
Strong Customer Authentication - **Now delayed** changes to online verification


Comments

  • masonic
    masonic Posts: 27,004 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 26 January 2020 at 10:56AM
    Doc_N wrote: »
    Which is the point that was being made. And some products are fast reaching that point for some of us, perhaps.
    The point I'm making is that designers of such measures won't see it as a bad thing if some users reduce, stop or change their usage of vulnerable systems as a result of tightening security as this will just reduce the potential for fraud via those systems even further.

    I've never supported the use of SMS for authorising transactions - that's a clear case of convenience compromising security. Contemporary email is more secure than SMS, and no less convenient, while authenticator apps are ubiquitous and much more secure, but devices must be made available to those without smartphones - and it's the inconvenience of that which has led the banks to compromise on security.
  • Uxb1
    Uxb1 Posts: 732 Forumite
    500 Posts Third Anniversary Name Dropper
    I'm still looking forward with wry amusement to see how regular but variable payments which are currently treated as being pre-authorised are going to be dealt with in the new regime.

    Are they still going to be regarded as being authorized - or are they going to have to be re-authorized by some 2FA method each time the amount changes?
    If the latter I predict chaos as customers suddenly receive a 2FA request out of the blue for some transaction.

    Typical examples might be all types of insurance continuous renewal where they have your card or DD details and currently send/email you the notice of renewal and if you don't do anything then payment is automatically taken.
    Other examples might be anything from magazine/gym subscriptions to variable utilities payments.
  • masonic
    masonic Posts: 27,004 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Uxb1 wrote: »
    Typical examples might be all types of insurance continuous renewal where they have your card or DD details and currently send/email you the notice of renewal and if you don't do anything then payment is automatically taken.
    Other examples might be anything from magazine/gym subscriptions to variable utilities payments.
    SCA applies to payment instructions. For Direct Debits and Continuous Payment Authorities, the payment instruction is made once, at the start of the agreement, and individual payments are collected according to that instruction until cancelled.

    It is unlikely that SCA would apply to DDs at all, since they are arranged by the company not the customer, and the bank indemnifies them, while new CPAs might be subject to SCA when the initial payment is made.
  • The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.

  • eskbanker
    eskbanker Posts: 36,934 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.
    Beyond the compo, have FOS instructed Santander to actually implement something compliant with the FCA steer?
  • The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.

    I do not have a mobile phone capable of receiving text messages, and complained to Santander two or three years ago on similar grounds. They too rejected my complaint, but when I complained to the Financial Ombudsman, they agreed with Santander and did not uphold my complaint.
  • The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.

    I do not have a mobile phone capable of receiving text messages, and complained to Santander two or three years ago on similar grounds. They too rejected my complaint, but when I complained to the Financial Ombudsman, they agreed with Santander and did not uphold my complaint.
    Quite right too, banks should not compromise security because of situations like this. Even the most basic mobile phone can have text messages, you can get the Vodafone Alcatel 20.03 for £6 with £10 credit required that will make calls and receive texts fine.
  • The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.

    I do not have a mobile phone capable of receiving text messages, and complained to Santander two or three years ago on similar grounds. They too rejected my complaint, but when I complained to the Financial Ombudsman, they agreed with Santander and did not uphold my complaint.
    Quite right too, banks should not compromise security because of situations like this. Even the most basic mobile phone can have text messages, you can get the Vodafone Alcatel 20.03 for £6 with £10 credit required that will make calls and receive texts fine.

    The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.

    I do not have a mobile phone capable of receiving text messages, and complained to Santander two or three years ago on similar grounds. They too rejected my complaint, but when I complained to the Financial Ombudsman, they agreed with Santander and did not uphold my complaint.
    Quite right too, banks should not compromise security because of situations like this. Even the most basic mobile phone can have text messages, you can get the Vodafone Alcatel 20.03 for £6 with £10 credit required that will make calls and receive texts fine.
    The point I was making was that the Financial Ombudsman upheld KimballKinnison's complaint, but did not uphold mine. Both of us are unable to receive text messages: KimballKinnison having no reception, and my phone being designed without the capability. I'm well aware that there are mobile phones which do have the capability, but the fact that I choose not to use one isn't the issue here: it's that the Financial Ombudsman decided to uphold KimballKinnison's complaint on the grounds that "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations.", but did not uphold mine. The reason for the inability to receive a text message is irrelevant.
  • eskbanker
    eskbanker Posts: 36,934 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    The Financial Conduct Authority (FCA) referred me to their document, "Payment Services and Electronic Money – Our Approach The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 June 2019 (version 4)":
    <Sorry as a new user you are not allowed to post with links.>
    Section 20.21 states:
    "...For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations."

    I am without mobile phone reception.
    I have raised a formal complaint, quoting the FCA document, with Asda Money (credit card) who stated in an email (25/8/19):
    "Unfortunately if you do not possess a mobile phone, after September 2019 you will no longer be able to use your card online."
    Also Virgin Money (savings) who stated in an email (9/8/19):
    "...you won’t be able to access your account online if we don’t have your mobile number."
    Update:
    When challenged, Asda Money and Virgin Money provided alternatives for customers without mobile phones.
    Santander didn't provide an alternative - they referred me to their terms and conditions and rejected my complaint.
    The Financial Ombudsman (with guidance from the Financial Conduct Authority) upheld my complaint and awarded £200 compensation.

    I do not have a mobile phone capable of receiving text messages, and complained to Santander two or three years ago on similar grounds. They too rejected my complaint, but when I complained to the Financial Ombudsman, they agreed with Santander and did not uphold my complaint.
    Quite right too, banks should not compromise security because of situations like this. Even the most basic mobile phone can have text messages, you can get the Vodafone Alcatel 20.03 for £6 with £10 credit required that will make calls and receive texts fine.
    You're missing the point - as highlighted in the first post within this nest of quotes, the FCA steer is that banks must provide alternatives to mobile phone based authentication....
  • robatwork
    robatwork Posts: 7,260 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    @lightbulb2760 I'm fascinated what mobile phone you have that doesn't support SMS. My Nokia in 1998 did.