Equipment That Could Defraud Rail Passengers Costs Less Than £80

PayPal is selling card readers for £79.95 that can take payments from contactless cards, smartphones and smart watches … as well as chip-and-pin transactions.

Great Innovation

This is a great innovation that will no doubt be welcomed by the likes of small businesses and market stall holders, as it allows them to extend their range of payment options to meet customer expectations.

With Convenience Comes Risk

Hand-in-hand with the convenience provided by technological advances come new risks.  Being able to pay by tapping a contactless card on a reader also makes it easier for criminals to exploit this relatively new technology to rip off unsuspecting members of the public.

Last summer in tests carried out by consumer group Which? revealed a security flaw that allowed them to read the card number and expiry date from all 10 contactless cards they tried.

Public Transport

It is now possible to pay for your journey on London’s transport system using a contactless card or Apple Pay.  Many people find this useful, particularly overseas visitors who may not want to organise an Oyster card for a short stay in London or pay the excessive price of paper tickets.

Revenue Protection

Those in charge of running public transport have a duty to try and prevent people fare-dodging, so it is not uncommon for an inspector to ask to see your ticket.  If the ticket is an electronic one, hand-held readers are used to check the passenger has touched in with their contactless card or Apple Pay device.

Fraud Risk for Passengers

It would not be hard for someone to pose as a ticket inspector using a hand-held device – such as the PayPal one or a similar device from another company – to steal the details off contactless bank cards.

Most passengers assume anyone approaching them on a ticket check is genuine, often not bothering to check whether they have the correct – or even any – uniform.  And almost nobody ever thinks to ask for ID.

So, using the same technique as the Which? team employed, a scammer could make their way through a train, tube, bus or tram cloning the card number & expiry date of everyone using a contactless bank card.  And goodness knows what useful data they might retrieve from an Apple Pay device.

Contactless Has a £30 Cap … Right?

Yes.  But it does not apply here.  It is true that you can only run up a total of £30 of transactions using contactless before you have to enter a PIN.  But with just the long card number and expiry date, a fraudster could – for example – add the card to an Amazon account and splash out on a posh £3,000 TV.  Many sites have the added security of requiring the CVV number from the back of the card but Amazon does not seem to have this check – or at least they didn’t on my last 3 purchases.

Protecting Yourself From Fraud

You can protect yourself by being alert to this kind of fraud and checking for ID:

  • Are they really in uniform?  It’s easy to mistake a suit for a uniform – or be confused by a jacket belonging to another company.   An acquaintance who used to work on the tube says he often got approached on Southern’s trains by people thinking he was a Southern staff member – despite the London Underground logo!
  • Ask to see ID.   All rail staff checking tickets are obliged by law to show ID.  Expect to see a clear photo, the name of the company they are working for and a means of identifying the individual – either full name or unique employee number.  Treat anyone who refuses to show ID – or tries to pass off a name badge as ID – as suspicious.  Call the police for assistance.
  • Are they acting in a professional manner?  Watch out for rude or unprofessional behaviour, or if the “staff” member is acting in a threatening manner.  These can all be signs of a scammer.  If in doubt, call the police.
  • Record evidence.  If you are suspicious of someone who approaches you, it is worth recording the incident on your phone.  This may provide the police with vital evidence to help catch the perpetrator.