Offline Contactless Transactions Being Authorised After Card Has Been Cancelled


(Alex Sherwood) #1

I’ve just come across this article from Money Saving Expert -

It basically explains that it’s still possible to make contactless transactions after a card has been cancelled, if the terminal is offline.

Since I assume that Monzo’s freeze card functionality only works when the transaction is made online, I’d be interested to hear how Monzo currently deal with these transactions & (if that process could be improved), their plans for the future.

There are differences between how banks, building societies and credit card companies deal with such fraud; some take proactive steps to warn customers or block payments from debiting their accounts, others make it the customer’s responsibility to spot the fraud.

One legacy bank’s approach, that’s mentioned in the story, certainly doesn’t seem ideal -

"There was a customer recently who, eight months later, found out that his card was still being used.

"He phoned up the bank, which said the card could continue to be used until the expiry date on the card and that he should carry on checking his statements and let the bank know.


Edit

I’ve just seen this on Twitter but as I mentioned, I don’t think the in-app functionality actually solves the issue so it would be good to hear some more detail on this.


Disputes and chargebacks
#2

funny…I was reading the very same article while you were posting this :grin:


#3

http://www.moneysavingexpert.com/news/cards/2016/09/card-lost-or-stolen-beware---you-could-be-the-victim-of-contactless-fraud-months-after-youve-cancelled-it has an interesting table of how different banks treat this issue differently


(Rika Raybould) #4

Well the issue is really solved by the Monzo prepaid card pushing just about everything online in the first place. TfL being the only major place it works without live authorisation but they have their own card blacklists pushed to gates until the card’s expiry date if a delayed payment fails.


(Alex Sherwood) #5

Everything that can be pushed online yes but there’s at least one other example of offline only transactions that I can think of (purchases on planes) & I’m pretty sure that there’s more too.


(Rika Raybould) #6

Very true, I can only speak for the specific case of TfL where somebody must pay TfL for the travel charges but the bank could take that fraud hit because it is limited to maybe three days of travel in the worst case.

I too would love to know how exposure to this could be limited with regards to areas such as in-flight purchases. A determined fraudster probably knows not to even attempt to use it online in a way where a card killing issuer script could be downloaded and run.

In my opinion, after whatever the MasterCard time limit for presentment of these kinds of purchases is, they should not be even shown to a user and should instead end up on the desk of whoever is managing fraud within the bank. While it is possible that a customer may be attempting to defraud the bank by canceling a card but still using the old one offline (why I believe most banks do this), I would like my bank to have a little more trust in their users than that.


#7

and of course the potential for manual processing frauds in shop in US and third world countries with the carbon paper slips


(Rika Raybould) #8

As far as I’m aware, those are considered legacy by the payment networks and using them makes the merchant liable for any fraud committed with them. This gives merchants incentive to always be using the latest terminal technologies. This is what has recently happened in the US with the move from magstripe to EMV chip. Merchants who stayed with magstripe became liable for fraud committed if the issuer also supports EMV. (This is the basis of several ongoing lawsuits and has lots of workarounds but that’s another story entirely.)

There are industries that have exceptions to some of these rules though, low value transport (TfL for example) and in-flight purchases are allowed to be authorised offline, even if the issuer wishes otherwise. Even if Monzo can work around the main issue of this thread by pushing purchases online, these exceptions do remain.

TfL have their limitation of damage by being low value and gate blacklists but I do have to wonder about the in-flight purchases. What will Monzo’s policy be on that kind of fraud and what considerations are there in even writing that policy?

In any case, surely in such a tracked industry as air travel, committing fraud in the air is a bad idea!


#9

thanks @RichardR for the clarification on legacy manual processing of card transactions


(Daniel Chatfield) #10

I can share a bit of detail around what we plan to do about this.

We are unable to stop all types of payments coming through on a card after we’ve blocked it in our systems. I imagine our final solution (disclaimer: not sure when this will be ready) will involve those charges being diverted to a “fraud” account so you don’t see them and they don’t impact your balance.

In all honesty, I don’t know when we will be able to build the “final” solution - something we should be able to do though is whenever we get a charge on a card that has been marked as lost or stolen we should be able to proactively reach out to the customer to help resolve this rather than wait for you to come to us. Monzo customers would have the added benefit that they are likely to see these charges anyway thanks to the realtime notifications.

Additionally, our cards will prefer to go online - if they do this then we can send a script that blocks the card, preventing it from being used subsequently offline.


Freezing card & Contactless Transactions
Transaction processing time