New online shopping anti-fraud measures kicked in on the 14th March, but are they really as secure as they claim to be?




New anti-fraud rules for all online transactions

As of yesterday (March 14th) consumers will more than likely have noticed some additional checks when making online transactions. Unfortunately, they may also have noticed some payments being declined, with many retailers not prepared for new anti-fraud rules introduced by the Financial Conduct Authority.

The new measures have been introduced to help protect banks, retailers and consumers who have been facing increasing costs, both financial and reputational, due to the rapid rise in unauthorised fraud, which in the first half of last year caused losses of £398.6 million.

So, from 14th March onwards, before any online payment can be accepted, merchants will have to verify that a customer is who they claim to be by putting in place additional verification checks such as asking the customer to log into their banking app, or more likely input a one-time passcode that will be sent to them via their mobile phone, in order to confirm a payment

The new rules are part of the Payment Services Directive (PSD2), mandating that ‘Strong Customer Authentication’ (SCA) is used in all online payment flows, and introduced by the Financial Conduct Authority (FCA) this week. Originally due to be introduced a year ago (and delayed by Covid) the new rules were delayed in order to provide retailers with more time to make any necessary changes. The original legislation came from the European Banking Authority and was adopted into UK law before the UK left the EU.

The rules will apply to all online credit or debit card purchases but will have the greatest impact on spending deemed to be high risk, such as high value purchases or activity outside a buyers normal spending habits.

 

Do the new measures go far enough, or are they already outdated and open to fraud?

It seems obvious that putting measures in place to make it more difficult for the bad guys to commit fraud is essential for both business and consumer, but the challenge is going to be keeping up with the fraudsters, who will always be looking for new ways to commit financial crime.

Unfortunately, the allowance of SMS one-time passcodes as part of the new SCA measures does not remove the vulnerability to hackers, who have developed methods to intercept one-time passcodes in transit.

One-time passcodes (OTPs) make sense in a world where the volume of online purchasing and banking is growing significantly, but if hackers gain access to the SMS message prior to the intended recipient, and use it to authenticate into a genuine user’s account, then it offers little or no protection at all to the customer.

 

How the bad guys access a victim’s phone to steal one-time passcodes

The most common way that criminals gain access to an SMS is by taking control of a mobile number by requesting a replacement SIM from the mobile operator (SIM Swap fraud).

The fraudster will start a SIM swapping attack by gathering personal details about the targeted subscriber, through social engineering tactics such as phishing, malware or trawling through social media information. Once they have all the necessary information, they will contact the mobile operator, pretending to be the customer and request a Sim Swap, claiming that the original SIM card is damaged, lost or stolen.

In a successful attack, the subscriber will only realise they have been a victim of an attack once they lose connection to their network leaving them unable to make or receive phone calls or access any of the stored data on their phone.

The result of this is that the criminal will take over to the account enabling them to receive all the SMS and voice calls meant for the legitimate account holder. This means the criminal has access to any one-time passcodes received, enabling them to bypass two-factor authentication and commit fraud.

 

There is a solution and it’s mobile

Happily, mobile operator identity data services offer a ready-made, trustworthy solution to this issue, consumable through simple APIs and offering a far more reliable and efficient alternative to SMS OTPs.

By combining a simple SIM Swap check (when was the SIM card last swapped in the user’s phone) with a secure, seamless mobile authentication second possession factor, it’s possible to provide a fast and reliable solution enabling service providers to create a high level of confidence in the mobile device prior to an authentication, eliminating the need for insecure one-time passcodes.

So, the good news is that even in the high-volume world of online services, both customers, retailers and other payment providers are able to rely on secure, seamless mobile identity checks to verify user identity, silently authenticate users into apps and websites and check for fraud signals without impacting the user journey. Genuine customers are able to purchase and pay, while those with less honest intentions can be stopped at the door.