Maximise your Avios, air miles and hotel points

Why the Lloyds Avios Amex fraud happened (probably)

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

As a follow-up to my recent articles on the major fraud in the US on Lloyds Avios Rewards American Express cards, I was contacted last week by a reader who works in the credit card industry on the fraud side who explained how he believed it had happened.

You may remember that Lloyds Bank claimed to be the innocent party in all this.  The line given to the media, including me, was that there had been a data breach somewhere on the American Express side.

This had a funny smell to it, as I said to all of the journalists who contacted me.  The fraudsters had made fully working American Express credit cards.  I found it unlikely, to put it mildly, that you could make a fully working plastic Amex card just from knowing the card number.

The reader thought that Lloyds Bank does not appear to have implemented two important security features on its credit cards. 

Firstly, he believes that the Lloyds Bank / Amex processing system does not verify most of the key card information, including the expiry date, before transactions are approved.  The net result of this is that you only need the credit card number in order to manufacture a fake Lloyds Bank American Express credit card.  As the first six digits of Lloyds Bank American Express cards appear to be the same for all cards, it is easier to churn through various permutations to find working numbers even if there was no data breach.

In addition, the reader believes that Lloyds does not appear to match the data from the card terminal (which tells Lloyds whether a transaction is chip, swipe or a contactless tap) with the security data used for verification.  If this was right, it would mean that it would accept the lower level of verification required for contactless transactions – and this is low level verification because contactless fraud is virtually impossible – even when the transaction was not contactless.  It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction which would be charged to a Lloyds Avios Amex account.

I should stress that we don’t know if any of the above is actually true, but the hypothesis does appear to fit the known facts in this case.

best travel rewards credit cards

Want to earn more points from credit cards? – June 2024 update

If you are looking to apply for a new credit card, here are our top recommendations based on the current sign-up bonuses.

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

You can see our full directory of all UK cards which earn airline or hotel points here. Here are the best of the other deals currently available.

Marriott Bonvoy American Express

HUGE 60,000 POINTS BONUS UNTIL 2nd JULY and 15 elite night credits each year Read our full review

American Express Preferred Rewards Gold

Your best beginner’s card – 30,000 points (TO 16TH JULY), FREE for a year & four airport ….. Read our full review

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Virgin Atlantic Reward+ Mastercard

18,000 bonus points and 1.5 points for every £1 you spend Read our full review

Earning miles and points from small business cards

If you are a sole trader or run a small company, you may also want to check out these offers:

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Capital on Tap Business Rewards Visa

10,000 points bonus – plus an extra 500 points for our readers Read our full review

For a non-American Express option, we also recommend the Barclaycard Select Cashback card for sole traders and small businesses. It is FREE and you receive 1% cashback on your spending.

Barclaycard Select Cashback Business Credit Card

1% cashback uncapped* on all your business spending (T&C apply) Read our full review

Comments (106)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Ben Chode says:

    FWIW: I have used my AmEX platinum multiple times online (at various merchants) simply using the card number and 4-digit code. The expiry date I enter is usually a guess when I don’t have my card to hand it I’ve never had a transaction rejected even after I realise the expiry I entered was completely wrong!

  • Mr(s) Entitled says:

    Headline appears to give a lot more certainty about why the fraud happened than the corresponding article. I’m not a card holder and have no real interest in the story but I fell for the click bate so I guess it worked.

    • Mr(s) Entitled says:


    • Graeme says:

      You poor thing. We should have a whip-round for you.

      • Simon says:

        Could add miserable as well!!

      • Mr(s) Entitled says:

        Wait…. do you want to offer to refund my subscription as well?

        “Why the Lloyds Avois Fraud Happened” becomes “I was contacted last week by a reader who works in the credit card industry who explained how it could have happened.”

        These are to very different statements and I contend that the headline is misleading and below what I expect from this site based on years of use.

        Criticism can be valid even if fanboys are blind to it.

        • Gary says:

          I’m with you on this. The click bait title made the difference between me reading the article and clicking away. So I guess it fulfilled the intended purpose.

        • Graeme says:

          well said, from a different Graeme!

        • ups says:

          I also agree.
          Rob: Hope you will consider avoiding such clickbait headlines. This and the other article headline (Seven Avios secrets you probably didn’t know) are very much clickbaits and don’t go with the good quality content that you produce. They are more of the Daily Mail variety which I’m sure you’re not aiming for.

        • Rob says:

          The guys knows what happened. For legal reasons I have toned it down.

    • Mr Dee says:

      I think the truth is known but is often not a good idea to share with the general public the exact details to how some things have been done.

  • Genghis says:

    OT has anyone’s IHG Creation Dec 17 statement been generated? We’re still waiting

    • Peter K says:

      Both my wife and mine have. 27th Dec last and this year.

