£100 contactless limit - are you looking forward to this, or concerned?

Last week the Treasury announced that we would see contactless limits for contactless transactions raised from £45 to £100 some time this year.

It isn’t long since they were only £30, so this is quite a change. What do you make of it?

Are you excited about the idea of living a contactless and cashless life, tapping away for life’s essentials … or does the idea of being able to spend so much with only a tap concern you?

1 Like

I personally think it will be a change for the better, it makes life so much easier being able to use contactless for everyday spending. I am so used to using it now that having to enter a PIN almost feels inconvenient, crazy! It will however mean that people have to be even more astute and careful with their physical cards and you may find RFID blocking sleeves become more popular. I came across one bank giving these out to customers in branch recently which I thought was a nice touch. From a provider point of view the recent uptake of fintech card freezing technology by a significant number of providers will make things safer when it comes to loss/theft of physical cards.

1 Like

I don’t mind the change to the higher limit but hope it doesn’t encourage retailers to go card only and stop accepting cash.

In terms of liability, financial institutions are responsible for losses if the card is lost or stolen but it’s good to be able to freeze cards. Customers will also need to reset their contactless limit one they reach the £300 mark.

I wonder if more banks will provide more granular card controls in apps - Revolut for instance, lets you disable the contactless function on your cards. I hope so.

3 Likes

TBH, it doesn’t affect me at all. My in-store card payments rarely exceed £30, so the old limit was more than enough for me. I don’t mind use the chip & PIN a few times a year for infrequent larger purchases, and the new £100 limit likely isn’t going to be enough for them anyway.

1 Like

Are they upping the SCA limit on contactless payments before you have to chip+pin too? Seems more trouble than its worth if you’ll get rejected and have to pay with chip+pin potentially every other transaction.

Feels like (a little) extra risk for no extra reward (for me anyway). I use Apple Pay 87.5% of the time to avoid having to do a chip+pin to reset the SCA limit.

I assume this is firmly targeted at a certain demographic who can’t/won’t use Apple/Google Pay.

Yes, to £300

Shopping in actual physical places? What is that madness? shies away from windows. Seriously, it’s long overdue, at least we’ve got rid of all the nonsense about folk skimming cards on tubes. Now we really need to see an update to cards themselves, as as dual layer of security would be nice (and isn’t completely out of 2021 tech’s reach either.

4 Likes

This is an interesting possibility now.

Apart from turning it off / on, there is at least a chance that limits can be different for different users now.

In the past, the general limit was low. There was no way to vary it by increasing it - if the merchants would limit the amount you could spend in any case. There was also no reason to lower it when the total was only £30 or £45.

However, now that the general limit is higher at £100, we can start to think of this as a ‘maximum’ instead, and there is at least a case for saying that some users might prefer their cards, for whatever reason, to be lower.

I wonder if this would be of interest or value to you?

What if the limits could be different for different cards - you could have a lower limit for your physical card that could get ‘lost’, but keep the higher limit for the virtual card that is linked to your digital waller, for example.

3 Likes

That’s definitely it with the mooting of cards with integrated fingerprint scanners if the two way verification can somehow take place to ensure that the card is currently being held by the right person with replay mitigation then you can crack it. But with most having a smart phone that’s basically Google/Android pay so physical cards are probably becoming passé. Maybe better for the environment if we just have xPay and cash going forward. I still see a place for cash for a while yet (and physical cards for those without phones). Just need a xPay solution for cash at ATMs, though j suppose cashback works quite well.

I’d like to see cards become optional with accounts virtual being the primary issue method -. Would have preferred to have been optionally issued a card with the Visa switch, instead I got a yellow and a black, both gathering dust :man_facepalming:

It also has a “Reset contactless limit” option, which is very nice imo. A notification telling you you’re getting close with a simple tap to reset is a tidy solution

This is a bit off-topic, but I’m still going to post it here.

I’m a person who’s quite against the use of biometric information in the payment system. There’s three separate concerns and one fact.

