Online shoppers will face new anti-fraud checks as retailers and banks finally adopt rules known as strong customer authentication (SCA). Yet improved security could come at a cost for customers who don't use mobile phones or have patchy reception.
SCA checks have been in place for online banking since 14 March 2020, but businesses only began rolling out SCA for online card payments in June 2021, ahead of the regulator's deadline of 14 March 2022.
This has proved to be true of the general public too - when we surveyed 4,438 current account customers in October 2021, 17% of those who make online card payments told us they've had issues passing new security checks.
Many said it was because they have a poor mobile signal (6%) or didn't have their card reader to hand (6%). They also struggled because they ran out of time to make the payment (4%), had to call their bank to complete the online payment (4%), or don't own a mobile phone at all (2%).
The new rules require banks to identify you using at least two of three independent factors:
If this isn't possible, payments will be declined, although low-value payments (under £25) don't always require SCA.
Which? asked banks what options are available to customers looking to pass security for online card payments.
Most banks rely on mobile phones for security - for example, by sending one-time passcodes via SMS or asking you to authorise payments via your banking app.
|SMS||App||Card reader||Landline||Call bank|
|Bank of Ireland UK||N||N||Y||Y||N||N|
|Danske Bank||Y||N||Y [a]||N||Y||N|
|HSBC (and First Direct)||Y||N||Y||Y||N||N|
|Lloyds Banking Group||Y||N||Y||N [b]||Y||N|
Notes: [a] Via the Danske ID Security app (not the mobile bank app). [b] Via token-based authenticator from the first half of 2022. [c] Can call the bank sometimes but only with additional security. [d] Emailed passcodes only available if there's no mobile number on record. [e] Must call bank to switch to email, can only hold one passcode option at a time. [f] Can call bank in exceptional circumstances.
The Financial Conduct Authority has told firms to also develop SCA solutions that don't rely on mobile phones. But as our table above shows, only a handful of banks let you receive passcodes via landline instead of SMS or banking app.
Challengers Chase and Monzo only let you authorise payments via their apps. Danske Bank originally told Which? it only offers SMS or app authentication but later confirmed that non-mobile users can ask for a one-time passcode to be sent via landline.
Other banks only offer the bare minimum. For example, Metro Bank told us customers without mobiles can call its contact centre 'sometimes' to authorise payments.
Triodos said customers who can't authenticate in the mobile app can log in to Internet Banking instead (and use their physical Digipass to authorise the payment).
UK Finance told Which?: 'Each firm has been developing their own ways to approve transactions and, as with any change coming in, the more people get used to using SCA the more familiar they will become with it.'
'We understand that for some customers the application of SCA may present challenges and would encourage customers to speak to their bank or payment provider if they have any concerns about the way in which they will need to authenticate payments.'
Around 300 people have , including Santander customer Steve, 64, from Surrey, who asked it to intervene in August 2019, when Santander told him he would need to use a local branch or telephone banking to pass online security as he doesn't use a mobile phone.
Santander has since told us it can send one-time passcodes via email to customers who don't use mobile phones or live in areas with poor mobile network signal.
Steve thinks there's an easier solution: 'The solution of emailing OTPs is acceptable to me but those without a mobile phone or adequate reception have a diminished service compared with those who do. Wouldn't it be simpler for everyone if Santander just sent OTPs to landlines as well as mobiles thereby ensuring equal treatment?'
Although it's designed to prevent card fraud, scammers will see SCA as a fresh opportunity so it's important that banks protect cardholders against any emerging threats.
With so many banks relying on SMS, we're also concerned about the increased threat of Sim-swap fraud - where criminals trick your mobile network provider into transferring your phone number to a Sim card that they control. This means they can intercept messages from your bank and potentially hack into your account.
Starling told Which? it has 'made a conscious decision' not to send OTPs via SMS because it does not believe this is secure.
Banks must ensure customers are fully aware of these risks and use other tools at their disposal to frustrate scammers, such as behavioural biometrics where security systems can recognise the unique way you use your phone or laptop.
This article was updated on 14/03/22 to reflect Danske Bank's new position (allowing one-time passcodes via landline).