Contactless cards and ‘digital pickpocketing’
Many of you will have seen the recent articles in the press of people reportedly using contactless card readers to ‘digitally pickpocket’ unsuspecting victims. In this blog I look at the legal position if you find yourself a victim of such an attack.
I should start by saying that there is still some debate over whether a card reader could read a card through clothing and a wallet. There are also doubts from some quarters that thieves could lay their hands on an active card reader because they would need to through a series of security checks and then be registered with an acquiring bank before the card reader is activated. However, thieves are enterprising individuals and I have little doubt that ‘digital pickpocketing’ will become ‘a thing’ in the very near future (if it isn’t already).
So, what is the legal position?
As you may know, if you spot a suspicious transaction on your account then the usual procedure is to notify your card issuer. If that does not resolve matters then you escalate the complaint and, ultimately, would refer the matter to the Financial Ombudsman Service (FOS) or to court.
The Issuer, FOS and the courts will seek to evaluate the cardholder’s complaint – effectively to assess whether, on balance of probabilities, it is likely that the transaction was fraudulent. This will involve the cardholder having to supply evidence to demonstrate that he/she couldn’t possibly have been responsible for the transaction (easier said than done, however). If that evidence is not available then the cardholder is unlikely to be reimbursed.
Cardholders owe a duty to the Issuer to take reasonable steps to guard against fraud or theft of their card. It was ever thus, so contactless cards don’t change the legal position. However, before the advent of contactless cards, many fraudulent transactions arose from acts of negligence e.g. cardholders revealing/not safeguarding their PIN, and/or leaving their card unsupervised. Where the loss arises from an act of negligence by the cardholder then it is quite right that the cardholder is not reimbursed. But can a failure to protect a contactless card against the acts depicted in the article above amount to negligence? No, not in my view. Cardholders have had contactless cards thrust upon them by their Issuers. If the technology devised by the Issuers does not safeguard against such attacks then that is a failing of the Issuer and amounts to a breach of the duty it owes to its cardholders. Accordingly, it seems to me quite proper that the Issuers should bear the risk/loss.
Though, on a practical level, it will be difficult for the cardholder to provide any evidence to suggest that he/she was not responsible for the fraudulent transaction by a ‘digital pickpocket’, I expect that if a large percentage of transactions through a particular terminal (such as that shown in the picture above) are disputed by cardholders then Issuers will have no realistic alternative but to do the decent thing and to promptly reimburse their cardholders.
However, as evidence is key, and that evidence will not always be available to cardholders, to guard against the risk of loss (and the hassle of having to argue their case with their Issuer) I would suggest that cardholders invest in a shielded wallet; they’re inexpensive and are widely available.