Strong Customer Authentication - **Now delayed** changes to online verification

Nicholas

The pin sentry device was just another fancy name for card reader. The card readers from Barclays, Nat West, Co-op, Nationwide etc are interchangeable, so you could have had a device at home, one in the car, another in your drawer at work and so on, and all you would really need would be your debit card and you could online bank from any of these places. HSBC group on the other hand - only the one device that was tied to your account and that was it.

adindas

It has been confirmed that Either Methods: Apps, Text Message, PINsentry card reader will be in use for the future. It does not have to be an app installed on your Mobile Device.

I do not know about other people personal experience but to me it does not make sense to restrict access to Mobile platform only. Keep in mind Mobile Device will never be able to replace Desktop PC, Laptop.

The main advantage of using desktop PC is people could have dual widescreen monitors (or even multi widescreen monitors) which make many tasks to be performed more effectively. The thing like setting up a new payee, standing order, you could just copy and paste it to avoid typo in writing the AC number. , Also the thing like you regularly do such as transferring money among various accounts multiple times a day, etc the things you do when you want to meet the requirement of minimum deposit each month to qualify for a better interest rate.

Here is the letter that I received today from Barclaycard.

Hello XXX

With regulations coming in soon, you'll sometimes need to confirm it's you when you pay for things on line. It's a new way banks are helping protect you from fraud.
Get ready - download the secure Barclaycard app, it's the most convenient way to confirm it's you.

Our secure Barclaycard app
With no codes needed, you can confirm it's you in just a couple of taps
- it's quick, easy and secure.
If you don't already have the app, you can download it from your app store.

Other ways to confirm it's you

Text message
We'll send a one-time veriAcation code to your mobile. You'll then need to enter this into the payment screen to confirm it's you.
Keep your number up to date - you can check we have your correct
UK mobile phone number through Barclaycard on line servicing, the
Barclaycard app or by calling 0800151 0900.

PINsentry card reader
Alternatively, if you don't have the app or give us a mobile number, we'll send you a PINsentry card reader. To use this, you'll need to have your Barclaycard and card PIN to hand.
Whichever you opt For, you'll Find all you need to know in the enclosed leaflet.

If someone else has an additional card on your account, they'll need to confirm their online purchases using a text message or PINsentry card reader. Make sure we have their correct UK mobile number by calling 0800 151 0900.

The Barclaycard Team

alanwsg

Online shopping anti-fraud scheme delayed...

https://www.bbc.co.uk/news/business-49332023

eskbanker

alanwsg wrote: »

Online shopping anti-fraud scheme delayed...

https://www.bbc.co.uk/news/business-49332023

Well spotted!

I've updated post #1 accordingly - note that the FCA have now effectively set two separate deadlines:

For online banking, the changes will be phased in from 14 September 2019 and completed by 14 March 2020.

For online shopping, we have agreed a plan with the e-commerce industry of card issuers, payments firms and online retailers that gives them 18 months up to March 2021 to implement SCA.

spenderdave

The BBC article doesn't even mention those who don't have mobile phones as an issue.

eskbanker

spenderdave wrote: »

The BBC article doesn't even mention those who don't have mobile phones as an issue.

There are clearly a variety of reasons behind the delay but it does refer to:

Consumer groups also questioned how the system could work for people living in areas with a poor mobile signal, who would have difficulty receiving passcodes sent to their phones

but doesn't include reference to the FCA's statement that:

We also want to ensure that authentication methods are available for all groups of consumers

It remains to be seen the extent to which this latter comment will be enforced by the FCA, especially in light of the express stipulation highlighted in post #135, i.e. the section of their approach document stating (in para 20.21):

For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations.

Rich2808

spenderdave wrote: »

The BBC article doesn't even mention those who don't have mobile phones as an issue.

As has been noted above they do say this.

"Consumer groups also questioned how the system could work for people living in areas with a poor mobile signal, who would have difficulty receiving passcodes sent to their phones."

My elderly mother has almost no mobile signal in her house/street - and its in a suburb of London. Some parts of cities also have appalling mobile signal - I often struggle to get more than one bar in parts of the City of London.

Combine that with a housebound elderly or disabled person and they are effectively frozen out as they can no longer order online easily at home e.g. shopping deliveries (at least for anything over £28). Got to be another way that doesn't involve phones - as it effectively forces them to rely on friends and relatives to do this for them assuming they have them nearby?

What is wrong with the current method whereby you are often asked for 3 letters of a separate online shopping password you have created before - which you need personal details to create in the first place (e.g. date of birth)?

Still what a farce its all been delayed six months for online banking and 18 months for online purchases - less than a month before it was due to be rolled out. A bit like the other recently dropped online verification scheme - it clearly hasn't been fully thought out.

eskbanker

Rich2808 wrote: »

What is wrong with the current method whereby you are often asked for 3 letters of a separate online shopping password you have created before - which you need personal details to create in the first place (e.g. date of birth)?

That ship has long since sailed - it's no longer a matter of if there should be two factor authentication, it was decided a long time ago by legislators that this is happening and so the discussion naturally moved onto how and when for the last few years....

Edit: re "like the other recently dropped online verification scheme", assuming you're referring to Confirmation of Payee, then yes, they're similar in that both have been delayed not long before scheduled implementation, but neither has been dropped, just postponed!

edgex

Rich2808 wrote: »

What is wrong with the current method whereby you are often asked for 3 letters of a separate online shopping password you have created before - which you need personal details to create in the first place (e.g. date of birth)?

Still what a farce its all been delayed six months for online banking and 18 months for online purchases - less than a month before it was due to be rolled out. A bit like the other recently dropped online verification scheme - it clearly hasn't been fully thought out.

That's the 'Verified by Visa / MasterCard SecureCode" thing, as in
https://en.wikipedia.org/wiki/3-D_Secure

That was at least done within the browser.


Maybe the best route for the banks etc is to also do a desktop app alongside their mobile app. The authorisation code can be sent in exactly the same way as it would be to the mobile app.

Ergates

eskbanker wrote: »

I've updated post #1 accordingly - note that the FCA have now effectively set two separate deadlines:

Not surprised by this. There are parts of the authentication process that are widely used by the industry that don't meet the FCA's requirements as yet.