Could you fall prey to a contactless conman? How thieves can take money from your card as you're walking down the street 

  • Crooks using card reading equipment can swipe money as you walk
  • They can also steal information that they can then use to steal your identity
  • It was even possible when contactless cards were in bags and jacket pockets
  • The equipment needed is available for as little as £30 online

A major investigation today exposes the alarming security flaws in contactless cards. 

In controlled tests with experts, Money Mail discovered that criminals can swipe money off these cards as you're walking down the street, sitting in a restaurant or browsing in shops.


We discovered that crooks using card reading equipment can also steal information from your card that they can then use to steal your identity. 

Fraud on these new bank cards — which you can use without entering your PIN — is currently rare. And if you do fall victim, your bank will typically refund you the full amount.

Sly swipe: Morgan Rothwell shows how easily he can steal Victoria’s money with a card reader

But our tests found fraudsters only have to get within a few inches of where you keep your wallet to scam you. 

Fraud was even possible when contactless cards were in bags and jacket pockets.

The equipment needed to commit these crimes is available for as little as £30 online. These machines work even when concealed inside a shopping bag — which gives criminals the ability to target victims without them realising.

There is no suggestion these devices are being widely used by crooks. But our findings raise serious safety concerns about the rollout of contactless cards by all major banks.

HOW TO PROTECT YOURSELF 

When using contactless cards the most important thing is to be aware of your surroundings and anything suspicious.

Contactless cards have a circuit around the edge.

Cutting off the top right-hand corner breaks the circuit and stops it sending a signal to a payment machine.

You can still use the card to make Chip and Pin payments, however. 

Beware that cash machines can detect the fault and may swallow the card, so it's not an ideal solution.

Another option is to wrap the card in foil. The metal acts as a barrier, blocking the contactless signal emitted by the card.

However, foil can rip easily and may need to be replaced often.

Some companies have launched special products that will protect your card. 

Defender Note offers A5 pieces of plastic that can be cut to size and placed inside wallets (£7.50, defendernote.co.uk).

Just like the tin foil, it blocks any signals — so the contactless technology won't work unless you take it out. 

You can also buy special wallets that work in the same way (from £35, houseoffraser.co.uk).


Almost all new debit and credit cards are now contactless, with 92 million currently in use.

The technology allows you to pay a bill of up to £30 without typing in your PIN at the checkout. You just tap the card against the reader.

One in five card payments in the UK is now contactless, according to the UK Cards Association, and the industry is in discussions about raising the spending limit to £50.

But associated fraud has risen from £516,500 in the first six months of 2015 to £2.9 million in the same period this year. 

That is still low compared to other types of financial crime — but experts fear it could worsen.

Morgan Rothwell, director of fraud prevention firm Defender Note, says: 'If someone stole £500 out of your bank account you'd notice straight away. 

'But many people may not miss £30 until they check their bank statement at the end of the month.

'By then they may just assume they've just forgotten what they bought, and not report it. In the meantime the fraudster could have pocketed thousands of pounds by trawling up and down high streets and train station platforms, targeting hundreds of unsuspecting victims.'

You can request a non-contactless card, but some issuers, such as Barclaycard, will refuse.

To test the safety of the cards we conducted a series of experiments with the help of fraud protection experts.

In the first set, we tested how far away you need to be from a card reader for a contactless card to register.


The Assheton Arms gastro-pub in Lancashire agreed to let us borrow its machine. It does not have to be connected to a till by a wire, so allows staff to take card payments from customers sitting at tables. 

The machine has a range of only a few hundred metres so will not work outside the building.

We also tested mobile devices. Many tradesmen such as plumbers, locksmiths, builders and market stalls now use card machines that work wherever you get a mobile signal.

Rowland Hayward, of Silver Fox Wines, who uses a mobile card reader for wine-tasting events in people's homes, allowed us to test his device in Preston.

Any money taken using either of these machines will go directly into the business's bank account. 

There's nothing to stop a criminal setting up a legitimate business and then using it to steal money on the side.


You would expect almost to have to touch the card against the readers for them to take a payment. 

But in our experiments the machine beeped when the card was around 4in away and the printer started rolling out a receipt. This means a criminal could steal money from you in a shop or cafe without even brushing against you.

In a public place a criminal would be unlikely to get away with such a brazen act. But many people will keep their bags on the floor and jackets on the backs of seats in pubs and restaurants.

We placed the contactless card inside a wallet, a purse and loose in a leather bag to test whether a machine could take a payment through the material. In every case, the card could be read when it was 2in away.


