Transactions without PIN entry with the contactless function of a stolen credit card

Category Abuse and fraud | Source Annual Report 2019/18

The customer’s wallet with various identity cards and bank cards was stolen while abroad. Since she had not used one of the credit cards that had been stolen for a long time, she forgot to block it. When she then received the bill for this card, she discovered that the unknown perpetrators had made a great many transactions using the contactless function below the minimum amount required to enter a PIN code. She was prepared to bear part of the damage herself because of the failure to block the card, but was surprised that no security measures had prevented such misuse of the card. The credit card issuer initially refused to participate in any damage, but eventually compensated the client in full.

In the past, the security of the so-called contactless function of credit and bank cards has been critically questioned in the press time and again. The function allows transactions to be made with such cards by simply holding them in the immediate vicinity of an acceptance device. It is not necessary to enter a PIN code for transactions up to a certain maximum amount, in Switzerland usually up to CHF 40. If such a card falls into the wrong hands, it is therefore also possible for an unauthorized person to use it up to the maximum amount without entering a PIN code. During discussions with industry representatives, the Ombudsman was assured that algorithms would be used to prevent misuse. For obvious reasons, no information was provided on the details of these security measures.
In the present case, the customer stated that her stolen card had been used in a way which indicated an abuse of the possibility to pay for goods and services up to a certain maximum amount without entering a code. Within a few days, over 200 transactions totalling almost CHF 2,000 were made with the card, which had not been used by the customer for a long time, exclusively by means of the contactless function without entering a code. The card was used up to seven times for transactions between EUR 0.40 and 25 at the same merchants, in some cases on the same day. When using her other cards, the customer had made the experience that the PIN was sometimes requested for such use, although the maximum amount for a PIN-free payment was not reached. In the present case, it was not apparent that any security measures were in place which could have prevented the misuse and the bank was not prepared to participate in the loss incurred.

The customer was aware that she bore a considerable share of the responsibility in connection with the misuse of her card by the unknown perpetrators, as she had forgotten the card and had therefore not had it blocked. As she had previously only been in contact with the credit card issuer by telephone, the Ombudsman recommended that she first submit a written complaint to the management, so that the latter would be given the opportunity to reconsider its position. Naturally, he expressed his readiness to take up the case if no solution could be found. The customer followed this advice and suggested to the credit card issuer that it should contribute one third of the loss. Shortly afterwards, she informed the ombudsman that the credit card issuer had informed her by e-mail after re-examining the case that it would take over the damage in full.

The case shows that it is important and useful for the ombudsman to refer customers to the bank’s management for a written complaint as a first step, if this had not been done before contacting him. This allows the Bank’s management to examine the case and, if necessary, deal with it directly. In the present case, it has even exceeded the customer’s expectations, which the Ombudsman was pleased to note.

More from this Category