Unsanctioned payment

DavidL58

Please can someone advise.
Basically , if I am making a purchase using a credit card and I don't enter the OTP , should the transaction not then go ahead ?
What happened was I purchasing flight tickets, £960 with a credit card I hadn't used for a while. It said we will send you an OTP. I noticed that they had an old disused mobile number of mine. So, I knew I wouldn't get a OTP. I immediately closed the page. Then went through the booking process again and paid with PayPal which is linked to a different bank , Santander.
All well and good but totally unknown to me the initial time I booked, the bank, Halifax, put the payment  through anyway. Without me using the OTP. I only found out when I received the statement. I rang them, this was when you could still get through 14/03. They haven't done anything and want me to make the minimum payment which I'm loathe to do because 1, I don't owe it ( it has to be Halifax's fault) and 2, will paying it be an admittance by me that I owe the debt ?
Oh, Halifax made me raise a complaint.
First time on , sorry if I've gone on a bit and blundered by naming the banks.
Thanks

eskbanker

DavidL58 said:

What happened was I purchasing flight tickets, £960 with a credit card I hadn't used for a while. It said we will send you an OTP. I noticed that they had an old disused mobile number of mine. So, I knew I wouldn't get a OTP. I immediately closed the page.

So in order to get to a Halifax page showing your old phone number, you'd presumably have pressed a 'submit' button on the merchant's page committing to the purchase against the card number you'd just keyed in?  I suspect that both Halifax and the merchant will regard this as you authorising the payment, despite the lack of additional OTP verification.

You can obviously proceed with your complaint but it probably would be prudent to make the minimum repayment to minimise any damage to credit status if they don't come down on your side....

DavidL58

Thanks but surely the point of the OTP is to verify your identity. With a debit card I think that can happen . I will go through that booking process again to check. I don't recall any submit button. And the merchant was fully prepared to accept payment from both banks !! An email to me saying ' you've already booked these flights' maybe. 

Tildaplum

I am surprised the payment went through without the OTP - what would happen if it was a fraudster using your details. 

Indeed, by not putting in the OTP then you COULD argue that you hadn't authorised the payment as you had specifically been told that to authorise it you needed to input the OTP.

eskbanker

DavidL58 said:

Thanks but surely the point of the OTP is to verify your identity. With a debit card I think that can happen . I will go through that booking process again to check. I don't recall any submit button.

Yes, OTPs are indeed intended to verify identity, but that doesn't necessarily mean that without OTP (even if promised) you can claim not to have authorised the transaction - my point about sequencing through the booking process was that you'd have put all the relevant details into the merchant's site but in order to get as far as a Halifax page you must have committed in some way to the merchant first.  You can obviously try to recreate this but I can't see any way in which you can get as far as seeing a Halifax screen with your old phone number on it, without passing the point of no return on the merchant's site.

DavidL58 said:

And the merchant was fully prepared to accept payment from both banks !! An email to me saying ' you've already booked these flights' maybe. 

Yes, that's potentially a productive avenue to pursue if you specified passenger names and so on, making it a clearly duplicated booking.

Tildaplum

Difficult to get any definitive info on this but Monesese for example seem to imply the transaction won't go through without the OTP:

https://support.monese.com/hc/en-gb/articles/360001954619-How-will-I-authorise-the-online-transaction-with-MasterCard-SecureCode-

DavidL58

Been back through the booking process an after entering card details there is a  pay and book button. Even so, clicking on that would take you to a page where you can review your booking first. I didn't dare press it. Don't think I can name who I booked with. Not an airline direct .

jonesMUFCforever

When are the flights due to take place?
Your saving grace could be that Covid-19 is still around meaning your flights would be cancelled and you get a refund.
The OTP has never been there to protect you the consumer but the card issuers against fraud - so IMO you pressed Enter/Submit/Proceed or whatever and the payment was authorised.
Are you sure you did not get any e-mails to confirm the original flights?

DavidL58

Some interesting answers, thanks. The OTP is not there to protect the consumer. No surprise there !Also a point of no return. I agree in principle but should it not come after your identity has been verified . It could easily say ' we are sending you a OTP, if this is not entered the transaction will not go ahead.' That's clear, unambiguous. It could be an expensive lesson to learn, for anyone. I'm not to sure I have. It might as well say ' we will send you a OTP but don't concern yourself actually entering it - we'll let the transaction go through anyway,' You're not getting your money back either .😄
What's the point of having an OTP.
We didn't travel due to the coronavirus but the outward flight hadn't been cancelled. One of the return flights had been. All tourist sites closed and a two week ban on all flights the day after we would have arrived . Couldn't travel with those circumstances. But lots of other people have had the same thing happen.

eskbanker

DavidL58 said:

Also a point of no return. I agree in principle but should it not come after your identity has been verified . It could easily say ' we are sending you a OTP, if this is not entered the transaction will not go ahead.' That's clear, unambiguous. It could be an expensive lesson to learn, for anyone. I'm not to sure I have. It might as well say ' we will send you a OTP but don't concern yourself actually entering it - we'll let the transaction go through anyway,' You're not getting your money back either .😄

Still not sure you're really getting the point I was making - there are two completely separate parties involved here, i.e. the merchant selling the flights and the bank arranging payment to them.  My comment about the point of no return was specifically about your commitment to the merchant, made when you press the 'book and pay' button - the merchant doesn't know what security arrangements will be involved between you and your bank thereafter, in that some banks will use OTPs and others won't, so the merchant is happy however the transaction is ultimately authorised.  Your point about the potential for better OTP dialogue relates to the interaction between you and Halifax, which doesn't involve the merchant, who's handed over control of the transaction by then, i.e. any use of OTPs is verifying your ID to Halifax, and the merchant is oblivious to this....

DavidL58

eskbanke, I appreciate your replies, really. You seem knowledgeable about this. I  do get your point though, absolutely. I know there's two separate parties .
However and I hope you can clarify this, I'm working on the assumption that the absolute final say in whether a transaction goes through rests with the bank. The bank, not the merchant.
If that's true. The wording is in your reply : the bank's 'security arrangements.' So, if that bank's security arrangements have not been finalized by use of a OTP, or whatever else, then surely that bank has a duty to not let that transaction go ahead. Regardless of any 'point of no return'. The merchant is not to blame for the transaction, I know that. But the bank are, in my opinion, as a layman speaking. 
That's the point I am trying to make.