There’s a big security loophole affecting plastic payment cards—called a replay (or pre-play) attack. Banks have known about this loophole for more than a decade. But they may still blame you, the victim, if a scammer makes use of it.
In a 2022 fraud, a former British soldier holidaying in Brazil found that £20,000 had been charged to his bank card in eighteen separate transactions. The ex-soldier, Henry Williams, said he’d only used his card once and that most of the money had been taken from his account without his knowledge.
His bank, a well-known British high street name, initially refused to compensate him, arguing he must have authorised all the payments. Only a year later did the bank agree to refund him—partially and with a grudging apology.
Even after one of the UK’s best-known security experts intervened on behalf of the victim, the UK’s financial ombudsman, which is supposed to settle complaints between consumers and financial services businesses, sided more with the bank.
How does a replay attack occur? Most plastic debit (or credit) cards contain a chip which is used to identify and authenticate the user. The chip comes into action when the user taps the card on a contactless payment terminal (or inserts the card into the terminal and then enters a PIN code).
At this point, the payment terminal generates a number that is supposed to be unpredictable, ensuring that each payment transaction is a fresh one.
Unfortunately, payment terminals can be tampered with and the supposedly unguessable number can be manipulated. This opens the door to replay attacks—and to more paydays for criminals.
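As an added illustration (not from the podcast or the original post), the sketch below shows how an acquirer or bank could audit terminal logs for "unpredictable" numbers that repeat or follow a counter, which is the weakness that makes replay possible. The log format, the terminal IDs and the 4-byte size of the number are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample log: (terminal_id, unpredictable number as 8 hex digits),
# in the order each terminal produced them. Not real transaction data.
SAMPLE_LOG = [
    ("T-001", "9F3A61C2"), ("T-001", "04D7E85B"), ("T-001", "C81B20F9"),
    ("T-001", "5E92A4D0"), ("T-001", "71C6033E"),
    ("T-002", "0000A101"), ("T-002", "0000A102"), ("T-002", "0000A103"),
    ("T-002", "0000A104"), ("T-002", "0000A105"),
    ("T-003", "3B7D19E4"), ("T-003", "A0F255C8"), ("T-003", "3B7D19E4"),
    ("T-003", "6C48E1B7"), ("T-003", "3B7D19E4"),
]


def audit_terminals(log, min_samples=4):
    """Return {terminal_id: sorted findings} for terminals with weak numbers."""
    by_terminal = defaultdict(list)
    for terminal_id, un_hex in log:
        by_terminal[terminal_id].append(int(un_hex, 16))

    report = {}
    for terminal_id, values in by_terminal.items():
        if len(values) < min_samples:
            continue  # too few samples to judge this terminal
        findings = set()
        # A fresh random 32-bit value (assumed size) should not repeat
        # within a short window of transactions.
        if len(set(values)) < len(values):
            findings.add("repeated")
        # A constant step between consecutive values means a counter,
        # so the next value can be guessed in advance.
        steps = {(b - a) % 2**32 for a, b in zip(values, values[1:])}
        if len(steps) == 1:
            findings.add("counter")
        # If the upper half of the value never changes, the space of
        # possible values is far smaller than it should be.
        changing_bits = 0
        for v in values:
            changing_bits |= v ^ values[0]
        if changing_bits.bit_length() <= 16:
            findings.add("high-bits-fixed")
        if findings:
            report[terminal_id] = sorted(findings)
    return report


if __name__ == "__main__":
    for terminal, findings in audit_terminals(SAMPLE_LOG).items():
        print(terminal, findings)
```

A terminal flagged here is one whose transactions deserve closer scrutiny in a dispute, since a cryptogram presented with a predictable number does not prove the card was present at that moment.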
As many as half of all payment cards and half of all terminals may be vulnerable to exploitation, says my Unseen Money co-host Timur Yunusov, who demonstrates a card replay attack in this YouTube video.
In the latest episode of Unseen Money from New Money Review, we explore replay attacks: how they occur, why the vulnerability is still there more than a decade after it was exposed, and why the payments industry is so reluctant to address the issue.