New anti-fraud measures: unintended consequences

eskbanker

https://www.ukfinance.org.uk/system/files/2022-10/Half year fraud update 2022.pdf provides a decent overview of the relative scale of the different types of financial fraud in the UK....

born_again

I posted this in the other thread on this.

While making cold calls illegal. People will still fall for them. Just the same as they fall for all the old scam calls, despite being warned by banks & in the media. Saying they are from their bank..

So just who is going to refund these people?

Step in the right direction. Yes. Just very short on details on how exactly they plan to stop them.🤷‍♀️

Slowing faster payments down is the only way to stop the people that simply ignore the warning & protect them. Does adding a day before a payment debits the account you are paying make any difference? 

Sadly everything these days is done for consumer convivence. People want everything now.

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

eskbanker

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

TheBanker

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision? 

Originally it was the merchant that decided whether to use 2FA. But there was a change last year which makes 2FA mandatory for most online transactions (there are various exceptions that can be applied). Banks will decline them otherwise.

born_again

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

Still does not stop it when retailer does not use it.

Sadly to put the brakes on these frauds, requires a step back & more time for purchases & transfers. To allow for more checks.

Even something as simple as. When new payee is set up & funds transferred. They are held for 3 days, either @ own bank. Or even better receiving bank. Which would stop fraudsters receiving funds & then moving it straight away.

eskbanker

born_again said:

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

Still does not stop it when retailer does not use it.

It sounds from the previous post that they no longer have the choice, but even if they could choose not to use it, then they'd suffer more fraud losses, a self-inflicted problem for them?

born_again said:

Sadly to put the brakes on these frauds, requires a step back & more time for purchases & transfers. To allow for more checks.

Even something as simple as. When new payee is set up & funds transferred. They are held for 3 days, either @ own bank. Or even better receiving bank. Which would stop fraudsters receiving funds & then moving it straight away.

Sounds like that would be throwing out the baby with the bathwater - we could reduce fraud by disabling Faster Payments or not allowing online transactions altogether, but there's always going to be a trade-off between security and usability/convenience so a sensible middle ground needs to be found.

Perhaps worth noting that the UK Finance report linked above reports fraud decreasing, which ought to be expected as CoP continues to take effect:

In the first half of this year, criminals stole a total of £609.8 million through authorised and unauthorised fraud and scams, a decrease of just under 13 per cent compared to H1 2021. The advanced security systems used by banks also prevented just under £584 million from being stolen.

Band7

eskbanker said:

born_again said:

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

Still does not stop it when retailer does not use it.

It sounds from the previous post that they no longer have the choice, but even if they could choose not to use it, then they'd suffer more fraud losses, a self-inflicted problem for them?

Loads and loads of acronyms being involved in this. I think we are talking about 3D Secure, not about 2FA. This sheds some light on it
https://www.visa.co.uk/partner-with-us/payment-technology/strong-customer-authentication.html

Somehow Amazon appear to have escaped 3D Secure. For example, I can make payments on amazon.uk with debit cards and credit cards from various UK banks. Though if I want to deposit some money with one of my UK debit cards into one of my own UK savings accounts, I have to approve them with 3D Secure.

I think it's farcical that major retailers are able to bypass/ignore the extra checks.

eskbanker

Band7 said:

eskbanker said:

born_again said:

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

Still does not stop it when retailer does not use it.

It sounds from the previous post that they no longer have the choice, but even if they could choose not to use it, then they'd suffer more fraud losses, a self-inflicted problem for them?

Loads and loads of acronyms being involved in this. I think we are talking about 3D Secure, not about 2FA. This sheds some light on it
https://www.visa.co.uk/partner-with-us/payment-technology/strong-customer-authentication.html

Somehow Amazon appear to have escaped 3D Secure. For example, I can make payments on amazon.uk with debit cards and credit cards from various UK banks. Though if I want to deposit some money with one of my UK debit cards into one of my own UK savings accounts, I have to approve them with 3D Secure.

I think it's farcical that major retailers are able to bypass/ignore the extra checks.

Personally I wouldn't call a single abbreviation "loads and loads of acronyms" but 2FA is two factor authentication, aka (also known as!) strong customer authentication, and 3D Secure is Visa's implementation of this....

Band7

eskbanker said:

Band7 said:

eskbanker said:

born_again said:

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

Still does not stop it when retailer does not use it.

It sounds from the previous post that they no longer have the choice, but even if they could choose not to use it, then they'd suffer more fraud losses, a self-inflicted problem for them?

Loads and loads of acronyms being involved in this. I think we are talking about 3D Secure, not about 2FA. This sheds some light on it
https://www.visa.co.uk/partner-with-us/payment-technology/strong-customer-authentication.html

Somehow Amazon appear to have escaped 3D Secure. For example, I can make payments on amazon.uk with debit cards and credit cards from various UK banks. Though if I want to deposit some money with one of my UK debit cards into one of my own UK savings accounts, I have to approve them with 3D Secure.

I think it's farcical that major retailers are able to bypass/ignore the extra checks.

Personally I wouldn't call a single abbreviation "loads and loads of acronyms" but 2FA is two factor authentication, aka (also known as!) strong customer authentication, and 3D Secure is Visa's implementation of this....

3D Secure is a security protocol. Used by VISA, Mastercard and Amex.

eskbanker

Band7 said:

eskbanker said:

Band7 said:

eskbanker said:

born_again said:

eskbanker said:

born_again said:

I would also go as far to say that for online purchases, the retailer has to confirm with the supposed card holder that it is them making the payment. Would make a massive dent in card not present fraud. Which would mean that retailer would not have to factor this cos into their losses, as they stand these loses.

Surely this is why 2FA was introduced - it's obviously not initiated for every online purchase, but isn't it the merchant who makes that decision?

Still does not stop it when retailer does not use it.

It sounds from the previous post that they no longer have the choice, but even if they could choose not to use it, then they'd suffer more fraud losses, a self-inflicted problem for them?

Loads and loads of acronyms being involved in this. I think we are talking about 3D Secure, not about 2FA. This sheds some light on it
https://www.visa.co.uk/partner-with-us/payment-technology/strong-customer-authentication.html

Somehow Amazon appear to have escaped 3D Secure. For example, I can make payments on amazon.uk with debit cards and credit cards from various UK banks. Though if I want to deposit some money with one of my UK debit cards into one of my own UK savings accounts, I have to approve them with 3D Secure.

I think it's farcical that major retailers are able to bypass/ignore the extra checks.

Personally I wouldn't call a single abbreviation "loads and loads of acronyms" but 2FA is two factor authentication, aka (also known as!) strong customer authentication, and 3D Secure is Visa's implementation of this....

3D Secure is a security protocol. Used by VISA, Mastercard and Amex.

True, I should have said that 3D Secure is used in Visa's implementation of 2FA, but it's the principle of using multi-factor authentication that's important here in providing protection against fraud, i.e. 2FA is the generic answer to the issue raised in the first of the nested quotes, regardless of which specific technologies are used to underpin it.