SECURITY ALERT:
How card firms are putting YOU at risk online
VITAL password systems for protecting online shoppers are being brushed aside by credit card issuers to help oil the wheels of commerce. Password safety checks have been used for many years – and are designed to give buyers ‘complete confidence when shopping online’. They help validate that shoppers are who they say they are when making a purchase by computer.
But retailers and plastic card issuers find the checks create a barrier to sales and risk them losing custom – so in many cases the verification screen does not even appear and this extra layer of security is effectively bypassed.
The three most common protection systems shoppers sign up to through card issuers are Verified by Visa, MasterCard SecureCode and American Express SafeKey. They are not compulsory but shoppers are strongly advised by providers and anti-fraud organisations to join.
HOW VERIFICATION WORKS
THE checking systems all work in a similar way – using pop-up screens at the end of an online transaction that prompts the customer to provide digits from their chosen password, or in the case of Amex, tap in a one-time code that is sent by text or email. Some provide a personal greeting that confirms to the buyer that the checking request is a genuine one.
These measures are primarily designed to prove the buyer is the cardholder before an online purchase is completed.
When an online business signs up to a verification system, the card issuer steps in during a transaction to verify the authentic- ity of the purchaser. The aim is to reduce fraud while switching any liability from the retailer to the card issuer.
VANISHING SECURITY SCREENS
INCREASINGLY, buyers are noticing that the verification screen does not always pop up – with transactions waved through without this extra layer of security. In some cases, even when a screen appears and the shopper fails to enter the password, the purchase goes ahead regardless. On other occasions, the screen appears momentarily and vanishes before the shopper can take action. Christopher Caruk, from High Wycombe, Buckinghamshire, is a technology expert who helped design the UK’s first chip and PIN security systems. Recently, he was astounded to find that a purchase for £2,000 worth of airline tickets – which he believed he had cancelled before the sale completed – still went through without his authorisation.
He says: ‘The payment was taken by the merchant and accepted by my card provider HSBC, even though I did not provide the requested digits from my secret security code.’
Christopher, 54, who is married to training consultant Claudia Lima, 60, was planning to pay for the tickets using the couple’s HSBC MasterCard.
But just before finalising the transaction, he noticed he had misspelt his wife’s name on the flight booking.
As a result, he decided not to enter his secure code and pressed the ‘cancel’ button, believing the transaction would not go ahead. He was wrong. The payment was still taken.
REDUCE ABANDONED PURCHASES
BEHIND the scenes, it seems the merchant and MasterCard had completed a ‘risk assessment’ and decided Christopher’s transaction could go ahead – irrespective of him not completing the verification process.
Businesses are scaling back the use of pop-up checking screens according to research by Visa. The move is to stop shoppers abandoning transactions when they cannot remember passwords – or using another form of payment.
Instead, card issuers are switching to ‘risk-based authentication’. Here, a customer who regularly shops at a particular website from a certain computer is likely to have a purchase waved through. But a first-time purchase or one made from an unknown computer will trigger the password screen.
Visa says just five per cent of transactions are high risk and claims fraud levels have remained stable despite the reduced checks. But Christopher and Claudia’s air tickets were a first-time purchase with the travel website – therefore they expected authentication to be compulsory. It was not.
Christopher says: ‘It’s as if I had walked into a shop, taken goods to the counter, started pulling money out of my pocket but then decided not to buy – only then to have the shop assistant run after me, take my money and force the goods on me.’
He adds: ‘Such changes to online security expose buyers to fraud. It seems all someone needs to do to fraudulently use someone else’s card is to press cancel when the pop-up screen asks for the security code.’
The couple contacted the travel company to inform it they had not authorised the online payment but they were rebuffed. It demanded £100 to cancel the transaction and refund the price of the tickets. Christopher, who went on to book the flights a second time from the
same website, adds: ‘HSBC wasn’t interested when we told them there was a serious flaw with its security system.’
HSBC eventually agreed to issue the couple with a credit covering the flight cancellation charge but were told that if the merchant disputed it the bank would reinstate the charge.
HSBC says: ‘If a customer gets to the SecureCode page, they have already confirmed to the retailer they want the item or service.
‘If they cancel at that stage, the retailer can still proceed with the transaction but if they do so, it loses certain rights if the customer disputes the payment.’
The bank adds: ‘Not all online retailers use verification which is why some websites won’t ask for the password, such as Amazon.’
MasterCard says: ‘SecureCode is not about customers authorising the transaction, that happens when they click on the ‘buy’ button.’
CARD NOT PRESENT RISKS
THE cost of ‘card not present’ fraud has risen 80 per cent in the past five years. Katy Worobec, director of Financial Fraud Action UK, says this is primarily a result of the theft of card details by hackers.
She says: ‘Measures taken by banks, including online verification, have stopped £6 in every £10 of attempted card fraud.’