    • Graeme says:

      Mine hasn’t generated yet, points transferred over a few days ago though.

    • jason says:

      yes around 22nd

      • Genghis says:

        Thanks guys. A complete mixed bag then. I always thought Creation generated statements for everyone on the same day.

        • Graeme says:

          mine is late though Genghis, previous statements normally generate between 21 and 23 of the month.

        • Liz says:

          Same here – pts transferred on 27/12 – the statement has been generated as my payment date says 15/1 but statement not showing to view yet or email received. Very slow this month.

        • Peter K says:

          So did I. They have done for my wife and me and we applied at different times.

        • RussellH says:

          Mine has usually been 21-23 of the month. December was 27 – points transferred and a statement apparently generated, but not received it yet. Used the card for my final council tax installment; hiopefully will not be billed until the end of Jan.

    • Tim W says:

      I’m still waiting for the statement, though the points have transferred and the “recent transactions” has obviously been pruned for transactions on the as yet unavailable statement.

    • thehornets says:

      I am waiting too Genghis and have contacted them using their form. Who knows if/when they will reply. Bill was due on 22nd….

      • Peter K says:

        It’s are usually earlier in the month but in December last and this year it has been later in the month when the statement has been generated. I imagine they want as much as possible of the xmas buying to be on this statement.

    • Tracy says:

      Nope, still waiting. Points have posted to IHG and details are available for payment due date etc

    • Alan says:

      Nope – points all across to IHG OK (although thanks to VS transfer had triggered Spire already so didn’t actually need them for that). Suspect we won’t see statement until next working day (2nd Jan in England).

  • Siy says:

    OT: Can anyone advise how long it takes for the bonus 1000 VFC miles to be credited once the auto-convert has been selected on a clubcard account. I did this for 2 clubcards accounts (quoting the 1 BA account) on the 31st Oct, but am yet to get anything. Just worried that my clubcard vouchers will auto-convert soon if I don’t opt-out again. Thanks

    • Liz says:

      Doesn’t look like we got them this time – I switched mine back to vouchers last week. I hadn’t tried it for a while so was hoping to get the points but hey ho !

      • Genghis says:

        Current collection period doesn’t end till 25 Jan. I’m leaving mine on until a few days before.

        • Alan says:

          Ah OK – I was about to switch mine back (after having a reminder from my calendar!) thinking it was a bust for this quarter but guess can keep going a wee bit longer just in case!

  • Genghis says:

    I got my last one on 28 Sep after turning on just after receiving the Aug statement (can’t seem to find exactly when generated).

  • the real harry1 says:

    One for Anika!

    And anybody else who fancies a decent TV stream – I’ve been watching it completely satisfactorily out here in the sun, we have broadband, no great shakes, about 12 gigs but I am competing against 3 teenagers 🙂

    Has dropped out a couple of times only.

    No VPN needed, just email registration – seems to run on (very unobtrusive) ads.

    Many countries seem to be covered, eg France has 121 channels to choose from. One to bookmark for your next trip, I feel – or use now to brush up on your French/ German/ Spanish etc?

    Happy New Year!

  • Oxonlad says:

    As an HFP fan I have to agree with Mrs Entitled, the Lloyds fraud story is poor journalism. It’s one reader’s speculation about the cause.

    Feels like it’s bordering on fake news without any corroboration.

    We’re Lloyds asked to respond to the allegations as per normal editorial guidelines that respectable organisations follow?

    • New Card says:

      FWIW Raffles I found the article to be plausible, interesting and informative.

      • Rob says:

        The original email from the reader was SUBSTANTIALLY more forthright. This is his job, he knows what happened. For legal reasons I have had to tone it down. I will tweak the headline to keep you happy though!

    • Andrew says:

      Generating technically valid numbers is simple enough – whether that is Visa, MasterCard, Amex or just a bank account number. Anyone with a basic grasp of arithmetic can manage it.

      Obviously that account number needs to be “on-file” for it to apply to an account though.

      The contact’s hypothesis is not too outrageous, but I would hope the fraud was far more refined. If it really was that basic there must be hundreds of small businesses, who process offline or have a high threshold for online approval, that have been stung with chargebacks. This would explain the blocking of the relevant number range.

    • Lady London says:

      Hum. Let’s just say that a lot of truth can be told sometimes provided it’s not attributed. Headline a bit risky though?

  • Ian says:

    Re: Lloyd’s Amex

    That seems really far-fetched. Normally, US-based card-cloning scams are carried out using a prepaid or gift card that has had its magnetic stripe overwritten with a different card’s number and expiry. They still use swipe-and-sign in the US, which IMO is why the bulk of the fraudulent transactions occurred there. Some point-of-sale terminals will require the operator to type in the last 4 digits printed on the card to mitigate against this attack, but that’s not very common.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.