A device that allows criminals to clone contactless bank cards in bulk is up for sale on the so-called dark web.
The Contactless Infusion X5 can steal information from nearby cards, including the card number and the card holder's name and address.
This information can then be loaded onto blank cards to create clones that can be used to empty the victim's account.
The device is believed to be the first to specifically target contactless cards.
"It can read any bank card from 8cm away and will read 1024 bytes per second, which is equivalent to 15 bank cards per second," one fraudster told the Daily Star.
"All you have to do is be in close proximity to groups of people with contactless cards – that's around half of all debit card holders – and you're in."
The devices are being sold through the TOR anonymous network, and include the reader itself, cabling and battery and 20 blank chipped cards to be turned into clones.
They're believed to sell for around £500.
Recent research has shown that contactless cards are as much as twice as vulnerable to fraud as traditional cards. According to fraud prevention company Defender Note, 18% of people using contactless have fallen victim to fraud, compared with only 9% of those with more traditional cards.
And while contactless payments must be £30 or under, Which? was last year able to use hacked card information to order a £3,000 television online.
However, according to the Contactless Cards Association, customers should feel safe using them.
"Contactless payment cards have the same level of protection as chip and PIN payments, and contain multiple layers of security," it says.
"If a card is lost or stolen, the customer is completely protected against fraud loss. Fraud on contactless cards is negligible, standing at less than 1p in £100."
In the longer term, though, the problem probably won't persist as contactless cards aren't likely to survive. Following the launch of Apple Pay a year ago and Android Pay earlier this year, payment by phone is likely to become far more popular than contactless - and is believed to be much less vulnerable to fraud.
10 things your bank doesn't want you to know
£500 device can hack hundreds of contactless cards
Once you have opened a current account with a bank or other lender, you will get a steady flow of emails, letters (and maybe phone calls) offering you a savings account, loan, mortgage, ISA etc to go with it. But while it may be tempting to have everything in one place, it's better to do the legwork and shop around for the best financial products. You can compare interest rates on loans and savings accounts in the 'best buy' tables in the newspapers, or look online on comparison sites. Remember you can still easily transfer your money between accounts, even if they are not with the same financial institution.
Whether you want to apply for a new mortgage or refinance an existing one, your bank will probably be very happy to give you an instant quote in the hope that you will go with them. They may not tell you that you can shop around at other lenders. A mortgage broker can give you an overview of the best interest rates on offer, and might be able to cut you an even better deal him/herself.
Want to cash in your jars of change that are sitting on your shelves at home? Many banks are not very keen on coins. They often only take it from their own customers. You will have to sort it into different denominations and put the coins in the bank's bags in set amounts (for example, £1 for coppers, £5 for silver, etc). Some banks only take a limited number of bags a day, or won't take any at busy times. Others take a different view: HSBC has free coin deposit machines in many larger branches where you pour your jar of coins into the machine and it counts them and automatically credits your account. Barclays, NatWest and RBS also have machines in large branches in city centres.
Bank employees now have a duty to point out that they only advise on the bank's products and don't offer independent financial advice. What they won't tell you is that even the advice they give you about the bank's own products should be treated cautiously. Bank staff are often undertrained, underpaid and overworked. (You could ask for the employee's qualifications before getting advice.) So do your own research and/or find an independent financial adviser.
Nothing is set in stone. Your bank won't tell you this, but sometimes it will waive a fee, for example an overdraft or an ATM fee, depending on the circumstances. You have nothing to lose by asking, if you can argue persuasively why they should waive the fee. Citizens Advice says your bank should treat you sympathetically if you can show financial hardship.
As stated in the previous slide, some things are negotiable – such as interest rates or waiving fees – if you can make a good case for it. In that instance, talking to an employee in person is better than filling in a form online.
If your account is overdrawn and you get paid, your bank could use this money to pay off your overdraft without your permission. However, you have a right to ask them not to do this so you can pay your rent or mortgage first. This is called first right of appropriation. You have to ask your bank in writing, and you'll need to write to them with new instructions every time money gets paid into your account. Make sure you write 'first right of appropriation' in your letter.
If money is mistakenly credited to your account, your bank or building society can recover the money, assuming they do this within a reasonable time. But you may be allowed to keep the money, for example if you didn't realise the bank had made a mistake and spent the money in good faith. You would have to prove that you spent it in such a way that it would be unfair to ask you to pay it back. You can complain to the Financial Ombudsman if you think your lender is being unfair in asking you to repay the money.
If you do have to pay it back, you could try to reach an agreement with your bank to pay it back in instalments without interest being added.
The Financial Ombudsman Service has more advice on what happens when payments have been credited to the wrong account. If you did something wrong - for example, by entering the wrong account number - rather than the bank, the Financial Ombudsman may still uphold your complaint. They consider whether the financial institution made it clear to the consumer that only the bank sort code and account number are used to process the payment, rather than the name of the payee. They will also ask whether the lender should have realised that the consumer had made mistake, and once the problem came to light, did the firm take reasonable steps to try to get the money back from the recipient.
If too much is deducted from your account, your lender may have to refund the full amount of the payment. For example, if the money is taken through a direct debit or credit card payment for a hotel room or car rental. When deciding whether the debit was reasonable, the bank or building society will take into account your previous spending pattern. But the bank doesn't have to refund the payment if you agreed the amount beforehand or were informed of the payment by your lender at least four weeks before.
If you don't have enough money in your account to cover a direct debit payment, your bank may not make the payment. It doesn't have to tell you that the payment hasn't been made, so the onus is on you to keep checking your account. If, on the other hand, the payment goes through, you may be charged for an unauthorised overdraft.