Author Topic: Online card payments changing ?  (Read 1650 times)


magic
« Reply #1 on: August 27, 2019, 09:55:58 pm »
Some stupid new EUSSR directive about e-banking security.
My bank keeps reminding me that from the 14th I will need SMS confirmation to fucking log in to their website.

As I understand, it boils down to basically everything requiring 2 factor authentication. So yes, if you don't have a phone or it craps out then you can't do anything over the Internet, not even check your balance.

I presume that cards will continue working as before, though.
« Last Edit: August 27, 2019, 10:00:17 pm by magic »
 

StillTrying (Topic starter)
« Reply #2 on: August 27, 2019, 10:14:53 pm »
Quote
I presume that cards will continue working as before, though.

But not online ?

An SMS confirmation code wouldn't be too bad compared with insisting you download an app. I don't use a smartphone, so I'm looking at closing accounts instead. :o

I predict chaos, especially in the UK.
.  That took much longer than I thought it would.
 

MrMobodies
« Reply #3 on: August 27, 2019, 10:22:53 pm »
I hear of SIM swap frauds here in the UK.

If such a requirement becomes inevitable I'd get a separate phone with a prepaid SIM and a new number where I don't receive spam JUST for the SMS that nobody knows about but the bank system for each bank and also a dedicated laptop. I have this distrust of "APPS" with online banking on phones.

I still don't think that is enough when quite a few spam callers in the past knew my name and whom I'm with.
« Last Edit: August 27, 2019, 10:26:56 pm by MrMobodies »
 

SiliconWizard
« Reply #4 on: August 27, 2019, 10:32:29 pm »
Up until now, in most cases your bank had to credit you back in case of fraud on online payments.

I highly suspect this "increased security" thing may lead to the banks not being required to do so anymore, thus putting back all liability on your shoulders.
Tell me I'm wrong though.
 
The following users thanked this post: MrMobodies

StillTrying (Topic starter)
« Reply #5 on: August 27, 2019, 10:59:48 pm »
Quote
I highly suspect this "increased security" thing may lead to the banks not being required to do so anymore, thus putting back all liability on your shoulders.

Oh yes, much of what I've read is how it conveniently shifts the blame from the merchant or bank on to the user.

I'm considering a small ebay spending spree, while I still can. :)
« Last Edit: August 27, 2019, 11:13:32 pm by StillTrying »
 

MrMobodies
« Reply #6 on: August 27, 2019, 11:50:26 pm »
How RIGHT you are.

https://www.thesun.co.uk/money/7071921/rights-if-scammed-bank-customers-protection/
Quote
The Sun

BANKING BLUNDER Banks slammed for blaming customers who’ve been scammed – your rights if you’ve been conned
Banks don't have to refund cash stolen from customers' accounts if they handed over personal details

Hollie Borland
22 Aug 2018, 11:13

BANKS have been slammed for automatically blaming scam victims when money has been lost to fraudsters.

The Financial Ombudsman has warned the industry that it's "not fair" to claim that a customer has been "grossly negligent" just because they've fallen for a scam.
Banks are being warned that it's "not fair" to automatically blame customers when they've been a victim of fraud (Credit: PA:Press Association)

Customers were conned out of nearly £236million last year but only a quarter of that was actually refunded, according to UK Finance.

Banks have to refund cash stolen when a transfer is made without their authorisation.

The ombudsman claims that the firms often shift the blame on customers who may have handed over personal details which has allowed the fraud to happen so they don't have to pay out.

But crooks are using more sophisticated measures making a scam harder to spot, like masking their phone number to make it look like they're calling from the bank.

And now they WILL get authorisation through their phones whether it is authorised by the real owner, a SIM swapper or through a hidden remote controlled piece of software installed by some free "app".

So banks now have a new DIY victim blaming machine where the customer is "seen" authorising it themselves.


Edit:

I found this:

https://www.bbc.co.uk/news/business-48385426

Quote
How will the new code work?

