Which? Flags SCA Weak Spots As Enforcement Kicks Off

March 15, 2022
Strong customer authentication (SCA) could come at a cost for certain customers and open up new ways for fraudsters, the UK consumer association warns as the full implementation deadline glides by.

In a new alert published by consumer body Which?, the association says consumers without a mobile phone or reliable signal could be unable to make payments as banks are too reliant on mobile phones for carrying out the extra security checks.

The notice was published on March 14, which was the deadline for UK firms to fully comply with SCA rules and ensure they identify payors via at least two independent factors in online payments. All non-secure transactions will be declined from this date on.

The latest deadline brings SCA into card-based e-commerce transactions, which previously had only been required for online and mobile banking.

Need for alternatives to mobile phones

Although the new checks are intended to reduce fraud, Which? warns that the “improved security could come at a cost for customers who don’t use mobile phones or have patchy reception”.

When adopting the requirement, the UK regulator did not give specific directions on how firms should implement SCA; instead, it encouraged firms to develop their own ways to approve transactions.

This led to most banks relying on mobile phones for security, either by sending one-time passcodes via SMS or push notifications via their banking app.

An October survey by Which? of 4,438 current account customers showed that 17 percent of those who make online card payments had issues passing new security checks. Although SCA is inherently meant to introduce some degree of friction, these cases are related to issues such as poor mobile signal, the absence of a card reader to hand, running out of time to make the payment or not having a mobile phone.

According to the consumer body, around 300 people have already made complaints about SCA to the Financial Ombudsman Service.

It is worth pointing out, however, that in order for SCA to work properly, many stakeholders have had to be ready to implement it.

“Banks have been planning the implementation of SCA for years now,” Mastercard told VIXIO. The FCA ramp-up plan allowed all stakeholders to make sure the process works as intended by the time full compliance is required. By now, most consumers will have already experienced and overcome these initial frictions, the card giant explained.

In addition, most of the banks Which? was looking at offer more than one method of authentication, effectively allowing consumers to opt for alternative choices.

UK Finance stressed that SCA is an “important tool in the fight against fraud” and many customers “will have already come across SCA as it has been introduced gradually since the start of the year”. It advised customers to make sure their bank has their correct contact details so the process can work properly.

New ways for fraudsters

According to Which?, rather than reduce fraud, there is a danger that new SCA rules could help open up new opportunities for fraudsters.

“We could see a spike in fake texts, calls and emails claiming to be from ‘your bank’ using the new security checks as the hook,” the association says.

It also warns about the increased threat of SIM-swap fraud, where criminals trick mobile network providers into transferring a consumer’s phone number to a SIM card that they control.

“Whilst any consumer protection measures are to be welcomed, this is merely the tip of the iceberg,” Fergal Parkinson, director of TMT Analysis, commented.

“The new rules don’t go far enough and still leave the door wide open for potential SIM-swapping,” he added.

Instead of relying just on basic two-factor authentication, retailers should ensure that devices are linked to a specific person, according to Parkinson. This can provide “a much more secure approach which dramatically reduces risk to both customers and retailers”.

“Crucially, this needs to be done at account creation or registration not just at point of sale to avoid the tricky position PayPal recently found itself in, where 4.5m fake accounts needed to be weeded out after they’ve already committed fraud.”
