Fraudsters are stealing money from contactless payment cards at the rate of almost £27 ($53) every minute, raising fears that the technology is becoming a "magnet" for thieves.
Analysis for The Mail on Sunday suggests the security threat is increasing at an alarming rate as the nation's shoppers turn in droves to convenient "tap and pay" cards and phone apps to ease queue stress, according to the Daily Mail.
Spending this way soared last year to above £52 billion – double the amount in 2016 according to industry body UK Finance.
Unlike conventional cards, contactless cards contain a special chip that emits radio waves that can be easily read by a payment terminal – and cuts out the extra seconds it takes to tap in a PIN.
But this flexibility has brought penalties – with crooks last year using stolen contactless cards to plunder a total of £14 million – a haul that far exceeds the £9.8m stolen using fraudulent or altered cheques.
Card providers offer reassurance to customers that any spending on snatched contactless cards is kept in check because each transaction is capped at £30 – with a further safeguard that after a "random" number of purchases shoppers are asked to enter their PIN to prove a card is theirs.
But no bank will reveal after how many attempts such checks are made. Another problem with stolen cards is that a quirk in the technology means some have been used even months after being cancelled.
Banks blithely say that customers need not worry because any stolen money is swiftly – usually – returned to their accounts.
Martyn James, of complaints service Resolver, says the banks' attitude to contactless crime smacks of "complacency".
He says: "The amount stolen may seem like a drop in the ocean compared to overall annual banking fraud of £732m but given there are limits on the spending, there were still at least 467,000 incidents last year. Probably a lot more if you allow for transactions that were for less than £30."
Christopher Somes-Charlton, 58, manager of Palestinian singer Reem Kelani, is not impressed by the banks' empty promises over security after being a victim of contactless card theft nearing £600.
Eight days ago, Chris, from Notting Hill in West London, had his wallet pickpocketed while out drinking with team-mates from Hampstead & Westminster Hockey Club after their Saturday match.
As soon as he realised it had vanished, Chris contacted Royal Bank of Scotland and John Lewis Financial Services to cancel his three stolen contactless cards.
But when he checked his accounts online the next day, Chris found that the thief had been on a rapid spending spree with his John Lewis credit card. It had been used to carry out 13 transactions in 75 minutes at various outlets including supermarkets Waitrose and Marks & Spencer, many of them for precisely the maximum £30 spending limit.
Last Tuesday, he found that seven transactions totalling £180 had also been made on his RBS cards – appearing on his statement 36 hours after he cancelled them.
He says: "This technology is making our wallets a magnet for thieves. They know they can make off with your money easily. Yes, the money – £390 for the John Lewis card alone – will be refunded but it is the sense of violation that makes me uncomfortable as well as the hassle involved. I also need to replace a Network Rail and organ donor card. More should be done to prevent this crime happening otherwise thieves are just laughing at us. These contactless cards make us honeypots to them with greater values available to them than cash."
He now plans to use only cards without the tap and go feature – though this will require him to return the contactless versions automatically sent out to him as replacements for his stolen cards.
Most banks issue contactless cards by default for new and replacement cards – though many providers such as Santander and RBS will provide the old style chip and PIN cards on request.
Barclays says just one per cent of debit card holders request the older version while its Barclaycard credit card arm only issues contactless varieties on the basis that "contactless payments are integral to ensuring our customers are able to pay conveniently, securely and quickly for small value items."
Chris has reported the incident to the Metropolitan Police which after initial reluctance has now promised to investigate. He says: "The pub and many of the shops where the crook used my card must have cameras. They should be able to match this footage with the exact times the purchases were made."
UK Finance defends contactless cards, saying the losses pale into insignificance compared to online fraud.
It says: "Contactless fraud is low with robust security features in place. Customers are fully protected against fraud and will never be left out of pocket, unlike if they lose cash."
Harry Rose, editor of consumer magazine Which? Money, says he is concerned about the haphazard security responses of banks. He says: "Obviously the banks have to balance convenience and security but it is the inconsistency of how many times a card can be used before the PIN is requested that concerns us. Some have high levels of security, including calling a customer if transactions look suspicious while others seem to let the card be used ten times or more."
John Lewis and Royal Bank of Scotland confirmed they have refunded Chris in full. The card providers would not reveal how often a PIN is demanded but John Lewis said the type of transaction influences any trigger.
Chris has been left disenchanted. He says: "Evidently, the banks want to make it as easy as possible to execute payments so that we make lots of them – and they are quite willing to tolerate a high degree of fraud along the way."