People who realise they have been caught out in these "authorised push payment" scams should report the fraud to their bank immediately as normal.

From now, payment providers - primarily banks - that are signed up to the voluntary code will have a new set of criteria to judge whether the customer should get the money back.

Previously, banks only tended to reimburse people if there was an obvious fault in the way the payment was handled by the bank. Some £354m was lost in this fraud to individuals and businesses last year, but only £83m was refunded.

Now anyone who has taken reasonable care, or has any element of vulnerability, is much more likely to receive a refund of the lost money.

What are the pitfalls?

Anyone who has already been a victim of such a fraud cannot ask for their case to be reconsidered under the new rules.

A victim who has been "grossly negligent" will not be reimbursed.

Significantly, not all banks are signed up to the code. Banks such as Co-op and Virgin, which were not involved in drawing up the rules, said they could only sign up in the future. The Payment Systems Regulator has also ruled that the code should be voluntary, rather than mandatory.

Moreover, one bank - TSB - has broken ranks in announcing a guarantee that it would automatically refund all "innocent" customers who have been defrauded.

Other banks have suggested that a blanket refund policy would simply encourage fraudsters to try their luck.

A separate scheme to ensure a recipient's name is as important as the bank account number and sort code when payments are made - designed to cut out much of this kind of fraud - has also been delayed until the end of March next year.

Wouldn't that put customers at greater risk if the scammer is able to get hold of information through SIM swap or knows what bank you're with and your number to try and trick you in an SMS message through some hyperlink if they copy what one looks like from the bank?
« Last Edit: August 28, 2019, 12:16:59 am by MrMobodies »
 

StillTrying (Topic starter)
« Reply #7 on: August 28, 2019, 12:51:46 am »
I'm amazed by how many ppl think having all their bank security in their phone is great, until they lose it or it gets nicked.

https://www.which.co.uk/news/2017/10/revealed-how-text-message-scammers-pose-as-your-bank-to-rip-you-off/

Humans survived nearly a million years without even knowing what electricity was, now if the leccy goes off for a couple of hours ppl start to die, living every part and every second of our lives wrapped in a digital networked smog won't end well.  :scared::horse:


Don't tell me I'm gonna need a smartphone to use paypal, I just don't know at the moment. :-//
« Last Edit: August 28, 2019, 01:38:19 am by StillTrying »
 

HwAoRrDk
« Reply #8 on: August 28, 2019, 06:13:16 am »
I think, in a way, this thing is a step backwards. By using SMS messages for second-factor authentication you are effectively introducing a reliance on the security of a third party: your mobile network operator. As others have said, SIM card or number-porting shenanigans are not unheard of.

The more sensible banks are not making assumptions that all their customers have mobile phones, and are making available other methods.

For example, my mother got a letter about these changes; she shops online frequently, but has never had (nor ever intends to get) a mobile phone. When she enquired at her bank's local branch, they told her they will be issuing card readers - of the same kind as already used for online banking - to customers like her.

Card readers are a more secure option in my opinion. They effectively add a third factor: you need to possess the physical card, possess a reader, and know the card's PIN. But, not quite as convenient, admittedly.
 

Towger
« Reply #9 on: August 28, 2019, 07:35:45 am »
Here they are going card reader and mobile app.  The banks which have already been using SMS are also changing. SMS is a disaster and their open support forums are full of problems.  Local 'cheap' providers block/lose them.  Go abroad, a bigger disaster.  In a country whose number starts with 7, forget about it working. Of course the call center 1st and 2nd line support are totally clueless.

I have an old savings account which cannot have a card, so that is screwed up.  I have to install their app...  Then you have people like my father, who will go from online banking to arriving into the bank (with dog) every few days to check his accounts.
 

Jeroen3
« Reply #10 on: August 28, 2019, 08:17:27 am »
I have to use my token generator for credit and debit card any time I order something in Europe. It's only the US that doesn't care about security and takes the numbers on the card as enough proof.
Even PayPal added SMS tokens to the equation some time ago.