The best protection was keeping the card in a woman's purse with a clasp fastener inside a leather bag. 

When we waved the reader over the bag, it could not pick up any signal. So if you leave your bag unattended, you will be vulnerable to fraud unless your contactless card is buried away inside.

If a criminal is using one of the mobile machines, they could steal your cash while you're on a train, walking down the street or at a bus stop — though to get away with it in broad daylight they'd need to conceal the machine.

However, we discovered it could read a card even while hidden inside a material shopping bag or plastic carrier bag. 

The exception was when we conducted the tests with more than one contactless card; the machine just beeped and a message flashed up saying: 'Please present one card only.'

So if you have more than one contactless card in your wallet, you are less at risk because the machine may not know which one to pick.

The other big risk is keeping a card in your pocket. In our tests, we put a contactless card inside the back pocket of some jeans and the card reader only needed to be an inch away to work.

We got the same result when the card was placed inside the pocket of a jacket. Even when the card was in a wallet inside a pocket, it could be read without the machine touching the material. 


This was one of the most concerning results because it shows you are vulnerable in crowded places.

Martyn James, formerly of the Financial Ombudsman Service, says: 'This shows that you should never carry your card loose in a jacket, or keep your wallet in the back pocket of your trousers.

'A fraudster could bump up against you or rifle through the cloakroom and you'd be robbed of up to £30 without even realising.'

Industry experts say it would be hard to get away with this type of fraud because every machine is registered to a business. 


Companies undergo strict checks, providing proof of identity and address, including photos of their premises.

Banks also watch for suspicious transactions — for example, if a business that usually takes five payments a day suddenly takes 50, a red flag would be raised.

Currently, if you are the victim of contactless theft, your losses are limited. Card machines can take only £30 a time. Even if crooks repeatedly try to swipe your card, the machine will ask for a Pin after around ten attempts, so you're unlikely to lose more than £300.

You are at much greater risk if they get hold of your personal details.


Once in possession of your name, card number and expiry date, a crook with the right equipment has enough to commit identity fraud in shops and online.

We conducted our second set of tests with Kevin Loveman, of payments firm Universal Smart Cards, at a retail park in Borehamwood, Hertfordshire.

Kevin says it's possible to buy card-reading machines — known in the industry as RFID or NFC readers — for just £30 on Amazon or eBay. These are not intended for criminal use as some are also used to scan concert tickets.

Kevin demonstrated how a card reader the size of a smartphone could be concealed in the palm of his hand.

It had to be attached to a laptop by a wire — but this could be threaded through jacket sleeves to a computer in a backpack.

A crook can even turn off the bleeping sound made by the machine when it scans a card.

As with standard card readers, the machine needed only to be within four inches of a contactless card to work.

We tested the machine with the card in a wallet, purse, bag and a pocket, and it read perfectly every time. The only exception was when the purse was inside a bag.

When we put two contactless cards inside a wallet it recorded the details of either one or both of them.

Kevin says crooks have started using smartphones to scan cards as they are less conspicuous.

We downloaded a free card-reading app on to a smartphone. It was unreliable and didn't work every time.


When it was successful it needed to be within an inch of the card to record the long number on the front and the expiry date.

Other apps claim they can capture additional data, such as the last ten transactions on the card and even how many more times the PIN can be entered before the card is blocked.

Justin Modray, director of Candid Financial Advice, says: 'Once a fraudster has this sort of information they are incredibly dangerous.

'Even if they don't go on to make purchases using your card, they can sell your details online to other criminals with ulterior motives.'

Criminals can also use the data they gather to make a clone of your card.

Our investigation found card-reading kits were on offer for just $200 on the 'dark web' — a hidden part of the internet used by criminals.

For this sum, a crook receives a card-reader that can scan up to 15 contactless cards at once, plus a pack of blank cards to transfer the details on to.


Under the advertisement, visitors to the site had written comments such as 'Let the shopping begin. Whoop' and 'Xmas shopping done haha'.

On the dark web criminals can also buy printers that make blank cards look just like normal ones given out by banks.


Most online retailers ask for the three-digit security number on the back of your card — known as the card verification value (CVV) number. This cannot be picked up by a card-reader.

But you would not need this to spend with the card in a shop.

Richard Koch, head of policy at The UK Cards Association, says: 'We are aware of examples where card information has been harvested in laboratory tests, but there has never been a verified real-world case of these types of fraud.

'Contactless cards are very safe and anyone who is a victim of fraud will get their money back.'

v.bischoff@dailymail.co.uk

 
