Online Shoppers Beware

[Deleted User]

If you use your credit card to shop online you may be interested to hear of a new pitfall masquerading as a security improvement.

The banks have recently introduced a new security system whereby you can register a couple of passwords with them for your credit card. Lloyds call it Clicksafe, but it goes by various other names. The idea is that when you get to a retailers checkout the bank will prompt you with one password and you then respond with the other.

Last week I visited a retailer with the intention of buying some DVDs. When I got to the checkout I was asked for my pasword, but at that time I hadn't heard of the system let alone registered any passwords. With no password to offer, my only option was to quit and ssume that the order wouldn't be processed. Wrong assumption. I found out that they had processed my order without a password when the goods turned up on my doorstep two days later. By that time I had already bought the goods from another supplier. From the retailers point of view the system is optional, but if they ask for a password they're indicating that they've opted in. If they then process the transaction with no password they defeat the whole point of the system and mislead the customer.

The moral of this story is two fold:

1. If you don't have passwords registered don't assume the order won't be processed. It may be.
2. If you do have passwords, and find a fraudulent transaction on your credit card, don't be told that it can't have happened without your authorisation. It can.

If this system is going to have any credibility, the banks have to ensure that any retailer who opts in can't then arbitrarily opt out, either on a whim or by error.

Antispam

I know the security check as been going for around a year at Abbey at least

vyle

Visa has one of these "verified by visa". It annoys me because i wish it WAS optional, because it demands a style of password which is different to my usual password.

Anyhoo, with VBV it insists itself upon a transaction and it doesnt go through unless you pass it.

Perhaps it's just Lloyd's whose is rubbish.

salesadmin

It always used to be optional but I've noticed that recently it's compulsory. I always ticked no thanks when it was optional but it made it clear that the order would still go ahead, even if I didn't sign up

I use Visa btw

[Deleted User]

There's nothing optional about the system from the customers point of view, it's the retailer who decides whether he wants to use the system. The point is that if the bank allows the retailer to opt in and out on a whim then it's not providing any additional security for the customer, and shouldn't be marketed as such.

The system provides extra security for the retailer, if and when he chooses to demand a password, but at the moment the banks are pushing the system as if it's some benefit to the customer. From the customers point of view it's about as much use as an ATM that dispenses money without a PIN.

The retailer has agreed to accept the goods back, so once I have a refund I'll take it up with the bank, the Ombudsman and the Consumers Association.

Tea3

[not the website mentioned in this post but thought it may help] - Our card processing system say we have to opt in - unfortunately we get no choice as its the customers banks who decide if their cards are in the scheme or not and we have to go along with it. At our checkout we ask for the 3d secure password (as we are required to do if the bank has this set up) but the customer can then either leave the order (abandoning their shopping cart) or they can enter their password and proceed through checkout. If they go through with the transaction we then receive a summary of the payment - some banks allow the transaction to go through if the 3d secure number is incorrectly entered and we can then decide whether to send the order or reject the payment.

I have not heard of a system where the customer chooses not to enter the password yet the order was still placed without the customer clicking further through the checkout system or on the 'confirm order' type button, so there may be a prorgamming problem on the sellers website as you should be given the option of whether to enter the password, set one up new or abandon the order.

ADDED - before people reply saying how horrible it is please remember we get NO say in whether to have it on the account or not - we used to but were told by our Patement Gateway company and our Merchant Account providers that we MUST have it on for security reasons - apparently more and more payment gateway companies are forcing sellers to use this or risk payments being rejected/refunded (possibly after goods have been sent) - there were even talks of accounts ebing closed if they did not include this system. As a seller it is handy to have extra security measures in place but not at the risk of losing customers because the scheme has not been advertised much so most people have no idea what it is. I personally dislike the scheme because of the lack of advertising/information available but again have no choice in whether to have it on my website unfortunately

Ivory_Tinkler

I back up what Tea3 says - we too have to use 3D secure for maestro payments and this is a compulsory requirement imposed by the banks. I too believe that this added level of security has not been advertised widely enough by the banks causing confusion and mistrust by any consumer who is not familiar with it.

