Strong Customer Authentication - **Now delayed** changes to online verification

Migster

The September deadline is somewhat up in the air at the moment, at least for e-commerce card payments.

There are three elements to authentication under SCA and the banks must use two of them. The three elements are a) something you are, b) something you possess and c) something you know.

Up until recently, it was assumed that an OTP would count as something you know, but the EBA recently threw a spanner in the works by stating that this was not the case.

In response to this the FCA had the following to say:

“…the FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this”.

If you google “EBA SCA opinion” you’ll find more details, though be warned, it’s not the most exciting read.

londoninvestor

lr1277 wrote: »

I think Metro bank are using a OTP to a mobile phone based on this webpage:
https://www.metrobankonline.co.uk/ways-to-bank/i-want-some-information-about/fraud-and-security/

Yes for setting up payees; not (yet) for logging into online banking.

Herbalus

Not sure how extensive you want the list to be, but tandem credit cards are already using an OTP to mobile when making purchases online.

But given it’s app only, everybody who has it will by definition have a mobile so won’t be a barrier.

brianposter

Migster wrote: »

The September deadline is somewhat up in the air at the moment, at least for e-commerce card payments.

Already had my HSBC cards fail repeatedly for online purchases.
The banks appear to be being particularly incompetent in implementing these measures - sending passcodes to fixed line phones doesn't appear to be especially difficult.

eskbanker

Herbalus wrote: »

Not sure how extensive you want the list to be, but tandem credit cards are already using an OTP to mobile when making purchases online.

Happy to add info in if supported by a link?

peachyprice

18cc wrote: »

Does this also apply to eg Monzo, Starling or is it desktop banking they are targeting?

eskbanker wrote: »

Two factor authentication involves:My understanding is that an app is considered to be the middle of these and therefore, if combined with passwords/PINs, etc, satisfies the requirement, hence the use of apps as a second factor for non-app banks.

So, app-only banks, assuming they also require the use of something the user knows (or is, such as fingerprint/facial recognition), shouldn't need any additional securing.

Happy to be corrected though, I'm not claiming to be an expert!

Monzo already use OTP.

Although they seem to be pretty good at recognising spending patterns and will auto authorise transactions from retailers you've already used an OTP for a few times.

Herbalus

eskbanker wrote: »

Happy to add info in if supported by a link?

Probably doesn’t make the cut for authoritative info on here from the FAQs looking like a community blog https://intercom.help/tandembank/en/articles/1978234-online-purchases

But the first 3 transactions I’ve done online (I’ve only just got the card) have all sent a passcode to my mobile.

MovingForwards

Can't find the virgin letter eskbanker, but will come back if I get any more information.

Radnorsaver

Capital One (capitalone.co.uk) credit cards will send OTP to EITHER mobile or landline, which is fine. Why can't others do it?

Radnorsaver

For your info the HSBC info is here: https://www.hsbc.co.uk/help/security-centre/simple-safe-secure/