly the same thing.

How did you clone the three digit code off the back of the card onto your phone ?

It’s hardly a very scalable crime as you need an account linked to a card payment machine from a bank, which makes the perpetrator easily traceable.

I used to work for barclays at the time they introduced this tech to their cards. At the launch have meeting I told the presentation guy it was too easy to clone the card and spend money without you knowing. He said it was secure so I asked him for u is card and cloned it within a few minutes using my new NFC phone then used it to pay for stuff on the demo terminal. He went rather white and made a phone call. They still launched the cards.

I won’t have a contact less card for this reason.

Would you mind telling us what year this was? We can easily check when Barclays launched contactless. And also, maybe you could tell us what phone it was and we can do a little research to see if NFC was available on that handset model at that time…

There have been a lot of media scare stories about contactless over the years, but funnily enough there’s been very few anecdotes or data since the massive increase in transactions seen from 2014 onwards which sugggests any increase in rates of fraud… with a massive increase in use, you’d expect a commensurate increase in fraud, if fraud was in fact an issue…

Barclays launched contactless cards in March 2009.

Fist android phone with NFC launched in 2010 🙂

Next you’ll be telling me that Barclays PingIt doesn’t have any flaws…

Next you’ll be telling me that Barclays PingIt doesn’t have any flaws…

Next you’ll be telling us that cash is 100% safe from criminals 🙂

The point is that there’s no evidence so far that Contactless fraud rates are significantly higher than Chip and PIN, not that it’s flawless… Of course there’s a risk, that’s why the £30 limit was set. But the calculation was that the extra gain for the banks in revenues from additional card transactions which were previously made with cash would be greater than the costs of any fraud…

Simple solution to this problem, carry more than one contactless card. Tried a few times to pay with my wallet without removing a card, simply doesn’t work. So unless they take out my wallet, extract a card, and then skim it; it’s not going to happen (and I think I that point I might notice).

I dont have contactless payment
The luddite fix is foolproof

Latest issues of my debit and credit cards have all been contactless without me requesting it.
So you may be getting one anyway.

As I understand it RFID scanning and cloning is pretty trivial. What milky describes sounds technically feasible.

How did you clone the three digit code off the back of the card onto your phone ?

Why would he need that? You don’t need any codes for contactless payments – that’s kind of the point.

So, who’s offering the merchant services to these terminals? I can’t believe the merchant account would be kept open for long with lots of contested contactless payments and no payments verified by chip and pin.

The whole thing sounds very unlikely to me.

We now have to pay the credit card people some money and fill in a form saying we won’t be naughty so everyone can rest easy.

I don’t know about card and RFID but I stayed in a hotel in Oslo that used NFC keycards for the rooms. I used my Nexus 5 to see if I could read a card and it worked. I then set it to delete and managed to wipe a colleagues card that he put in his back pocket. Did it a few times and he was back and forward to reception to get his ‘faulty’ card replaced. Minutes of fun. Not beyond belief that I could have copied rather than wiped I guess.

How did you clone the three digit code off the back of the card onto your phone ?
Why would he need that? You don’t need any codes for contactless payments – that’s kind of the point.

Fair enough, I misunderstood and thought he claimed to use the cloned card details to put a sale through manually on the terminal.

Doesn’t matter either way, I still don’t believe it happened 🙂

So, who’s offering the merchant services to these terminals?

That’s the tricky bit, but given how prevalent Chip&Pin fraud is then there must be some nefarious ways around it. I’m guessing they get set up as merchants, do a bunch of fraudulent activity then scarper? Not sure how they avoid a very obvious paper trail?

Doesn’t matter either way, I still don’t believe it happened

It’s technically very feasible – read RFID data from card onto your device, then present that same RFID data. That part isn’t tricky, it’s the merchant bit that is.

If I were one of these guys on the tube I’d set myself as a pop-up coffee stand then skim people on the tube for a relatively small amount. Even folk who check their accounts carefully are unlikely to pick up on a sub £5 transaction at a cafe.

It’s technically very feasible – read RFID data from card onto your device, then present that same RFID data. That part isn’t tricky

It is when the phone tech wasn’t available until the following year.

Apart from the lack of a time machine, I’m sure it’s a simple task.

And I’m pretty sure you need Host Card Emulation as well as NFC to be able to read/re-present secure credentials without using a hardware based secure element (SIM or phone). Post-2012 for HCE availability.

So… what was this magic phone you had in 2010 that had a feature that hadn’t been invented yet?

Essentially, the banks accept there will be fraud, but if a merchant presents transactions that get flagged by customer as fraudulent in any significant number, I don’t think the bank would actually pay up.

Would have been around he end of 2007 as I quit in the beginning of 2008 (refused to sell credit cards and stuff to people who couldn’t afford it etc anymore). As for the phone, it was a company supplied no-name thing with various attachments for stuff, the reader was an attachment used for reading the new cards. More a small computer than a phone really. Could also read the login cards use for signing into the till/POD machines. I just used the read/write thing on it to clone his card.

Hmm, reading this it appears the hack to make something with much better range is fairy simple, so I certainly wouldn’t rely on lack of range for security – though of course you do then have the mentioned issue of multiple responses confusing the device.

wrecker – Member
that I’d actually take extra steps to secure against it.

Not even a RFID safe wallet?
What’s the point? You then have to fanny around taking the card out of the wallet every time you want to use it, in which case you may as well just stick it in the slot.
I just use my phone now anyway, that can’t be spoofed by anything.