[Deleted User]

Tea3, that's interesting. I've been using the same card online for a few years now and this was the first time I'd been asked for a password, hence my being unprepared with one. Now that I've registered the card with a PW, it will be interesting to see if any of my familiar retailers start asking for the PW when they hadn't done previously.
(The logo on the retailers site was PROTX, is that the name of a gateway?)

It seems that there's an obvious hole in the system too. If a fraudster with my card number visits a genuine retailer, the system will give him the prompt password. He now has all the information he needs to construct a trojan site and phish for the other PW.

Tea3

Yeah - many banks were fine not asking for a password but we just get notification through that from x date all maestro transactions for example must be 3d secure, or that lloyds tsb are now in the scheme and their cards have to be 3d secure etc. It could be that your bank was not enroled/set-up for it before and only just activated it recently. We use protx too and they set the rules we have to abide by - if your other retailers online are with protx or a similar card processing company who have insisted on the 3d secure option being set up then you would be asked for the password (I believe some companied are told from now it must be activated and some are told from x date so it may vary and one day you may not get asked but from the next day you may). It is becoming more widespread so you should be asked for it more.

Not sure how the security of it all works as thats set up by visa/mastercard etc but I would assume its the same as using a chip and pin in an atm - you need to check it looks right and nothing dodgy about it before entering you pin number - same with online - check its a secure website (https start and possiblky padlock symbol etc), check if the website is new, any oher feedback on it if in doubt etc before entering any details on it - although I would recommend anyone checks a website is fully secure and ligit before entering any card or personal details regardless of whether they are set up for 3d secure or not.

Hope this helps

Ivory_Tinkler

jack_pott wrote: »

Tea3, that's interesting. I've been using the same card online for a few years now and this was the first time I'd been asked for a password, hence my being unprepared with one. Now that I've registered the card with a PW, it will be interesting to see if any of my familiar retailers start asking for the PW when they hadn't done previously.
(The logo on the retailers site was PROTX, is that the name of a gateway?)

It seems that there's an obvious hole in the system too. If a fraudster with my card number visits a genuine retailer, the system will give him the prompt password. He now has all the information he needs to construct a trojan site and phish for the other PW.

We use Protx too so I only know as much as Tea3. If you are concerned about security then I'd suggest you clarify this with your card issuer as the information you give when you enrol onto the system isn't shared with the retailer and that part of the transaction is set up by your issuing bank. But if someone knows your card number, the purchase supposedly can't go ahead without the correct code but I don't know the in's and out's of how someone could get prompted to get that code.

I do know that you can set up a personal greeting so that when the pop up box appears you know that you are communicating with your card issuer (I set one up for my card recently).

I saw a letter sent to our firm by the bank to state the the 3d secure system was compulsory by a certain date (pretty recent) and that we had to sign up for the scheme or risk fines and the possible suspension of our merchant account. As we use Protx as our payment processor this was already in place but this is something that the banks have imposed and not the retailers.

Just out of interest, when you made your transaction that you thought you'd cancelled, did you get a confirmation email from the company concerned because it does seem very strange that they went ahead and processed the order. Maybe, as Tea3 has said, that company needs to review it's website.

[Deleted User]

Yes I did get a confirmation email, but this computer's in the library, so by that time I'd gone home and bought the goods elsewhere. The first I knew was when the goods turned up on the doorstep.

I quizzed the retailer, but this was all he had to say:-

"We are not sure to be honest this can happen from time to time but no one will accept the responsibility of why it happens for example the Bank/ Payment Provider"

I'm more irritated than worried, but at the moment the system is behaving a bit like an ATM that hands out the money without any PIN.

It'll be interesting to see what the bank says, but I suppose they'll just fob me off. Are either of you old enough to remember the saga with phantom withdrawals from ATMs back in the 1980s? In that instance the banks just stonewalled with the line that the system was secure until there were so many cases in the media that their position became untenable.