Is this why the Lloyds Avios Amex fraud happened?
As a follow-up to my recent articles on the major fraud in the US on Lloyds Avios Rewards American Express cards, I was contacted last week by a reader who works in the credit card industry on the fraud side who explained how he believed it had happened.
You may remember that Lloyds Bank claimed to be the innocent party in all this. The line given to the media, including me, was that there had been a data breach somewhere on the American Express side.
This had a funny smell to it, as I said to all of the journalists who contacted me. The fraudsters had made fully working American Express credit cards. I found it unlikely, to put it mildly, that you could make a fully working plastic Amex card just from knowing the card number.
The reader thought that Lloyds Bank does not appear to have implemented two important security features on its credit cards. Firstly, he believes that the Lloyds Bank / Amex processing system does not verify most of the key card information, including the expiry date, before transactions are approved. The net result of this is that you only need the credit card number in order to manufacture a fake Lloyds Bank American Express credit card. As the first six digits of Lloyds Bank American Express cards appear to be the same for all cards, it is easier to churn through various permutations to find working numbers even if there was no data breach.
In addition, the reader believes that Lloyds does not appear to match the data from the card terminal (which tells Lloyds whether a transaction is chip, swipe or a contactless tap) with the security data used for verification. If this was right, it would mean that it would accept the lower level of verification required for contactless transactions – and this is low level verification because contactless fraud is virtually impossible – even when the transaction was not contactless. It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction which would be charged to a Lloyds Avios Amex account.
I should stress that we don’t know if any of the above is actually true, but the hypothesis does appear to fit the known facts in this case.
(Want to earn more miles and points from credit cards? Click here to visit our dedicated airline and hotel travel credit cards page or use the ‘Credit Cards Update’ link in the menu bar at the top of the page.)
About Head for Points
Wish everyone a Happy New Year 2018
I’m not sure if this is true for Lloyds Amex cards, but Amex issued Amex cards follow this format
37AA BBCDDD DEFFG
where
AA – country/currency code
BB – product code
C – billing cycle
D – account number
E – card # (e.g. 1 if you have never got a card replacement for that account)
F – position on account (e.g. 0 for main cardholders, 1 for first supplementary)
G – luhn check digit
so if it’s the same for lloyds cards, it actually sounds rather plausible, as with one combination of the first 6 digits (BIN code), there’s just 5 digits to guess.
I’m not sure that it applies for Amex Amex cards as far as AA and BB is concerned.
My wife and I hold or have held::
SPG with AA = 17 & 66; BB = 88 & 84
and similar variations in other cards especially when Gold upgraded to Plat or BAPP down to Blue only last few digits change (in our examples) but I agree with F and G.
On the Zeek offer they have various Amazon vouchers @ 1/2% discount so these are now valid for the free £5 when spending £50 offer. Picked up a few of these earlier on today.
Good luck with the maple leaf club and star alliance access… i was dnied at no less than 6 star alliance lounges with m maple leaf lunge card. All AC said was sorry. 700 dollars of sorry
Actually, their own lounges are of little value too. I recently did a lounge crawl at Heathrow T2B cluster – United was 5* with great ambience, cocktails and food, Singapore was ok (the downside was it was too crowded as it was just before a packed A380 flight, perhaps at quieter times it will look better, but AC was unevenful and the mixer drinks they offered were from Waitrose Essential range. Waitrose Essential for premium travellers, Carl!
I now buy Amazon gift cards at Morrisons, to get their points. Works out at a few % back.