Often you also have the option to be called instead of a text, a disability option. Some distorted computer voice will then read the numbers to you.
 

magic
« Reply #11 on: August 28, 2019, 09:43:12 am »
Quote
Often you also have the option to be called instead of a text, a disability option. Some distorted computer voice will then read the numbers to you.

What if the reason I don't have a cellphone is because I'm deaf? :clap:
 

StillTrying (Topic starter)
« Reply #12 on: August 29, 2019, 10:12:43 pm »
How come an app on a smartphone can generate the magic numbers but not an app on a tablet, or at least I've not seen a tablet app version yet?
 

Red Squirrel
« Reply #13 on: August 30, 2019, 12:46:02 am »
I hate the current implementations of 2 factor auth as they require you use a phone and there's no standard. Everyone does their own thing, and you need some stupid app.  What if you lose your phone?  What if your phone completely craps out?  There's no easy way to back this up.  I've been reluctant to use 2 factor auth on anything for this reason.  SMS is not TOO bad but it has its issues too.

At the very least there should be a standard format/protocol for 2 factor auth, and you should be able to run the code generator on a standard PC or dedicated hardware token etc and be able to make a backup of it.  Ex: some kind of certificate or key that you can back up. I hate that it's reliant on having a phone and it's just some black box app that you have no control over.
 

Jeroen3
« Reply #14 on: August 30, 2019, 05:46:57 am »
Quote
How come an app on a smartphone can generate the magic numbers but not an app on a tablet, or at least I've not seen a tablet app version yet.

There is a slight possibility the app uses the SIM card for the crypto operation.
The other most likely option is the developer is not getting paid to develop a version for the larger screen.
 

magic
« Reply #15 on: August 30, 2019, 06:02:07 am »
https://source.android.com/security/overview/app-security.html#sim-card-access

This suggests they probably don't. I expect the app just contacts the bank's website and downloads your key. If you are lucky, it uses HTTPS or other crypto to verify that it really is connecting to the bank and not some middleman messing with you.
 

Psi
« Reply #16 on: August 30, 2019, 06:47:20 am »
Be cool if they support a one-time-pad as well.
So if you're out of cell range you can use that.
Greek letter 'Psi' (not Pounds per Square Inch)
 

magic
« Reply #17 on: August 30, 2019, 06:50:27 am »
Quote
Be cool if they support a one-time-pad as well.
So if you're out of cell range you can use that.

They don't. My bank used to offer it and they are phasing it out precisely because of that stupid directive.
 

Towger
« Reply #18 on: August 30, 2019, 07:03:59 am »
I have not looked into it, but the banks' apps here will not work on a rooted phone. So might be using some unique ID from the phone. SIM, MAC address etc or drop a token/certificate on the phone.  Hopefully both.  They also go through an extra verification check when first used, such as looking for extra security/login verification.  I have also seen different levels of checks depending on the amount to be transferred. E.g. under 2k code via SMS, up to 20k letter in the post.
 

steve30
« Reply #19 on: September 02, 2019, 04:47:46 am »
I opened a new account at the Nationwide Building Society the other week. The lady there assured me that they can send the security code to an email address, so I gave her my email address for this purpose. This was backed up by the Which article in the first post.

I'm sure she also told me that it is only going to apply to transactions of over £90.

It sucks that they are trying to make things more difficult though.
 

Red Squirrel
« Reply #20 on: September 02, 2019, 06:56:40 pm »
The issue with this too is it's only a false sense of security.  Someone guessing your password is not "hacking".  Someone finding a flaw in the way the bank implements authentication, or someone finding a way into the bank's IT systems due to a code execution vulnerability in some public facing software, is what real hacking is, and is normally how data leaks happen.  Even if they use two factor authentication it won't protect from this sort of attack.   
 

