Fraud alert over new tap and pay bank cards: Thieves use scanners to steal account details - even when contactless card is in your wallet

Contactless bank cards may be exposing millions of customers to the risk of fraud.

Tests show that thieves armed with scanners can capture the numbers and expiry dates on the cards and use them for online purchases.

Touted as a boon for shoppers making small transactions, the ‘tap and pay’ cards do not need a PIN number.

Instead they have a tiny antenna that links with a till terminal through near-field communication, or NFC.

But a scanner held nearby can pick up this NFC data, according to the consumer group Which?. 

Its researchers tested ten cards – six debit and four credit – and found all of them had the security flaw.

‘Using a reader and free software to decode data, we were able to read the card number and expiry date from all ten,’ Which? reported.

‘Some cards revealed certain details of the last ten transactions, but no cards revealed the CVV security code – the number on the back. 

'We doubted we’d be able to make purchases without the cardholder’s name or CVV code, but we were wrong.

‘We ordered two items – one a £3,000 TV – from a mainstream online shop using “stolen” card details, combined with a false name and address. We’ve alerted the store involved.

‘By touching volunteers’ cards to our card reader, we got enough details to go on an internet spree.’

At least 58million of the cards are in circulation, with total spending reaching £2.32billion last year.