Security for online transactions

[todthedog]

Anyone else having problems with the new secondary security, receiving a text message with a code to confirm a transaction.
Where we live there is no mobile coverage. No text messages.

To date Nationwide and MBNA no alternative plan in place.

Nationwide solution I accept responsibility for no secondary security.
MBNA I phone them prior to each transaction go through the transaction with them babysitting .

No one even thinks it is an issue, everyone has a mobile phone and lives in a big city

[didds]

No one even thinks it is an issue, everyone has a mobile phone and lives in a big city

Yup.. Its the same scenario as "everyone" lives within a commutable distance of the City apparently, when seeking work and ebign contacted by agentcies

didds

[mc2fool]

No one even thinks it is an issue, everyone has a mobile phone and lives in a big city

New online security checks exclude people without mobile phones or decent signal
"...when we surveyed 1,838 Which? members in March 2019, nearly one in five told us they could be excluded from making online card payments entirely, either because they don’t own a mobile phone (4%) or have poor mobile phone signal at home (13%)."

https://www.which.co.uk/news/2019/06/new-online-security-checks-exclude-people-without-mobile-phones-or-decent-signal/

Here's a relatively up to date (14-Sep) list of which banks are doing what. Nationwide's alternatives to SMS are "From Q1 2020".

https://www.which.co.uk/news/2019/09/new-online-security-checks-kick-in-today-what-will-your-bank-require/

[sunnyjoe]

A plan was announced today to improve coverage from two thirds of UK today to 95% by 2025
https://www.bbc.co.uk/news/business-50179195

Some financial services and social media providers offer 2 factor authentication via email or an authenticator app which might help if you have a reasonable internet connection at home

[swill453]

To date Nationwide and MBNA no alternative plan in place.

Nationwide have a card reader, can't you use that?

Scott.

[todthedog]

I suggest this, no go.
Ditto as yet with email.
Nor an automated call on landline as does HM revenue.
They are seeking alternatives

[sg31]

We are in a not spot. I can sometimes get a text (in or out) if I hang out of the upstairs back window and wave the mobile above my head slowly. Alternatively a walk backwards and forwards at the top of the garden might get a momentary signal. As for using it as a security aid, forget it.

Apparently some mobile companies will do mobile over internet wifi but I have all my computers hard wired as I use them for moving money and share dealing. I didn't trust myself to set up WiFi securely so went for cable connections rather even trust homeplugs. Anyway because we can't get a signal at home I've never updated my mobile phone and it won't work with internet WiFi according to 3

I know one bank sends a code by landline, I think that was Tesco but I've just closed those accounts. If other companies did the same I wouldn't have a problem.

This can't be an isolated problem, according to BBC news 35% of the country doesn't have a reliable mobile signal and even after the newly announced plans to get rid of not spots there will still be 5% not covered.

[PinkDalek]

Anyone else having problems with the new secondary security, receiving a text message with a code to confirm a transaction.
Where we live there is no mobile coverage. No text messages.

To date Nationwide ...

Is this a similar issue to that being discussed at Bank Accounts etc?:

viewtopic.php?p=260039#p260039

Card reader?

[stevensfo]

To date Nationwide and MBNA no alternative plan in place.

Nationwide have a card reader, can't you use that?

Scott.

If you have a current account, Nationwide will still allow you to use the card reader if you don't want to use a phone.

My attitude to security has changed a lot over the last few years. I've had colleagues who have had strange deductions from their contactless cards, then this summer, my own card was cloned and used in two shops in London. I only noticed because I never use that card in shops; only online, and keep a close eye on the balance. The bank was quick to react but totally uninterested in finding the culprit, despite me being 99% sure where it was cloned. Apparently, the thieves are very clever in using the cards for sums that probably wouldn't stick out like a sore thumb and in shops where we may have gone, or are too embarrassed to admit that we can't remember.

So now, it's mainly cash or cards with real time notification via the App.

Steve

[XFool]

To date Nationwide and MBNA no alternative plan in place.

Nationwide have a card reader, can't you use that?

I suggest this, no go.

Whyever not? It is one of their standard methods and will continue in use after the change to their log on procedures.

[stevensfo]

To date Nationwide and MBNA no alternative plan in place.

Nationwide have a card reader, can't you use that?

I suggest this, no go.

Whyever not? It is one of their standard methods and will continue in use after the change to their log on procedures.

Received today from Nationwide:
(my Bold)


What you need to know

You’ll still be able to log in to the Internet Bank with your card reader, but you will no longer be able to use memorable data to log in. Don’t worry though, we’ve introduced a new way to log in using a one-time code sent in a text message. Learn more about these changes or view our video.
Make sure your details are up to date

If you’re not sure if we have the right mobile number for you, you can check and update your contact details in the Banking app or Internet Bank. If you’re not already registered, learn more about how to download our Banking app.

Use your card reader to log in
If you have a current account with us, you can continue to use your card reader as usual. If you no longer have a card reader or have forgotten how to use it, get help using your card reader or log in to the Internet Bank and order a new card reader.

You can use any bank or building society card reader to log in, as long as it accepts your debit card.

If you can’t use a card reader or a mobile phone, please get in touch by calling the number on the back of your card, or visiting in branch to discuss your log in options.

Steve

[todthedog]

Card readers are fine, sorry but I think I was not making my problem clear.

