
Ensignbus £10 contactless limit and Apple Pay / Google Pay ban

Status
Not open for further replies.

TTS

Member
Joined
17 Jan 2021
Messages
19
Location
High Weald
Seems crazy to sell high value tickets on the bus in cash. Not only does it make the bus trip slow, it puts the bus driver at risk of robbery. Season tickets need to be off bus. Several technologies to choose from. Smartcard, contactless capping and mobile app.
Ensignbus weren't selling high-value tickets on-bus by cash but by contactless payment.
 

johncrossley

Established Member
Joined
30 Mar 2021
Messages
2,974
Location
London
Ensignbus weren't selling high-value tickets on-bus by cash but by contactless payment.

But were they allowing cash as well as contactless? Selling them on bus even with contactless isn't great anyway for an urban operation.
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,013
Location
UK
Given this is part of my job (which shall remain anonymous), here’s the proper reason for the 10p charge…

When Littlepay processes a transaction for settlement, a pre-authorisation amount needs to be sent to the issuing bank first in order to verify the card for contactless payments. This is to ensure the card has not been reported lost or stolen before Littlepay attempt to take payment from the card.

This pre-authorisation amount is usually £0.10 for UK MasterCards and can be up to £1 for MasterCards outside of the UK. This is effectively a holding fee on the card while we wait to authorise the full payment amount on the card.

For Visa cards, the pre-authorisation amount is £0.00 and should not be visible on a customer's account. The pre-authorisation value is never sent for settlement from the card, and if this is still visible on a customer's account, they should speak to their issuing bank to investigate.

Depending upon the operator the full amount may be requested fairly quickly after the transaction takes place, but for most large operators this is part of an overnight process so tap-on-tap-off payments can be aggregated.

I have a Starling Bank account and use MasterCard, and recently I've had some pre-authorisations of £0.00 done - suggesting they're now replicating Visa?

Also, I noticed that a local car park has signs saying they no longer accept Google Pay or Apple Pay and I did find it rather odd, as they will still take physical contactless payment cards. Other signs in the car park say you can pay with Google Pay and Apple Pay, just to add to the confusion, so maybe someone will be out with some tape to cover those bits up - or just allow people to become thoroughly confused.

I guess I'll have to start carrying my wallet all the time now. I currently go out a lot with only my phone to make payments.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,521
Location
"Marston Vale mafia"
I guess I'll have to start carrying my wallet all the time now. I currently go out a lot with only my phone to make payments.

I've generally found Google and Apple Pay not quite reliable enough to do this (in acceptance and in it actually working). For instance while it's not supposed to "refer to PIN" because it's authenticated via the phone, it sometimes still does for me.
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,013
Location
UK
I've never had a problem. I may sometimes be asked to unlock the phone and use my fingerprint sensor to authenticate, then tap again, which has always worked for me - so far!
 

johncrossley

Established Member
Joined
30 Mar 2021
Messages
2,974
Location
London
Also, I noticed that a local car park has signs saying they no longer accept Google Pay or Apple Pay and I did find it rather odd

Could that be because of the use of virtual card numbers? (See thread about Google Pay on First buses)

 

robertclark125

Established Member
Joined
12 Mar 2008
Messages
1,616
Location
Cardenden, Fife
I wonder how much of this is due to the fact that transactions aren't debited on the spot. I've noticed that the last few times I've used contactless with Stagecoach, the transactions haven't actually gone through until much later in the day (after 7pm if it's local journeys only - presumably this coincides with the time that the bus returns to the depot). In the meantime, there's no "hold" on the funds, and therefore it's possible to spend the same amount of money twice.
This happens at Halbeath Park and ride. If you buy on the bus it comes off late in the day. BUT if you buy at the supervisor office it comes off straight away.
 

XAM2175

Established Member
Joined
8 Jun 2016
Messages
3,469
Location
Glasgow
Whether the Ticketer system can blacklist such tickets (assuming seasons are barcode-scanned on Ensignbus) I do not know. But that would make the exercise fruitless for fraudsters.
Blacklisting the tickets if the authorisation declines would seem an obvious fix. Time for Ticketer to get on it if it doesn't already! :)
Yes, if the payment for the ticket fails the ticket should be cancelled. Breaking the payment up into amounts that fall below the merchant's responsibility threshold to evade the problem is barely a whisker away from being a scam itself, AFAIK.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,521
Location
"Marston Vale mafia"
Yes, if the payment for the ticket fails the ticket should be cancelled. Breaking the payment up into amounts that fall below the merchant's responsibility threshold to evade the problem is barely a whisker away from being a scam itself, AFAIK.

Indeed, and one that is being done to evade liability for not putting in place an obvious security step of blacklisting the ticket barcode if it happens.

I believe the term for that is "fraud".

I think we can sit and watch this with some interest. One of three things will likely happen:
1. Ticketer will put in place ticket blacklisting when transactions decline
2. Ensignbus will lose their merchant account due to wilful breach of T&Cs and so end up cash only
3. Ensignbus will cease selling seasons for card payment for over £10 entirely
 

XAM2175

Established Member
Joined
8 Jun 2016
Messages
3,469
Location
Glasgow
I think we can sit and watch this with some interest. One of three things will likely happen:
1. Ticketer will put in place ticket blacklisting when transactions decline
2. Ensignbus will lose their merchant account due to wilful breach of T&Cs and so end up cash only
3. Ensignbus will cease selling seasons for card payment for over £10 entirely
It wouldn't surprise me to see them threatened with (2), which would force them to implement (3) as a matter of urgency. Whether (1) ever happened is a different matter.

I remember back in the days of using those mechanical credit-card imprinters at a previous job that we were able to accept transactions up to a certain (quite small) value without authorisation, but that any transactions over that value had to be authorised over the phone with the payment provider before we handed over the goods. It was explicitly forbidden for us to split-up and 'batch' transactions so as to bring each one in under the authorisation floor limit.

I can't see any difference in principle between that scenario and this one.

£10k in 3 months is what they've lost
For the avoidance of doubt I do have sympathy for Ensign finding themselves in this situation, but it's plainly wrong for them to respond to it by simply shifting the burden onto the payment processor - because that's exactly what this solution does. It's not a million miles away from saying that theft is totally fine so long as the goods that get stolen were fully insured.

Either they get their act together on cancelling tickets for which payment has failed (and blacklisting the card if it happens more than once or twice in a long span of time), or they stop taking contactless payments over ten quid full-stop. Don't forget that First seasons sold through PayPoint retailers could only be bought with cash precisely because there was no ability to recall them after issue.
 

jammy36

Member
Joined
28 Aug 2013
Messages
295
£10k over three months is substantial - especially if the fraud is being carried out by a few individuals as is said in the above interview. I think Ensign's most expensive ticket to buy on board is the Thurrock + X80 four week season ticket.

I'm not sure this can be as simple as buying these tickets without funds being in place so the transaction is declined after the ticket is issued... A fraudster would need to do this over 123 times (buying the most expensive ticket to account for a £10k loss) ... surely that would be too risky and too easily traceable... is there that big a black market for Ensignbus season tickets?!

This suggests there might indeed be more to the fraud than initial assumptions suggest and that it is more complex, nuanced and sophisticated. The interview makes it clear it is an issue that appears specific to Apple Pay and Google Wallet, but isn't an issue with them per se. Instead, the way transport transactions are processed has opened an opportunity that fraudsters are somehow exploiting on these devices.
 

RJ

Established Member
Joined
25 Jun 2005
Messages
8,383
Location
Back office
£10k over three months is substantial - especially if the fraud is being carried out by a few individuals as is said in the above interview. I think Ensign's most expensive ticket to buy on board is the Thurrock + X80 four week season ticket.

I'm not sure this can be as simple as buying these tickets without funds being in place so the transaction is declined after the ticket is issued... A fraudster would need to do this over 123 times (buying the most expensive ticket to account for a £10k loss) ... surely that would be too risky and too easily traceable... is there that big a black market for Ensignbus season tickets?!

This suggests there might indeed be more to the fraud than initial assumptions suggest and that it is more complex, nuanced and sophisticated. The interview makes it clear it is an issue that appears specific to Apple Pay and Google Wallet, but isn't an issue with them per se. Instead, the way transport transactions are processed has opened an opportunity that fraudsters are somehow exploiting on these devices.

The opportunities are definitely not limited to Apple Pay and Google Pay - only certain methods involve them.
 

markymark2000

On Moderation
Joined
11 May 2015
Messages
3,535
Location
Western Part of the UK
£10k over three months is substantial - especially if the fraud is being carried out by a few individuals as is said in the above interview. I think Ensign's most expensive ticket to buy on board is the Thurrock + X80 four week season ticket.

I'm not sure this can be as simple as buying these tickets without funds being in place so the transaction is declined after the ticket is issued... A fraudster would need to do this over 123 times (buying the most expensive ticket to account for a £10k loss) ... surely that would be too risky and too easily traceable... is there that big a black market for Ensignbus season tickets?!
Are they perhaps counting the revenue lost as well from the tickets being sold on? So £81 lost in the original sale. Plus £81 lost with the ticket being sold on so someone is travelling on their services without paying. So £162 lost per occasion?

With regards to buying the ticket, possibly in big warehouses with a lot of employees who happen to travel by bus such as Amazon, this could easily happen.



The same thing was happening in Manchester so most weekly tickets which can be bought on the bus, can't be bought by contactless.
 

DelayRepay

Established Member
Joined
21 May 2011
Messages
2,929
I'm not sure this can be as simple as buying these tickets without funds being in place so the transaction is declined after the ticket is issued... A fraudster would need to do this over 123 times (buying the most expensive ticket to account for a £10k loss) ... surely that would be too risky and too easily traceable... is there that big a black market for Ensignbus season tickets?!

I agree it's not something simple. In the interview, he said the finance manager spotted something unusual by chance. Surely if cards are being declined they would know. They'd have a shortfall and I assume they get notified of declined transactions. So I do think this is something more unusual.

I also agree it's not easy to see how a criminal would launder £10k worth of bus tickets in three months.
 

Hophead

Established Member
Joined
5 Apr 2013
Messages
1,192
Is this paper tickets which are being bought? These can potentially be used by more than one person in any one day (or over a longer period if applicable). Admittedly, I'm not suggesting this practice alone is causing such a loss.
 

Stephen42

Member
Joined
6 Aug 2020
Messages
231
Location
London
I agree it's not something simple. In the interview, he said the finance manager spotted something unusual by chance. Surely if cards are being declined they would know. They'd have a shortfall and I assume they get notified of declined transactions. So I do think this is something more unusual.

I also agree it's not easy to see how a criminal would launder £10k worth of bus tickets in three months.
It's unclear to be honest, the interview doesn't indicate great familiarity with how transit mode contactless payments work. Possibly they started taking contactless payments and Apple/Google Pay without fully understanding the operating model and potential liabilities. Only when trying to reconcile the accounts they found what the gap amounted to. Using split transactions might also be as they are unaware it's not an acceptable mitigation strategy.

An offline authorisation isn't dissimilar to a cheque, a more fancy digitally generated signature from the card but like the handwritten equivalent it's no guarantee the bank will fulfill it. For offline chip & pin transactions risk of stolen/lost cards is reduced as the person has at least entered the right pin. Even then a shop is unlikely to use offline transactions unless their internet is down and roaming terminals often will be online only by default.

Offline transit mode wasn't designed for season ticket purchase, it relies on those attempting fraud/insufficient funds being blocked from travel before excessive revenue loss. That's harder with one off high value purchases especially with a physical ticket that can be (against contract) resold. The £10k gap over three months might be a combination of deliberate fraud and accidental insufficient funds rather than just fraud.
 

PG

Established Member
Joined
12 Oct 2010
Messages
2,809
Location
at the end of the high and low roads
Seems crazy to sell high value tickets on the bus in cash. Not only does it make the bus trip slow, it puts the bus driver at risk of robbery.
Not that long ago (5+ years), you could pretty much guarantee you'd be running late on Monday mornings having to faff about giving change for weekly ticket after weekly ticket in a row and have a shirt pocket bulging with notes...
 

markymark2000

On Moderation
Joined
11 May 2015
Messages
3,535
Location
Western Part of the UK
Offline transit mode wasn't designed for season ticket purchase, it relies on those attempting fraud/insufficient funds being blocked from travel before excessive revenue loss. That's harder with one off high value purchases especially with a physical ticket that can be (against contract) resold. The £10k gap over three months might be a combination of deliberate fraud and accidental insufficient funds rather than just fraud.
That depends. You could blacklist the QR code but how quickly will Ensign find out that the money has not gone through and how quickly can transactions be tracked back to deactivate the QR code. Ideally, something needs to be done in this respect and if possible, transactions need doing every few hours rather than daily just so then it's quicker to stop and preferably catching it quick enough to stop the person returning home.
 

_toommm_

Established Member
Joined
8 Jul 2017
Messages
5,843
Location
Yorkshire
I have a Starling Bank account and use MasterCard, and recently I've had some pre-authorisations of £0.00 done - suggesting they're now replicating Visa?

I’ve noticed that too recently. I booked a hotel, where I pay at the hotel. What’s new is that it ‘debited’ my Mastercard Debit £0.00, and what was even funnier, was that NatWest flagged it and made me authorise it in the app.

I had my card blocked too temporarily when using Apple Pay on payday. It seems there may be a crackdown.
 

GusB

Established Member
Associate Staff
Buses & Coaches
Joined
9 Jul 2016
Messages
6,543
Location
Elginshire
I’ve noticed that too recently. I booked a hotel, where I pay at the hotel. What’s new is that it ‘debited’ my Mastercard Debit £0.00, and what was even funnier, was that NatWest flagged it and made me authorise it in the app.

I had my card blocked too temporarily when using Apple Pay on payday. It seems there may be a crackdown.
I think this is just a cracking down on the "new rules", which I'm in no position to explain in any detail right now. To keep a long story short, transactions that are performed online have to go through an extra layer of verification, either via a text message to your nominated mobile phone or through your bank's app.

I received a new card from the payment provider that I currently use (it's not a bank as such) and when I "upgraded" my plan I was sent a new card which had an entirely different card number. It was a complete pain in the backside because I had to update Google Pay Wallet along with a couple of other apps, and in each case I was either sent a text message with a code, or a prompt to open an app and confirm a transaction for £0.00.

They have our best interests at heart, apparently! While I grudgingly accept that, it still doesn't make it any less of a pain in the arse when it happens.
 

Towers

Established Member
Joined
30 Aug 2021
Messages
1,657
Location
UK
They have their best interests at heart, presumably, assuming that they stand the cost of a lot of fraud?

It's easy to see how bus operators have tied themselves up in knots trying to keep up with contactless. First seemed to have introduced a rather bizarre system in Bristol when I was there recently, whereby for journeys within a defined zone you tapped on boarding the bus, and that was it. No tapping off again. Your day's travel was capped (indeed I think it was marketed as 'Tap & Cap'), but there seemed to be a glaring hole in the idea on some routes in that if the bus was continuing outside of the zone, there was nothing to stop you tapping in for a local journey and then going as far as you liked. I see they've just recently introduced the more conventional tap on/tap off system, which I presume has replaced it?

As an aside, I notice that Tesco pre-authorises £1 when buying fuel at a pump. Is this system not open to the same sort of abuse?
 

zero

Member
Joined
3 Apr 2011
Messages
955
Is this paper tickets which are being bought? These can potentially be used by more than one person in any one day (or over a longer period if applicable). Admittedly, I'm not suggesting this practice alone is causing such a loss.

Nothing to do with contactless though, you can transfer paper tickets bought with cash

They have their best interests at heart, presumably, assuming that they stand the cost of a lot of fraud?

It's easy to see how bus operators have tied themselves up in knots trying to keep up with contactless. First seemed to have introduced a rather bizarre system in Bristol when I was there recently, whereby for journeys within a defined zone you tapped on boarding the bus, and that was it. No tapping off again. Your day's travel was capped (indeed I think it was marketed as 'Tap & Cap'), but there seemed to be a glaring hole in the idea on some routes in that if the bus was continuing outside of the zone, there was nothing to stop you tapping in for a local journey and then going as far as you liked. I see they've just recently introduced the more conventional tap on/tap off system, which I presume has replaced it?

As an aside, I notice that Tesco pre-authorises £1 when buying fuel at a pump. Is this system not open to the same sort of abuse?
Not too different from asking for a short fare if you know the driver won't remember/challenge you when you get off (or there's a back door). If an RPI boarded the bus how do they check?

Tesco has your licence plate. Also some fuel stations said they were going to pre-authorise £99. I suppose you could use fake plates like you could steal a card and use it contactlessly
 

Towers

Established Member
Joined
30 Aug 2021
Messages
1,657
Location
UK
Tesco has your licence plate. Also some fuel stations said they were going to pre-authorise £99. I suppose you could use fake plates like you could steal a card and use it contactlessly
Having a vehicle reg number is presumably no more or less foolproof than having a set of bank card details, though? I wonder how the 'Pay at Pump' situation is dealt with; is it theft, fraud or a civil matter for the debt chasing outfits? Is the onus on the customer to know that they have funds, or on the merchant or the bank to check before allowing the transaction?
 

DelayRepay

Established Member
Joined
21 May 2011
Messages
2,929
It's unclear to be honest, the interview doesn't indicate great familiarity with how transit mode contactless payments work. Possibly they started taking contactless payments and Apple/Google Pay without fully understanding the operating model and potential liabilities. Only when trying to reconcile the accounts they found what the gap amounted to. Using split transactions might also be as they are unaware it's not an acceptable mitigation strategy.

An offline authorisation isn't dissimilar to a cheque, a more fancy digitally generated signature from the card but like the handwritten equivalent it's no guarantee the bank will fulfill it. For offline chip & pin transactions risk of stolen/lost cards is reduced as the person has at least entered the right pin. Even then a shop is unlikely to use offline transactions unless their internet is down and roaming terminals often will be online only by default.
I understand that for offline transit transactions, the banks accept fraud liability for transactions below £10, and the operator is liable for transactions above this. Which explains why they have introduced a £10 limit (although does not explain why they have completely stopped Apple/Google, or why they think 2 x £10 transactions to pay for a £20 ticket would be ok).

Even our vending machines at work, where the maximum item is £1.20, are online.

Offline transit mode wasn't designed for season ticket purchase, it relies on those attempting fraud/insufficient funds being blocked from travel before excessive revenue loss. That's harder with one off high value purchases especially with a physical ticket that can be (against contract) resold. The £10k gap over three months might be a combination of deliberate fraud and accidental insufficient funds rather than just fraud.
Agree - offline contactless should only be used for very low value transactions (e.g. single fares) where, ultimately, the value can be written off without too much impact if it turns out to be fraudulent.

I still find it hard to understand how they didn't notice such a huge shortfall. I suspect, as you say, they are not fully familiar with how the systems work.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,521
Location
"Marston Vale mafia"
I understand that for offline transit transactions, the banks accept fraud liability for transactions below £10, and the operator is liable for transactions above this. Which explains why they have introduced a £10 limit (although does not explain why they have completely stopped Apple/Google, or why they think 2 x £10 transactions to pay for a £20 ticket would be ok).

The latter is bizarre as it is almost certainly in breach of their merchant agreement and arguably fraudulent.

My suspicion re Apple/Google is that the fraudsters are loading up their phones with a stack of dodgy cards and flipping between them much more easily on a phone.

Even our vending machines at work, where the maximum item is £1.20, are online.

Even public toilet access is online! This is a nuisance as the cheapo terminals used by e.g. Lake District National Park Authority are really slow. TBH as this is typically about 50p I think it should be transit mode. The main method of "fraud" in this context is people jumping the gates or entering as someone exits.

Agree - offline contactless should only be used for very low value transactions (e.g. single fares) where, ultimately, the value can be written off without too much impact if it turns out to be fraudulent.

I think it's fine to use them for season tickets with barcodes or on smartcards where a failure to authorise later can block the ticket. The most fraudulent travel that could be carried out if the authorisation was done as soon as the machine reached a signal is a single. You could even block returns and day tickets if it failed.
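
The control several posts in this thread converge on (cancel the ticket barcode when the deferred authorisation fails, and block a card that declines repeatedly), sketched as an added example that is not part of any post here and is not Ticketer's, Littlepay's or Ensignbus's code. All names, the two-declines-in-90-days threshold, the retry behaviour and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sale:
    barcode: str         # barcode/QR printed on the on-bus ticket
    card_token: str      # tokenised card reference (hypothetical), never the PAN
    issued_at: datetime


@dataclass(frozen=True)
class AuthResult:
    barcode: str
    approved: bool
    decided_at: datetime  # when the deferred (e.g. overnight) authorisation came back


def reconcile(sales, results, now, decline_limit=2, window=timedelta(days=90)):
    """Match deferred authorisation outcomes to tickets already handed over.

    Returns (blocked_tickets, blocked_cards, pending):
      blocked_tickets: barcode -> how long the ticket was usable before the decline
      blocked_cards:   card tokens with >= decline_limit declines inside `window`
      pending:         barcodes still waiting for any authorisation outcome
    """
    by_barcode = {s.barcode: s for s in sales}
    latest = {}
    for r in sorted(results, key=lambda r: r.decided_at):
        if r.barcode in by_barcode:   # ignore outcomes for unknown tickets
            latest[r.barcode] = r     # a later retry overrides an earlier outcome

    blocked_tickets, declines = {}, defaultdict(int)
    for barcode, r in latest.items():
        if r.approved:
            continue
        sale = by_barcode[barcode]
        blocked_tickets[barcode] = r.decided_at - sale.issued_at
        if now - r.decided_at <= window:
            declines[sale.card_token] += 1

    blocked_cards = {c for c, n in declines.items() if n >= decline_limit}
    pending = set(by_barcode) - set(latest)
    return blocked_tickets, blocked_cards, pending


def scan_allowed(barcode, blocked_tickets):
    """Check a ticket machine would make each time the barcode is scanned."""
    return barcode not in blocked_tickets


# Constructed sample data, not real transactions.
NOW = datetime(2022, 3, 10, 22, 0)
SALES = [
    Sale("T-0001", "tok_A", datetime(2022, 3, 7, 7, 40)),
    Sale("T-0002", "tok_B", datetime(2022, 3, 7, 7, 42)),
    Sale("T-0003", "tok_A", datetime(2022, 3, 9, 8, 5)),
    Sale("T-0004", "tok_C", datetime(2022, 3, 10, 17, 30)),  # not yet settled
    Sale("T-0005", "tok_D", datetime(2022, 3, 8, 7, 55)),
    Sale("T-0006", "tok_E", datetime(2022, 3, 8, 8, 0)),
]
RESULTS = [
    AuthResult("T-0001", False, datetime(2022, 3, 7, 23, 10)),
    AuthResult("T-0002", True, datetime(2022, 3, 7, 23, 10)),
    AuthResult("T-0003", False, datetime(2022, 3, 9, 23, 5)),
    AuthResult("T-0005", False, datetime(2022, 3, 8, 23, 10)),
    AuthResult("T-0005", True, datetime(2022, 3, 9, 9, 0)),   # retry succeeded
    AuthResult("T-0006", False, datetime(2022, 3, 8, 23, 10)),
]

if __name__ == "__main__":
    tickets, cards, pending = reconcile(SALES, RESULTS, NOW)
    for barcode, exposed in sorted(tickets.items()):
        print(f"block {barcode}: usable for {exposed} before the decline arrived")
    print("refuse further sales to:", sorted(cards))
    print("awaiting authorisation:", sorted(pending))
```

The elapsed time stored against each blocked barcode is the exposure window raised earlier in the thread: the sooner the deferred authorisation runs, the less travel a declined ticket can buy.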
 