IDENTITY CRISIS
Banks’ growing security checks to tackle the scourge of card fraud
I don’t use telephone or online banking but regularly use my debit card to buy things online. Previously my bank would verify it was a valid purchase by sending me a One Time Passcode by email, and this worked perfectly. However, the bank is now insisting that these passcodes have to be sent to a mobile phone instead, but I don’t have or plan to get one. Can I receive a One Time Passcode by a different method?
Name and address supplied.
Gareth says…
From September last year, banks and retailers have been introducing a whole suite of security checks when you buy goods online, log in to your online banking or use a contactless card. The deadline for all banks and retailers to do this is March 2021.
Dubbed ‘ Strong Customer Authentication’, it stems from new European regulation designed to cut fraud and protect payments by checking that it is really you making a purchase. Criminals stole £ 1.2bn in 2019 through scams and fraud.
There were more than two million instances of ‘ card not present’ fraud, with losses totalling £ 470m.
Under the new rules, banks and retailers have to make extra checks to verify your identity and that you’re a genuine payee.
They can do this in three ways – through something only you know ( a password or pin); something only you possess ( a card reader or registered mobile device) and something only
you are ( a digital fingerprint or voice pattern). This doesn’t apply to every payment. Small transactions, recurring payments and direct debits are excluded.
You can also ‘ whitelist’ retailers with your bank, so you don’t have to jump through additional hoops if you regularly buy goods from the same retailer.
Banks are carrying out these checks in lots of different ways – through SMS texts to your phone, via mobile banking apps, card readers, email and even landline calls.
Each card provider and bank can decide how it carries out the checks and, as you’ve just discovered, are free to change the way that they do.
In the bank’s defence, email phishing scams are rife and it may believe that offering email verification is too risky for it and its customers.
But where does that leave you? Well, the banking watchdog, the Financial Conduct Authority,
has publicly stated that people in your situation, who don’t own a mobile phone, should not be disadvantaged and that your bank should tell you about the other ways you can verify a payment.
This also applies to people who live in areas with poor mobile reception, who may struggle to receive text messages.
Which? surveyed all of the major banks last year when the rollout of Strong Customer Authentication began.
Some were allowing passcodes to be sent via email as a temporary measure, not as a long- term solution. I suspect your bank had a similar approach for a period for customers
to adapt to a new way of paying.
At the time of our research, only Nationwide, Royal Bank of Scotland, NatWest and The Co- operative were offering passcodes sent via email. I should caveat that this was carried out last year, so this may not be the case now.
However, there were plenty of firms, including most of the major high street offering authentication via a landline, which could be a useful alternative.
This would either involve receiving an automated call where you are told a passcode to enter in on payment, or a customer service team verifying your identity.
If you’re really dissatisfied with the changes your bank has made, you may want to consider switching accounts, or opening an additional account.
You can read the full list of banks and their authentication methods at which. co. uk/ sca.
Criminals stole £ 1.2bn in 2019 through scams and fraud. Gareth Shaw, Head of Money at Which?