The Scottish Mail on Sunday

Will banks soon check it’s YOU shopping simply by the way you hold your phone?

With just days to go until the starting gun is fired on the most intensive payment card security crackdown ever...

- By Laura Shannon

A MAJOR crackdown on online fraud launches in less than two weeks’ time – and it will herald radical changes to the way we shop online. Under new EU legislation – regardless of whatever happens with Brexit – it will eventually become almost impossible to make online purchases worth more than £30 using only a bank card. In a bid to stop fraudsters going on spending sprees, retailers are being told they must also ask you to prove that you are the cardholder when you make a purchase.

In practice, this means that you will need to enter a temporary ‘authentication’ code after you have input your card details on a retailer’s payment page.

This code, which will be generated by your card provider, will be sent to you by text to your mobile phone, via your mobile banking app or in an email to the address registered with your bank.

Banks and online retailers – from small traders to major names such as Amazon, John Lewis, and M&S – have been given 18 months to conform to this new system, which will be rolled out gradually.

The Mail on Sunday understands customers of some banks will begin to see the demands pop up as they shop at larger retailers in the coming months – well ahead of the final deadline to play by the new rules. Follow our definitive guide to prepare for the online shopping security revolution.

WHY MAKE IT HARDER TO SHOP ONLINE?

THE new rules are designed to tackle soaring online fraud. Simply put, banks and retailers are losing the war against crooks, who are frequently going on spending splurges with stolen debit and credit card details.

On the dark web – a hidden corner of the internet where it is impossible to trace users – stolen card details and the corresponding names and addresses are frequently traded between criminals who go on to commit identity fraud.

Many of these sensitive details have been obtained by hackers.

Online fraud on UK retail websites hit £265million in 2018 – a 29 per cent rise on the previous year.

Crucially, banks nearly always cover these fraud losses. The only time they are allowed to refuse is where they have evidence that the customer was negligent with their card details. If you have ever seen a rogue payment on your bank statement and have had to ask the bank to refund it, your details may well have been traded by criminals.

A crook who wants to commit identity fraud needs only someone’s long card number, the CVV security code on the back, the name on the card and the address where it is registered. Some websites accept payments with even less information than this. Hence the big security shake-up being launched this month.

HOW WILL IT WORK IN PRACTICE?

The new rules – called Strong Customer Authentication – are the UK’s version of an EU-wide drive to beef up security for both online purchases and internet banking (see box below).

The key principle for online shopping is introducing an extra layer of identity checks to confound fraudsters who try to spend using stolen card details. One industry source told The Mail on Sunday that, at first, nearly all banks will use a mobile phone SMS text message to satisfy this extra layer of security. In practice, what will happen is that when you press ‘pay’ on a retailer’s website – having already entered your card details, name and address as you do today – the company will send a request to your bank asking it to authenticate the transaction.

When the bank receives this, it will work out whether to allow the transaction through or not. In about one in four cases, estimates suggest, the bank will require the customer to prove they are the owner of the card they are using to make the purchase. To do that, the bank will send a special temporary code to the mobile phone number that it has registered under your name. You will then need to enter this code into the retailer’s webpage to complete the transaction.

You may have noticed your bank recently asking you to confirm that it has an up-to-date mobile phone number linked to your account. This is no coincidence – it has been a vital part of the preparation work for the new rules. In time, sources say, banks will move to more sophisticated methods of proving your identity. For example, some are understood to be working on systems where you will be able to log in to your mobile banking app and use the fingerprint scanner or facial recognition technology available on modern smartphones to verify a purchase.

Banks will also offer alternative ways to verify your identity if you don’t have a mobile phone or can’t get a good enough signal to receive a text message. In these instances, your bank may offer to give you the code as an automated message read out over your landline.

WILL I HAVE TO DO THIS FOR ALL PURCHASES?

NO. Under the rules, you are likely to need to prove your identity for most larger purchases of more than €30 (£27). But the plans currently allow exemptions for smaller purchases – up to a point. For example, you may be asked to prove your identity once you have made five purchases of less than £27.

Another exception may be stores where you are a regular customer and have an account. Think of a website like John Lewis. If you buy something using your card and opt to store those card details in your online account for future use, the retailer will only require you to prove your identity once, rather than every time you make a purchase.

That’s why the early industry estimates suggest one in four transactions will need authenticating, rather than all of them.

On top of this, a new system to flag ‘suspicious’ purchases is being developed for use by banks, The Mail on Sunday understands.

Technology being launched by Mastercard will enable banks to analyse incredibly precise details of your purchase.

For example, banks will be sent information on your location and the device you are using to shop online. If you are using a mobile phone, this could include the angle that you are holding the phone and the way you tap the keys on the touch screen, industry sources say. This information will be transmitted to the bank in the background.

If anything seems amiss – for example, the way the phone is being held does not match your usual habits – this will be taken into account when the bank decides whether to trigger a request for the customer to prove their identity.

The same is true for larger and unusual purchases – such as flights or a big order from a foreign website you have never used before.

The Strong Customer Authentication rules will also be applied to some off-line shopping on the high street.

For example, people making contactless payments – where they tap a card on the payment terminal rather than inserting it – may be asked to enter their PIN more often than is the case now.

ORIGINALLY, the changes were due to happen overnight on September 14 – as dictated by the EU. However, many online companies were not ready to implement the necessary changes this month. There were also concerns that customers had no idea what was going on due to a lack of communication by banks. Some banks were also criticised for failing to prepare a way to cater for customers who do not have a mobile phone, lose their handset or suffer from such a poor mobile phone signal that the codes could not be received promptly enough to complete online transactions.

To allay these concerns, the Financial Conduct Authority earlier this month pushed back by 18 months the final deadline for banks and retailers to play by the new rules.

HAVEN’T I SEEN THIS BEFORE?

YES – but in a much more basic form. Years ago, card companies introduced a second layer of checks for online purchases. Mastercard, for instance, has a service called Secure Code and Visa has Verified by Visa for banks that use their cards. Customers were asked to create a password they had to enter to complete some transactions. However, in practice Mastercard says just 1 per cent of purchases trigger a request for this extra level of verification.

And because the systems were never obligatory, many retailers such as Amazon chose not to use them for fear the extra hassle would put off customers. Thanks to the EU ruling, there will be no avoiding the new authentication services. Mastercard’s system is called Identity Check and will replace Secure Code.

HOW DO I AVOID GETTING CAUGHT OUT?

TO PREPARE for changes, you should first ensure your bank has your up-to-date phone number. It’s also worth downloading your bank’s app to your mobile phone and working out how to use it.

If you are offered a card reader – which banks such as NatWest and Nationwide Building Society require for logging on to online accounts and authenticating payments – get one as soon as you can.

Eric Leenders, of banking trade body UK Finance, says: ‘We would encourage anyone concerned about their ability to verify online payments to speak with their bank or provider, to discuss what alternatives may be available. Your bank could use a text message, phone call, banking app or card reader to check your identity. Other methods are available and more are being developed that will make it easier, including biometric technologies.’

SHAKE-UP: Shoppers face a new system of authentication codes which can use your phone to verify online payments
