They’re meant to stop fraud, but online payment checks are frustrating

They’re meant to stop fraud, but new online payment checks left TOBY WALNE in a tizz: ‘I had to tap in 45 digits to pay for my parking’

  • Anyone buying on internet may now need to verify transaction with their bank 
  • This is done by typing in a code sent to their mobile phone by their bank
  • All part of major crackdown on online criminals’ push payment scams
  • Record £754million stolen in first half of last year 

Online shoppers must now tap in up to 45 separate card and security numbers to buy a single item under tough new measures introduced by banks to tackle fraud. 

So-called ‘strong customer authentication’ (SCA) rules, just rolled out, mean that anyone who buys an item over the internet may now need to verify a transaction with their bank before the payment is approved. 

This is done by typing in a code sent to their mobile phone by their bank – in addition to the bank card details they must already provide. 

Code red: Toby Walne grapples with the new security system on his phone

As we show in the box, right, I had to type in a staggering 45 numbers before I could pay to park at my local station at Bishop’s Stortford, Hertfordshire. 

These included the code to unlock my phone, the numbers of my bank card and an authentication code from the bank. 

I found it fiddly, time consuming and prone to me making repeated typing errors – and it almost made me miss my train. 

Yes it’s ultimately in my best financial interests. But so frustrating! It made me wonder just how much convenience we are willing to give up for better security online. 

It is all part of a major crackdown on online criminals who stole a record £754million in the first half of last year through activities that included so-called push payment scams. 

This is where customers are tricked into making purchases online that turn out to be fraudulent or where goods and services are bought using stolen ID. 

The level of this fraud is up almost 30 per cent compared to the £582million stolen in the first six months of 2020. 

The extra layer of security that the SCA rules provide has been added to make it harder for criminals to use stolen personal details to make fraudulent purchases. 

By sending a payment verification request to a customer, it alerts them if a criminal is using their account to defraud them. 

Although the added security is welcome, having to tap in up to 45 separate numbers to approve one single purchase may seem excessive to many. 

Jana Mackintosh, a manager at banking trade association UK Finance, says: ‘Payment fraud is a fast growing problem. It was vital to introduce this strong customer authentication as an extra level of security. 

‘It should give customers peace of mind that they can pre-approve payments about to be taken from their bank account or credit card.’ 

The additional protection is part of a European Union ‘payment services directive’ adopted by the UK to make online shopping more secure. 

It involves so-called ‘two-factor authentication’ that requires the tapping in of a six-digit code sent to a customer’s mobile phone to confirm a purchase. 

This authentication might also be via a phone call or a thumbprint made on a mobile phone banking app. 

Consumer groups welcome the additional layer of security despite the extra hassle it involves. But they warn that consumers must still be careful about falling victim to online fraud. 

Jenny Ross, money editor for consumer group Which?, says: ‘We have long called for banks to introduce additional payment protections such as strong customer authentication. 

‘These new rules could make a big difference when it comes to tackling certain types of online fraud.’ 

But she adds: ‘Improved security could also come at a cost to customers who don’t use mobile phones. Banks must make sure they provide solutions for all customers.’ 

Which? is also concerned that scammers could view SCA as an opportunity – and that there may now be a spike in fake texts, calls and emails claiming to be from ‘your bank’ as criminals use these new security checks as a hook to steal your personal banking details. 

It means customers need to be extra vigilant when receiving unsolicited texts and emails. 

This added layer of friction might also make shoppers think twice before they make a purchase – something they may appreciate after the all-too-easy convenience of swishing via a contactless card that encourages impulse buys. 

Fortunately, the need for keeping so many numbers at hand or in the head could well be only a short-term problem – as biometric identification is expected to become more widespread as a double-checking solution within the next decade as new technology is rolled out. 

Fingerprints, iris scanning and facial recognition technology is already being used in banking apps and passport control checks, with the industry keen to roll out further innovation to screen out fraudsters in the future. 

The National Cyber Security Centre (NCSC) was set up six years ago by the Government Communications Headquarters (GCHQ), which also looks after security agency MI5 and Secret Intelligence Service MI6. 

Sarah Lyons, a director at NCSC, says: ‘It is vital consumers have confidence that security measures are in place to protect their day-today transactions. 

The additional authentication now required adds an important layer of security to combat cybercrime.’ 

The NCSC points out that alternative authentication options are also being explored – including iris recognition, which can take images of the eye using infrared light. 

Reading finger prints is another option. Such technology could become rolled out more widely in the future. Those who believe they might have been scammed should contact their bank immediately. 

Most banks are signed up to the ‘voluntary authorised push payment scam code’ which means there are steps they must take to keep fraud down to a minimum. 

If you believe your bank has being negligent in stopping a fraudulent payment and has failed to provide a satisfactory explanation, contact the Financial Ombudsman Service. You should also contact Action Fraud and report the online fraud.