Maximise your Avios, air miles and hotel points

Why the Lloyds Avios Amex fraud happened (probably)

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

As a follow-up to my recent articles on the major fraud in the US on Lloyds Avios Rewards American Express cards, I was contacted last week by a reader who works in the credit card industry on the fraud side who explained how he believed it had happened.

You may remember that Lloyds Bank claimed to be the innocent party in all this.  The line given to the media, including me, was that there had been a data breach somewhere on the American Express side.

This had a funny smell to it, as I said to all of the journalists who contacted me.  The fraudsters had made fully working American Express credit cards.  I found it unlikely, to put it mildly, that you could make a fully working plastic Amex card just from knowing the card number.

The reader thought that Lloyds Bank does not appear to have implemented two important security features on its credit cards. 

Firstly, he believes that the Lloyds Bank / Amex processing system does not verify most of the key card information, including the expiry date, before transactions are approved.  The net result of this is that you only need the credit card number in order to manufacture a fake Lloyds Bank American Express credit card.  As the first six digits of Lloyds Bank American Express cards appear to be the same for all cards, it is easier to churn through various permutations to find working numbers even if there was no data breach.

In addition, the reader believes that Lloyds does not appear to match the data from the card terminal (which tells Lloyds whether a transaction is chip, swipe or a contactless tap) with the security data used for verification.  If this was right, it would mean that it would accept the lower level of verification required for contactless transactions – and this is low level verification because contactless fraud is virtually impossible – even when the transaction was not contactless.  It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction which would be charged to a Lloyds Avios Amex account.

I should stress that we don’t know if any of the above is actually true, but the hypothesis does appear to fit the known facts in this case.

Want to earn more points from credit cards? – April 2024 update

If you are looking to apply for a new credit card, here are our top recommendations based on the current sign-up bonuses.

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

You can see our full directory of all UK cards which earn airline or hotel points here. Here are the best of the other deals currently available.

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Virgin Atlantic Reward+ Mastercard

18,000 bonus points and 1.5 points for every £1 you spend Read our full review

Earning miles and points from small business cards

If you are a sole trader or run a small company, you may also want to check out these offers:

SPECIAL OFFER: Until 12th May 2024, the Capital on Tap Business Rewards Visa card is offering a bonus of 30,000 points, convertible into 30,000 Avios. You must have a Limited Company to apply. Click here to learn more and click here to apply.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Capital on Tap Business Rewards Visa

Huge 30,000 points bonus until 12th May 2024 Read our full review

For a non-American Express option, we also recommend the Barclaycard Select Cashback card for sole traders and small businesses. It is FREE and you receive 1% cashback on your spending.

Barclaycard Select Cashback Business Credit Card

1% cashback uncapped* on all your business spending (T&C apply) Read our full review

Category

British Airways and Avios

Comments (106)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • DarrenT says:
    31 Dec31 December 12:22

    I was always suspicious about the Lloyds cards. My AX has ALWAYS been rejected whilst abroad, despite advising Lloyds of my travel plans, yet I then use the MC and it works fine. It is SO frustrating to say the least, especially as I got it for the FX free element, and the avios of course.

    On a side note though… you guys/gals seriously need to chill out. Rob is just giving his thoughts on how this probably happened. If you don’t like it… leave! Some of us really do appreciate his insight and knowledge.

  • Andrew (@andrewseftel) says:
    31 Dec31 December 14:19

    OT: Etihad Guest miles expire today if you have an inactive account. There is no minimum on charitable donations so consider giving if you have a small balance about to expire.

  • Mark says:
    31 Dec31 December 14:37

    >It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction

    Overwriting the magnetic strip would not affect the contactless function of a card, but would charge swiped transactions to a different account.

    There are, however, different levels of contactless card transaction security. The lowest level, designed for the greatest compatibility with older payment systems, sends the magnetic strip data (programmed into the card, not read from the strip) to the terminal.

    • the_real_a says:
      31 Dec31 December 15:39

      This has happened for at least 25 years. Fraudsters often use prepaid MasterCard/visa cards and reprogram the number on the magnetic strip. Anyone with a terminal was made aware of the necessity to check the number on the front of the card and the number printed on the receipt (i.e. mag stripe) whenever a card was swiped.

  • the real harry1 says:
    31 Dec31 December 14:50

    Lloyds TSB to axe 5,000 jobs as a direct result of HfP article
    http://www.dailymail.co.uk/news/article-100566/Lloyds-TSB-axe-5-000-jobs.html

  • Liz says:
    31 Dec31 December 18:36

    OT Dont forget your free Marriott /NFL pts tonight – answer is 1951 .

    Happy New Year to everyone !

    • Scallder says:
      31 Dec31 December 18:48

      Marriott’s reply said “Thanks for playing with us this season” so I’m guessing they’re not doing any in the post season making this week the last one unfortunately

    • thehornets says:
      31 Dec31 December 18:52

      Thanks Liz.

      Ps Happy new year to you all.

  • Alan says:
    31 Dec31 December 18:52

    1951 #RewardsPoints 😀

  • Sundar says:
    31 Dec31 December 19:23

    Wish everyone a Happy New Year 2018

  • S says:
    31 Dec31 December 19:29

    I’m not sure if this is true for Lloyds Amex cards, but Amex issued Amex cards follow this format

    37AA BBCDDD DEFFG

    where

    AA – country/currency code
    BB – product code
    C – billing cycle
    D – account number
    E – card # (e.g. 1 if you have never got a card replacement for that account)
    F – position on account (e.g. 0 for main cardholders, 1 for first supplementary)
    G – luhn check digit

    so if it’s the same for lloyds cards, it actually sounds rather plausible, as with one combination of the first 6 digits (BIN code), there’s just 5 digits to guess.

    • mark2 says:
      31 Dec31 December 20:48

      I’m not sure that it applies for Amex Amex cards as far as AA and BB is concerned.
      My wife and I hold or have held::
      SPG with AA = 17 & 66; BB = 88 & 84
      and similar variations in other cards especially when Gold upgraded to Plat or BAPP down to Blue only last few digits change (in our examples) but I agree with F and G.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

New to Head for Points?

Welcome!  We’re the UK’s most-read source of business travel, Avios, frequent flyer and hotel loyalty news. Let us improve how you travel. Got any questions? Ask them in our forums.

NEW: Sign-up bonuses boosted to 3,000 and 18,000 points

Latest Forum Posts

Get 40,000 bonus points (worth 40,000 Avios) and £300 dining credit with The Platinum Card

Check reward flight availability instantly for free!

See a whole year of reward seat availability on one page at SeatSpy.com

Get £10 when you spend £150 on your free Currensea card

Booking a luxury hotel?

Our luxury hotel booking service offers you GUARANTEED extra benefits over booking direct. Works with Four Seasons, Mandarin Oriental, The Ritz Carlton, St Regis and more. We've booked £1.7 million of rooms to date. Click for details.

SME? SPECIAL OFFER TO 12TH MAY EARN POINTS WORTH 30,000 AVIOS WITH CAPITAL ON TAP

Get 20,000 bonus points, four airport lounge passes and your first year free with American Express Gold

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.

Got it!