How do I prove I’m me when buying online if I don’t have a mobile device?
Strong customer authentification protects us from fraudsters but can cause headaches
Idon’t use telephone or online banking but regularly use my debit card to buy things online. Previously my bank would verify it was a valid purchase by sending me a One Time Passcode by e- mail, and this worked perfectly. However, the bank is now insisting these passcodes have to be sent to a mobile phone, but I don’t have or plan to get one. Can I receive a One Time Passcode by a different method?
From September last year, banks and retailers have been introducing a whole suite of security checks when you buy goods online, log in to your online banking or use a contactless card. Dubbed “Strong Customer Authentication”, it stems from new European regulation designed to cut fraud and protect payments by checking that it is really you making a purchase.
Banks and retailers have to make extra checks to verify your identity and that you’re a genuine payee. They can do this in three ways - through something only you know
( a password or pin); something only you possess ( a card reader or registered mobile device); and something only you are ( a digital fingerprint or voice pattern).
Small transactions, recurring payments and direct debits are excluded. You can also “whitelist” regularly used retailers with your bank, so you don’t have to repeatedly jump through additional hoops. Banks are carrying out these checks in lots of different ways – through SMS texts to your phone, via mobile banking apps, card readers, email and even landline calls. Each card provider and bank can decide how it carries out the checks and, as you’ve just discovered, are free to change the way that they do. In the bank’s defence, email phishing scams are rife and it may believe that offering email verification is too risky for it and its customers.
But where does that leave you? Well, the banking watchdog, the Financial Conduct Authority, has publicly stated that people in your situation, who don’t own a mobile phone, should not be disadvantaged and that your bank should tell you about the other ways you can verify a payment. Which? surveyed all of the major banks last year when the rollout of Strong Customer Authentication began. Some were allowing passcodes to be sent via email as a temporary measure, not as a long- term solution. I suspect your bank had a similar approach for a period for customers to adapt to a new way of paying. At the time of our research, only Nationwide, Royal Bank of Scotland, Natwest and The Co- operative were offering passcodes via email. However, there were plenty of firmsoffering authentication via a landline, which could be a useful alternative. This would either involve receiving an automated call where you are told a passcode to enter in on payment, or a customer service team verifying your identity. If you’re really dissatisfied with the changes your bank has made, consider switching accounts, or opening an additional account.
See the full list of banks and their authentication methods at which. co. uk/ sca
Gareth Shaw is the Head of Money at which. co. uk