Why the Lloyds Avios Amex fraud happened (probably)

As a follow-up to my recent articles on the major fraud in the US on Lloyds Avios Rewards American Express cards, I was contacted last week by a reader who works in the credit card industry on the fraud side who explained how he believed it had happened.

You may remember that Lloyds Bank claimed to be the innocent party in all this.  The line given to the media, including me, was that there had been a data breach somewhere on the American Express side.

This had a funny smell to it, as I said to all of the journalists who contacted me.  The fraudsters had made fully working American Express credit cards.  I found it unlikely, to put it mildly, that you could make a fully working plastic Amex card just from knowing the card number.

The reader thought that Lloyds Bank does not appear to have implemented two important security features on its credit cards.  Firstly, he believes that the Lloyds Bank / Amex processing system does not verify most of the key card information, including the expiry date, before transactions are approved.  The net result of this is that you only need the credit card number in order to manufacture a fake Lloyds Bank American Express credit card.  As the first six digits of Lloyds Bank American Express cards appear to be the same for all cards, it is easier to churn through various permutations to find working numbers even if there was no data breach.

In addition, the reader believes that Lloyds does not appear to match the data from the card terminal (which tells Lloyds whether a transaction is chip, swipe or a contactless tap) with the security data used for verification.  If this was right, it would mean that it would accept the lower level of verification required for contactless transactions – and this is low level verification because contactless fraud is virtually impossible – even when the transaction was not contactless.  It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction which would be charged to a Lloyds Avios Amex account.

I should stress that we don’t know if any of the above is actually true, but the hypothesis does appear to fit the known facts in this case.

---

Want to earn more points from credit cards? – December 2020 update

If you are looking to apply for a new credit or charge card, here are our December 2020 recommendations based on the current sign-up bonus. 

You can see our full directory of all UK cards which earn airline or hotel points here.

Earning miles and points from small business cards

If you are a sole trader or run a small company, you may also want to check out these:

Disclaimer: Head for Points is a journalistic website. Nothing here should be construed as financial advice, and it is your own responsibility to ensure that any product is right for your circumstances. Recommendations are based primarily on the ability to earn miles and points and do not consider interest rates, service levels or any impact on your credit history.  By recommending credit cards on this site, I am – technically – acting as a credit broker.  Robert Burgess, trading as Head for Points, is regulated and authorised by the Financial Conduct Authority to act as a credit broker.