  1. It’s impossible to change biometric information. Once they are leaked or stolen, you are doomed for a life time. There’s no way to change them, at least not without inflicting significant physical damage to your body. It’s also fairly easy to get hold of those biometric information, the criminals only need to put a fake scanner on top of the legitimate scanner on the POS or cash machines and waiting for the customers to use them.

  2. Wider use of biometric information in payment system will increase the risk of criminals physically harm the robbery victims to get hold of the information needed to make a payment. Currently in a robbery they only need to get the card and ask for the PIN. Even without the correct PIN they can still make contactless payments, so there’s no incentive for them to cut off victims’ fingers or eyeballs in a robbery.

  3. Privacy reasons. It’s fine to process biometric information locally on device and only storing an irreversible digital fingerprint of the biometric information, but it will raise significant privacy concerns if the information is to be transferred via network and processed on a remote system, or if it’s stored in an reversible format on device (which means stolen device = stolen biometric information).

And, the fact: chip & PIN is already a very secure multi-factor authentication (MFA) system. The chip on the card is something you have, and the PIN is something you know.

This is significantly safer than the most widely used username+password authentication system on the Internet. In fact, it’s also a lot safer than the most common types of MFAs used on the Internet, such as SMS, TOTP and push notification. A carefully crafted phishing site can bypass all those forms of MFAs, but they can’t bypass the chip & PIN MFA system. The only equivalent security level achieved on the Internet and widely adapted by mainstream web browsers is U2F, which uses a small USB and/or NFC device that’s nearly impossible to clone and the system is also resilient to phishing.

Adding an additional authentication method on top of the already very secure system is unnecessary, and may make the whole system worse if the new method is substandard or has many associated unresolvable issues.

Oh, BTW, there’s absolutely no need for those RFID shielded wallets. The banking system has their own solution for the possible contactless card skimming problem. Each payment machine has an unique serial number, and only a registered payment machine can connect to the banking network and take contactless payments. If a machine is being used fraudulently, the bank can revert all recent transactions on that machine, and can also prosecute the owner if they deliberately use or allow other people to use the machine to commit a crime. Therefore it’s a theoretically possible crime, but there hasn’t been any real world case.

2 Likes

It’s also worth remembering that the latest security measures are almost certainly secret and being implemented as and when ready. A scam that works one day may fail on the next.

Hello @Roman .

Forgive me, but I think some of your observations about biometric data are a little too generalised. You raise the same concerns as many people but sometimes the conclusions you have been drawn to are based on false assumptions and unrealistic “what ifs”. Each of us has both relatively secure biometric data and insecure publicly available biometric data and the risks are often overhyped because people refer to tests under laboratory conditions and not IRL scenarios.

Your public biometric data is your (entire) face and your gait. This data is captured in low resolution every day and has very few security related applications, in fact, it’s more use to the advertising industry (Minority Report?). However, I do recommend to my friends that they do not use FaceID (its design is flawed) and stick with old-fashioned fingerprint ID on their devices. Gait can be used to corroborate an identity but it cannot be used to match an identity on its own.

High resolution biometric data would include your fingerprint and iris. It’s very difficult to capture these at high resolution IRL without your knowledge. You have eight fingers and two thumbs and should only register one finger (and maybe a thumb) on devices you own. Fingerprint data cannot leak from an unrooted device but even if it did, you have more fingers and thumbs you can swap for your identity.

Your voice can be both low- and high-resolution data capture and so it has few security applications at the moment except for low-risk scenarios such as placing an order via your Amazon Echo. I would disagree with the banks about the way it is used to identify people using telephone banking - it should be used to corroborate ID not match it. It’s current use by certain banks is more about convenience than tight security. Yes, avoid it if you can.

Other biometric data with potential real-world applications, but also very difficult to capture, include your blood pulse and brainwaves.

Many banks now used extremely sophisticated anti-fraud AI that is hugely effective in combating card fraud. It would be pointless for criminals to force victims into giving their biometric data. The problem is that too few banks use it or are prepared to invest in good AI meaning fraudulent use figures appear to be getting worse as the use of contactless cards increase. The situation will resolve itself in good time.

