This Time Self-Hosted

Chase UK, Security Features, And TfL

Announced last September, JPMorgan Chase, the US bank, started offering current accounts in the UK last year. Rather than positioning themselves as a high street bank offering, they went for an App-only approach (there’s no website), and even started the offering without the full set of features that most (but not all) UK banks provide. To date, they still appear not to have a way to set up standing orders, which means most people will be unable to use them to pay for their rent.

Despite the lack of features, Chase UK has been quite interesting. In addition to a general 1% cashback offering on debit transactions (for most other banks, such cashback is only available on credit cards), and no foreign transaction fees, they have been offering relatively high interest on the usual savings account, and a whopping 5% on round-ups, which reminds me of what Revolut attempted (but didn’t excel at) previously — Revolut’s round-up earned nothing, so they were essentially just a way to try to keep an easy eye on how much money you had in the account.

As part of the course of a banking application in 2022, Chase UK sends you a free Mastercard Debit card, with no embossed numbers on it, which is not surprising, as I only used the embossed numbers with a carbon-copy device three times since I got my first payment card: in a taxi in the Bay Area, at a Sheraton in Tokyo, and at the FSF booth during a LISA conference — and in the latter case they managed to get the number wrong and got their transaction rejected, I had to send them a donation separately (I had bought some merchandise.) Unlike other cards such as Curve or Revolut, though, they decided to omit the number on the card entirely!

Indeed, if you want to use your Chase UK card online, you need to look up the details on their app, at which point the usual 16-digit PAN is revealed, together with expiration date and CVV2. The app also offers you the option to load the card onto Google Pay, which I obviously did since in most places it is the most convenient way to pay.

Where Google Pay is, in my experience, less than convenient to use is on the London transport system, which is operated by TfL (Transport for London) and implements contactless tap-to-pay-as-you-go. For the longest time I much preferred tapping a physical card rather than my phone, as the latter would require me to unlock the phone to go through — and sometimes re-lock and unlock, particularly if I’ve been keeping the screen on to play Pokémon Go on the train. This latter part is important, because if you tap your phone without having unlocked it recently enough, the tap is not recorded, and you may end up with an “incomplete journey”, which TfL will auto-complete for you with most likely a much higher tariff than you were meant to pay. This meant that for the past few months I’ve been tapping my physical Chase card all over London — well, okay, not really all over since I’ve been commuting only a few times a month to begin with.

On the other hand, just before heading to Italy last month, I realized I was charged a full incomplete journey fare, once I probably forgot to tap out of my local train station — it was a first in all these months, because I hadn’t come back through that route over National Rail – rather than London Underground – where there’s no turnstile to make sure you tap out. Well, easy enough to address since there’s a self-service option to request a refund for it on the TfL website.

And here’s where things got a bit messy — and with a bit I mean it’s a total disaster. The way you identify your TfL travel when using a contactless card (rather than an Oyster card), is by providing the payment details of the card. With a physical card that has the details on it, it’s trivial: you provide PAN, expiry date, CVV2, and a billing address et voilà, you can see your journeys and recover incomplete journey fares.

If you use Google Pay (or, I assume, Apple Pay — I have no experience with the alternative smartphone payment systems, so I’m going to be talking about the one I know, only) things are only a smidgen more complicated. Google Pay provides a “virtual account number” when using it for a transaction, which does not match the original PAN of the card you registered with it — it’s part of the interface that exists between Google and the card issuer, and why you can’t just take any card and register it for payment. There are ways to connect the virtual and original accounts, though, which is how services like Airtime Rewards, as well as TfL, can connect Google Pay transactions with the original source account. What this means is that the few times I used the phone, with my Santander card, to pay for TfL (because I’d forgotten my physical card at home), it was still showing up as a new contactless card on their website.

But, as I said, I used the Chase UK physical card to travel, so that shouldn’t have been a problem for me. So, I went, and added the details of the card as shown in the app to TfL’s website and… well, I couldn’t find anything. Not just no incomplete journeys, but no journeys at all. No travel history. No payment history. Nothing. Despite having a number of charges from TfL on my statement.

So I took a chance, when I was coming back from Italy, to take with me one of the smartcard readers I used to use. While I couldn’t at first get it to work fine on my Linux machine (I since fixed that), I found an EMV (the smartcard application used for Mastercard and Visa chip cards) inspector for Windows, and looked at what it reported. I could have also tried finding a working one for Android, but it does look like most of them have since become paid-for, at least to show you the actual EMV details of a card, maybe to protect against malicious use.

What did I look for, on the card? Well, even if the physical card did not have a magnetic stripe (which it does, because it’s Chase after all), the “Track 2 Equivalent Data” – that is, the cardholder name, and the 16-digit PAN – is still present in the fields of the EMV application. Now, if you’re used to Revolut or Curve, you know that they both allow you to see the details of your card on their app, as long as you authenticate with a fingerprint, and they will match what you see printed on your physical card, which in turn will match what is on the magnetic stripe (when present), and the EMV application. You shouldn’t be faulted for thinking that the same would hold true for Chase UK, but that is not the case.

Indeed, it looks like Chase UK is explicitly providing a different PAN on the physical card than it shows you in the app — despite the app being used to “activate the card” when it arrives, being able to control the card (toggling contactless, chip&pin, swipe transactions and so on), and see the PIN connected to it. I can’t remember or find any reference that documents that what you see in the app does not match what the physical card provides.
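The check described above can be repeated on a record dumped by any EMV inspector. The following is an added example, not code from the original post: it parses a BER-TLV record, decodes tag 57 (Track 2 Equivalent Data) and compares the chip PAN with the PAN shown in an app. The record, both PANs (public Mastercard test numbers), the cardholder name and all function names are constructed for illustration.

```python
def parse_tlv(data: bytes) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into templates."""
    out, i = {}, 0
    while i < len(data):
        first, start = data[i], i
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag such as 5F20
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                  # constructed object, e.g. template 70
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out

def decode_track2(value: bytes) -> dict:
    """Tag 57: PAN, 'D' separator, YYMM expiry, service code, 'F' padding."""
    pan, rest = value.hex().upper().rstrip("F").split("D", 1)
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}

def mask(pan: str) -> str:                # first six + last four, safe to log
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def compare(record: bytes, app_pan: str) -> dict:
    fields = parse_tlv(record)
    chip = decode_track2(fields["57"])
    return {"chip_pan": mask(chip["pan"]), "app_pan": mask(app_pan),
            "expiry_yymm": chip["expiry_yymm"], "same_pan": chip["pan"] == app_pan,
            "name": fields["5F20"].decode("ascii").strip()}  # name is tag 5F20

# Constructed sample: template 70 holding tag 57 and tag 5F20 (test values only).
T2 = bytes.fromhex("5555555555554444D2512201000000000F")
NAME = b"CARDHOLDER/TEST"
INNER = b"\x57" + bytes([len(T2)]) + T2 + b"\x5F\x20" + bytes([len(NAME)]) + NAME
RECORD = b"\x70" + bytes([len(INNER)]) + INNER
APP_PAN = "5105105105105100"              # PAN as the app would display it

if __name__ == "__main__":
    print(compare(RECORD, APP_PAN))
```

A `same_pan` of `False` is the situation the post describes: the details shown in the app cannot be used to look up journeys made with the physical card.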

Indeed, the only reference that may suggest something is different than other issuers is that under “Card details”, it shows:

Returns and collections

For your security, some purchases use different card details. Go to the transaction to see them

Indeed, after you do go ahead and click through one of the transactions from TfL, you can finally find a call to action if you intend to add the card to TfL, from where the actual details of the card can be found, including the CVV2 that is not otherwise available on the EMV application details (since it’s not part of Track 2.)

In the app text, this is all declared to be “for security” — the assumption is that, since you don’t get to know the details of the physical card, you can’t use it online, so any skimming that would lead to an attempt to use those details online is for nothing. Indeed, even for transactions that used the physical card, but are not coming from TfL, there’s no way to see the full original details.

This may be a decent security measure, but it also means annoyance for some corner cases. If you buy a ticket for the cinema online, they usually require you to use the card you used to pay to pick it up — since Chase UK is not telling you that the details you’re given don’t match the physical card, you may have to end up in a long annoying discussion with a cashier over the fact that you’re unable to provide exactly that card.

This is exactly the type of “security” that I was afraid would end up being justified with “PSD2 made me do it” — even though in this case, there’s no PSD2 excuse claimed, either. It might have some effect on fraud, but it also will cause annoyance to users with no clear explanation as to why. It is an uncommon step to take, and not one that is explained in any detail for the customers. At the very least, I would have expected that the card would have a Virtual Account Number, similar to what Google Pay would provide, that TfL would be able to map to the card I’m adding, the same way it can map the virtual cards generated by Google Pay.

But, maybe, I’m just expecting too much from a bank.

Comments 2
  1. If you look at your details in the spending from TFL, you can actually see the different ‘card’ used with the details. Adding that to TFL works. What I also found is that it is that card and not the one in the app needed for the airtime rewards app.

  2. Such a helpful article. I have had no luck getting any TFL history for my chase bank card – physical or through google pay. Very frustrating and neither TFL nor Chase seem equipped to help!
