Why the Lloyds Avios Amex fraud happened (probably)

As a follow-up to my recent articles on the major fraud in the US on Lloyds Avios Rewards American Express cards, I was contacted last week by a reader who works in the credit card industry on the fraud side who explained how he believed it had happened.

You may remember that Lloyds Bank claimed to be the innocent party in all this.  The line given to the media, including me, was that there had been a data breach somewhere on the American Express side.

This had a funny smell to it, as I said to all of the journalists who contacted me.  The fraudsters had made fully working American Express credit cards.  I found it unlikely, to put it mildly, that you could make a fully working plastic Amex card just from knowing the card number.

The reader thought that Lloyds Bank does not appear to have implemented two important security features on its credit cards. 

Firstly, he believes that the Lloyds Bank / Amex processing system does not verify most of the key card information, including the expiry date, before transactions are approved.  The net result of this is that you only need the credit card number in order to manufacture a fake Lloyds Bank American Express credit card.  As the first six digits of Lloyds Bank American Express cards appear to be the same for all cards, it is easier to churn through various permutations to find working numbers even if there was no data breach.

In addition, the reader believes that Lloyds does not appear to match the data from the card terminal (which tells Lloyds whether a transaction is chip, swipe or a contactless tap) with the security data used for verification.  If this was right, it would mean that it would accept the lower level of verification required for contactless transactions – and this is low level verification because contactless fraud is virtually impossible – even when the transaction was not contactless.  It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction which would be charged to a Lloyds Avios Amex account.

I should stress that we don’t know if any of the above is actually true, but the hypothesis does appear to fit the known facts in this case.

---

Want to earn more points from credit cards? – August 2022 update

If you are looking to apply for a new credit card, here are our top recommendations based on the current sign-up bonuses.

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

You can see our full directory of all UK cards which earn airline or hotel points here. Here are the best of the other deals currently available.

EDIT: Until 25th October 2022, there is an exceptionally generous sign-up bonus on The Platinum Card. You will receive 60,000 Membership Rewards points – double the usual amount – and £200 to spend at Amex Travel. You need to spend £6,000 within six months to earn the bonus.

Earning miles and points from small business cards

If you are a sole trader or run a small company, you may also want to check out these offers:

For a non-American Express option, we also recommend the Barclaycard Select Cashback card for sole traders and small businesses. It is FREE and you receive 1% cashback on your spending.