However if you buy something on line fill out all your details push the buy button.
The screen whirls and then wants to send a security code to your mobile that you have to enter to verify and complete the transaction.
If you don't have a mobile or receive a mobile signal it is impossible to complete the transaction.

No alternatives offered or suggested.

I said that perhaps my wife should take the mobile phone, drive the 5 miles up the road where there is a signal, get the code and then phone our landline to me at home to complete the purchase. I don't think Nationwide were even aware of the sarcasm!

[Alaric]

However if you buy something on line fill out all your details push the buy button.
The screen whirls and then wants to send a security code to your mobile that you have to enter to verify and complete the transaction.
If you don't have a mobile or receive a mobile signal it is impossible to complete the transaction.

Is that at least partly the fault of the site you are trying to buy from? You could try giving them grief as it's their sale they've lost.

[XFool]

...I see the problem.

I wonder why card readers are not automatically used as an alternative for all online transactions, after all the verification involves the PIN card and the account. Is it known if they can they be used with some merchants but not others?

[JohnB]

You are conflating 2 changes

1) banks insisting on card readers or mobile codes to log in to their sites

2) shops payment processing systems generating mobile codes

For 2, no card reader is involved, and shops will have the option of skipping the verification step for either small transactions or valued customers, if they take on the risk of fraud from the banks. I guess any retailer that does will gain a competitive advantage as all the rest see a high rate of abandoned transactions, already a big concern for them. I hope Amazon will take this approach, as the main place I buy stuff, and tourist attractions will go back to the sensible approach of selling you a ticket on the door.

[chas49]

You are conflating 2 changes.

Yes, I think that's correct.

However, in the online shopping scenario, the merchant's payment processor won't be choosing to verify by text, it'll be the card company or bank. The merchant, or their payment processor, won't have your mobile number - or if they do it wouldn't be worth them using it.....

[mc2fool]

You are conflating 2 changes

1) banks insisting on card readers or mobile codes to log in to their sites

2) shops payment processing systems generating mobile codes

For 2, no card reader is involved, and shops will have the option of skipping the verification step for either small transactions or valued customers, if they take on the risk of fraud from the banks. I guess any retailer that does will gain a competitive advantage as all the rest see a high rate of abandoned transactions, already a big concern for them. I hope Amazon will take this approach, as the main place I buy stuff, and tourist attractions will go back to the sensible approach of selling you a ticket on the door.

Errrr....not sure where you're getting all that from but as I understand it it's all pretty much the opposite.

The changes are all part of and mandated by the Strong Customer Authentication (SCA) requirement of the EU Revised Directive on Payment Services (PSD2), which requires multi-factor authentication when a payer:

(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

I.e. whenever you (a) log in, (b) buy something online, transfer money, etc (c) do stuff like change your linked account, etc.

For buying stuff online it's not the shops that will be implementing it but the card issuers (your bank) in conjunction with the card providers (Visa, Mastercard, etc), like Verified by Visa and Mastercard Securecode were. As the Which article I linked to earlier makes clear, some issuers will be allowing card readers to be used for online purchases (inc. Nationwide from Q1 2020).

In regards to having the option of skipping the verification step for either small transactions or valued customers, again, it's the card issuers that will be implementing the provisions of the directive, which allow exemptions for:

low-value payments under €30 or equivalent in pounds (until you make more than five exempt payments in a row, or the total value hits €100),
recurring payments, so if you take out a subscription you’ll only be asked to prove your identity once,
direct debits set up for regular bills.
Your bank may also allow you to add any online shopping site that you trust to a ‘whitelist’, meaning it will not continue asking for authentication after the first check.

https://www.which.co.uk/news/2019/09/ne ... nk-require

Also see https://www.barclaycard.co.uk/business/ ... cation-sca

[XFool]

You are conflating 2 changes

1) banks insisting on card readers or mobile codes to log in to their sites

2) shops payment processing systems generating mobile codes

For 2, no card reader is involved, and shops will have the option of skipping the verification step for either small transactions or valued customers, if they take on the risk of fraud from the banks.

But why should these be separate, if they both relate to a Chip & PIN card?

Previously, paying by say a credit card online could direct you to something like 'verified by VISA'. As a replacement I have been issued with a Barclaycard 'PIN sentry' card reader for a credit card - I have no Barclays Bank accounts to log on to. I can't see why this should be different with a debit card, though personally I never use one for purchases.

[todthedog]

I would love to use my card reader to verify online purchases, not an option.

Just a verified by visa/mastercard screen with instructions to use the code sent by text.
I believe this is sent by the card issurers or visa/mastercard not the merchants, to conform with the new regulations.

[XFool]

I would love to use my card reader to verify online purchases, not an option.

Just a verified by visa/mastercard screen with instructions to use the code sent by text.
I believe this is sent by the card issurers or visa/mastercard not the merchants, to conform with the new regulations.

It seems this is being rolled out, or has so far, in an inconsistent manner by the banks. It would obviously be helpful if a standardised approach was adopted by everyone.

I remember when Chip & PIN was first introduced, the machines used by different retailers were all of a different design. You never knew whether to put the card in at the top, the bottom, the side... Let us hope that in time this new system ends up with a sensible, standardised set of options. Phone PIN or Card Reader.