Security 101 - no security expert would ever endorse a system that networks biometric data. Not only is it an idiotic way to expose data unnecessarily, there is no application that cannot use localised onboard processing. Only the output, usually an asymmetric one-time, time limited hash or token, is passed across the network.

Finally, if you would like to test the hypothesis about RFID wallets then I invite you to visit Ukraine which has the world highest incidence of RFID sniffing. OCG’s there have no problems using the data to generate huge incomes. (BTW, I have visited Ukraine many times and the ordinary folk there are very welcoming and friendly and will point out the OCG’s for you. The food, wine and vodka are great!).

1 Like

And the use of these data doesn’t raise much concerns because it’s can be stored offline (such as a photo on a passport, or from someone’s memory), and a real person will look at the data and make the decisions. A person can easily spot a mask wore by an impersonator, and they can keep the photo in their memory without any risk of leaking it. The same can’t be said for a computer or smartphone. This is exactly why the face recognition cameras being tested by some police forces is a controversial issue and so many people were/are protesting against their use.
Further, even you have a very high resolution photo of someone else, you still cannot make a face mask, paint or whatever else to impersonate that person in the photo and pass the checks performed by another person. But with the fingerprint data stored in a smartphone, I’m pretty sure a hacker can make something to pass the checks performed by the same phone.

Most of the time the same fingerprint to unlock the phone is left right on top of the screen of the same phone, so I wouldn’t say it’s any better than the face ID. IMHO both of them are pretty much equally insecure.

It’s difficult at the moment only because they aren’t widely used. Imagine how easy would it be for a criminal to capture the data without raising suspicions in a world that you have to scan your fingerprint or iris multiple times a day for various things - entering an office building, making a card payment, unlocking your car, etc.?

Is it possible that someone may run out of “spare” fingers in their lifetime? Surely it is, and they definitely can’t grow more fingers if all of them are leaked.
I also highly doubt about the assumption of “Fingerprint data cannot leak from an unrooted device”. There’s some known exploits that can help a hacker gain access to those highly secured data on the older devices, and I can assure you there will be more in the future, for the newer devices.

For the same reason above, this is only true if they aren’t regularly used in daily life.

I disagree. Criminals don’t care if the banks are using sophisticated anti-fraud technologies, they only care whether they can make a quick profit and perfectly not getting caught easily. As long as the banks allow average people to use their cards in stores, criminals will be able to do the same - with stolen cards. All those anti-fraud things are irrelevant, because criminals are using the same card in the same way as everyone else. Right now they can make contactless payments without the PIN, so they don’t need to bother the victims. If the PIN is required to use the card, criminals can extract it from the owner - either by watching the keypad when the card is being used before stealing it, or forcing the victim to disclose the PIN during a robbery. It’s really not hard to imagine what will they do if they need a finger to make the payment.

It’s not about what’s being transferred over the network, is about what’s being stored. The service provider, be it a bank or an office building manager, will have to store your biometric information in their system first. A bank may securely encrypting your data and restrict the access to such a system, but the same can’t be said about an office building manager or a smartphone. Once the data is leaked, it will never expire and there’s virtually no way for a person to change it. This is a much bigger concern than the one-time irreversible data derived from the biometric data and transferred over the network.

TBH, that’s the failure of their banking system and police, and adding extra layers of security features alone won’t fix it.
However, I have to say that a RFID shielded wallet is still not needed for a British visitor with UK issued cards. The high contactless crime rate in a foreign country will be annoying, but the UK visitors don’t need to suffer the financial consequences. That’s because the UK based card issuer needs to obey the British laws and regulations, and will have to refund the customer unless they can prove the customer violated the banking agreement or broke the law. The fact that the contactless payments were made outside the country is irrelevant, it’s no difference than a fraudulent online purchase made on a foreign website.
Of course, one can always opt for such a wallet, and it may save them some time and effort from having to deal with the banks after they return home.