Around one in four online transactions are likely to require additional authentication in the near future thanks to new EU rules that come into place next September.
That is the estimate of credit and debit card issuer Mastercard, which says at present, just one to two per cent of online transactions currently require two-factor authentication to complete via its Securecode password method.
This is Money revealed last week that Visa users may soon have to enter a one-time passcode sent directly to their mobile phone via text message to complete a transaction, instead of the current Verified by Visa system, similar to Securecode from Mastercard.
Paying online: It is likely around one in four payments will require two-factor authentication soon – compared to 1-2% now
The move is down to European rules to tackle online fraud by increasing the number of transactions subject to two factors of authentication by the payer, known as ‘strong customer authentication’.
Mastercard says that it isn’t looking at one time passwords as the ‘optimal solution’ – instead, it is going down the biometric route.
It has asked all of its issuing partner banks to be ready with a biometric solution to offer customers by next April.
This would most likely be in the form of using your smartphone, if enabled, to read your thumbprint, taking a ‘selfie’ to complete the transaction or eventually, by voice recognition.
Mastercard say that cardholders won’t have to use this method if they don’t wish and can instead use an OTP if they prefer, but need to have the choice offered to them by their bank.
Many are unlikely to have the latest technology to take advantage of the futuristic methods of green-lighting an online payment.
Ajay Bhalla, president of global enterprise risk and security at Mastercard, said: ‘The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.
‘In payments technology this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies such as artificial intelligence.
‘It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.’
It adds that the move will hit mainly card payments made over the internet, but it will also apply to some contactless transactions as a periodic check to ensure the card is being used by its rightful owner.
Chip and pin transactions are already two factors so are compliant under the future EU rules, called PSD2 (Revised Payment Service Directive).
Mastercard says the heightened measures are designed to protect consumers and businesses from being defrauded, but it is working with banks to ensure they are implemented without disrupting the convenience and making sure there is choice.
Static passwords will not be allowed under PSD2, which includes the current Securecode and Verified by Visa.
Thumbprint: Mastercard says it will offering biometric solutions to new two-factor authentication rules from April, including thumbprint
At present, that box often pops up before disappearing. This is because the bank is making a decision on your behalf whether or not a transaction is genuine.
Often, this is because you are using a website and/or terminal you’ve used before.
It is believed that banks will be able to make more decisions like these on your behalf after the new rules kick in, but only if they keep fraud levels down.
It is also likely that bigger transactions are more likely to require two-factor authentication.
It is up to banks what they choose to offer customers. Last week, we revealed that First Direct are, for now, going down the OTP route via text message.
What is two-factor identification?
Two-factor authentication is a second layer of security which is used to protect an account, system – and in this case, transactions online.
It increases the safety of online accounts by requiring two types of information from the user, such as a password or PIN, an e-mail account, credit and debit card or fingerprint, before the user can log-in or transact.
What other banks will be offering customers will be revealed soon, but is likely to follow the same lead.
Visa said last week that as well as the OTP option there will be alternatives, including use of partial password entry, knowledge based questions or physical tokens.
It is thought that there will also be the option for customers to ‘white list’ companies.
So, for example, if you frequently use online giant Amazon, you can add this on a list of trusted companies to stop the two-factor authentication kicking in.
Security experts recommend using two-factor authentication to secure online accounts, but some warn that SMS messages have security problems and are the least secure option.
However, that said, the SMS option is more secure than having no two-factor authentication whatsoever, according to the experts.
UK Finance released data earlier in the year that showed card-not-present fraud fell last year.
This fraud occurs when a criminal uses stolen card details to buy something on the internet, over the phone or through mail order.
Losses due to remote purchase fraud fell five per cent to £409.4million.
Intelligence suggests remote purchase fraud continues to result mainly from criminals using card details stolen through data hacks, via phishing emails, and scam text messages.
HOW TO STAY SAFE WHEN PAYING ONLINE
How to stay safe from card-not-present fraud, according to UK Finance:
• If you’re using a retailer for the first time, always take time to research them before you give them any of your details. Be prepared to ask questions before making a payment.
• Trust your instincts – if an offer looks too good to believe then it probably is. Be suspicious of prices that are too good to be true.
• Look for the padlock symbol in the web address bar. It’s a good indication that a retailer is reputable.
• Only use retailers you trust, for example ones you know or have been recommended to you. If you’re buying an item made by a major brand, you can often find a list of authorised sellers on their official website.
THIS IS MONEY’S FIVE OF THE BEST CURRENT ACCOUNTS