Why the Lloyds Avios Amex fraud happened (probably)

As a follow-up to my recent articles on the major fraud in the US on Lloyds Avios Rewards American Express cards, I was contacted last week by a reader who works in the credit card industry on the fraud side who explained how he believed it had happened.

You may remember that Lloyds Bank claimed to be the innocent party in all this.  The line given to the media, including me, was that there had been a data breach somewhere on the American Express side.

This had a funny smell to it, as I said to all of the journalists who contacted me.  The fraudsters had made fully working American Express credit cards.  I found it unlikely, to put it mildly, that you could make a fully working plastic Amex card just from knowing the card number.

The reader thought that Lloyds Bank does not appear to have implemented two important security features on its credit cards. 

Firstly, he believes that the Lloyds Bank / Amex processing system does not verify most of the key card information, including the expiry date, before transactions are approved.  The net result of this is that you only need the credit card number in order to manufacture a fake Lloyds Bank American Express credit card.  As the first six digits of Lloyds Bank American Express cards appear to be the same for all cards, it is easier to churn through various permutations to find working numbers even if there was no data breach.

In addition, the reader believes that Lloyds does not appear to match the data from the card terminal (which tells Lloyds whether a transaction is chip, swipe or a contactless tap) with the security data used for verification.  If this was right, it would mean that it would accept the lower level of verification required for contactless transactions – and this is low-level verification because contactless fraud is virtually impossible – even when the transaction was not contactless.  It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction, which would then be charged to a Lloyds Avios Amex account.

I should stress that we don’t know if any of the above is actually true, but the hypothesis does appear to fit the known facts in this case.
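
The two checks the reader describes as missing, plus a simple flag for terminals churning through card numbers under one six-digit prefix, can be sketched from the issuer's side. This is an added example, not code from Lloyds, American Express or the reader; the field names, verification labels, threshold and card number are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical mapping: the security data each entry mode must carry.
# These names are illustrative, not fields of any real scheme message.
REQUIRED_VERIFICATION = {
    "chip": "chip_cryptogram",
    "contactless": "contactless_cryptogram",
    "swipe": "magstripe_cvv",
}

@dataclass(frozen=True)
class AuthRequest:
    pan: str           # card number presented
    expiry: str        # "MMYY" as sent by the terminal
    entry_mode: str    # how the terminal says the card was read
    verification: str  # kind of security data actually supplied
    terminal_id: str

# Constructed issuer record; the card number is made up for this demo.
ACCOUNTS = {"370000000000001": {"expiry": "1219"}}

def authorise(req, accounts=ACCOUNTS):
    """Return (approved, reason); every check must pass before approval."""
    account = accounts.get(req.pan)
    if account is None:
        return False, "unknown_pan"
    if req.expiry != account["expiry"]:
        return False, "expiry_mismatch"
    # The verification data must be the kind the reported entry mode
    # requires, so contactless-grade data cannot validate a swipe.
    required = REQUIRED_VERIFICATION.get(req.entry_mode)
    if required is None or required != req.verification:
        return False, "entry_mode_mismatch"
    return True, "approved"

def enumeration_suspects(requests, accounts=ACCOUNTS, threshold=3):
    """Terminals declined on >= threshold distinct numbers under one prefix."""
    declined = defaultdict(set)
    for req in requests:
        approved, _ = authorise(req, accounts)
        if not approved:
            declined[(req.terminal_id, req.pan[:6])].add(req.pan)
    return sorted({term for (term, _), pans in declined.items()
                   if len(pans) >= threshold})
```
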


Comments (106)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • DarrenT says:

    I was always suspicious about the Lloyds cards. My AX has ALWAYS been rejected whilst abroad, despite advising Lloyds of my travel plans, yet I then use the MC and it works fine. It is SO frustrating to say the least, especially as I got it for the FX free element, and the Avios of course.

    On a side note though… you guys/gals seriously need to chill out. Rob is just giving his thoughts on how this probably happened. If you don’t like it… leave! Some of us really do appreciate his insight and knowledge.

  • Andrew (@andrewseftel) says:

    OT: Etihad Guest miles expire today if you have an inactive account. There is no minimum on charitable donations so consider giving if you have a small balance about to expire.

  • Mark says:

    >It is apparently possible to overwrite the magnetic strip on a real credit card (issuer and card number immaterial) with the lower level of data required to validate a contactless transaction

    Overwriting the magnetic strip would not affect the contactless function of a card, but would charge swiped transactions to a different account.

    There are, however, different levels of contactless card transaction security. The lowest level, designed for the greatest compatibility with older payment systems, sends the magnetic strip data (programmed into the card, not read from the strip) to the terminal.

    • the_real_a says:

      This has happened for at least 25 years. Fraudsters often use prepaid MasterCard/Visa cards and reprogram the number on the magnetic strip. Anyone with a terminal was made aware of the necessity to check the number on the front of the card and the number printed on the receipt (i.e. mag stripe) whenever a card was swiped.

  • the real harry1 says:

    Lloyds TSB to axe 5,000 jobs as a direct result of HfP article
    http://www.dailymail.co.uk/news/article-100566/Lloyds-TSB-axe-5-000-jobs.html

  • Liz says:

    OT Don’t forget your free Marriott /NFL pts tonight – answer is 1951.

    Happy New Year to everyone !

    • Scallder says:

      Marriott’s reply said “Thanks for playing with us this season” so I’m guessing they’re not doing any in the post season making this week the last one unfortunately

    • thehornets says:

      Thanks Liz.

      Ps Happy new year to you all.

  • Alan says:

    1951 #RewardsPoints 😀

  • Sundar says:

    Wish everyone a Happy New Year 2018

  • S says:

    I’m not sure if this is true for Lloyds Amex cards, but Amex issued Amex cards follow this format

    37AA BBCDDD DEFFG

    where

    AA – country/currency code
    BB – product code
    C – billing cycle
    D – account number
    E – card # (e.g. 1 if you have never got a card replacement for that account)
    F – position on account (e.g. 0 for main cardholders, 1 for first supplementary)
    G – Luhn check digit

    so if it’s the same for Lloyds cards, it actually sounds rather plausible, as with one combination of the first 6 digits (BIN code), there’s just 5 digits to guess.

    • mark2 says:

      I’m not sure that it applies for Amex Amex cards as far as AA and BB are concerned.
      My wife and I hold or have held:
      SPG with AA = 17 & 66; BB = 88 & 84
      and similar variations in other cards especially when Gold upgraded to Plat or BAPP down to Blue only last few digits change (in our examples) but I agree with F and G.
