SOME banks are working on plans
to kill off many of the passwords
that customers set up years ago,
The Mail on Sunday can reveal.
Under new security regulations
being introduced over an
18-month period from September
14, banks will be prevented from
allowing customers to log in online
using only a password and
memorable information such as
your mother’s maiden name. In
practice, that means banks will
force all their customers to use
codes sent to their handheld card
readers or mobile phone to
log in. As a result, some are
already working on phasing out
passwords for good. However, that
won’t necessarily make logging in
a whole lot simpler than it is today.
Nationwide is ditching the need
for ‘memorable data’ during log-
ins. Though it is currently
still available, customers
logging in this way
cannot initiate
payments to new people
or change personal
details on the account.
Eventually the option
will be completely
phased out under the
new Strong Customer
Authentication rules,
the building society told
The Mail on Sunday. Instead,
customers will log in using their
long customer number and a one-
time passcode generated by a card
reader or sent via text message.
At Barclays, customers
will have to remember a
five-digit PIN to generate
the code they need to log
in online. At First
Direct, customers will
require a username,
PIN and the answer to a
memorable question,
such as ‘What was your
first school?’ On its
website, First Direct –
which is part of HSBC
and uses largely the same log-in
requirements – says: ‘With digital
fraud and hacking at a record
high, new regulations are coming
into effect in mid-September that
are designed to help everyone’s
accounts be even safer. This
means that very soon, you won’t
be able to log in to online or mobile
banking using just your online
banking password and answer to
your memorable question. Instead,
you’ll need to use a Secure Key.’
The good news is that customers
will need to remember less
information if they set up
thumbprint or facial recognition on
their mobile phone banking apps.
98 The Mail on Sunday September 1 • 2019
A MAJOR crackdown on online fraud launches in
less than two weeks’ time – and it will herald
radical changes to the way we shop online. Under
new EU legislation – regardless of whatever happens
with Brexit – it will eventually become
almost impossible to make online purchases
worth more than £30 using only a bank card.
In a bid to stop fraudsters going on spending sprees,
retailers are being told they must also ask you to prove
that you are the cardholder when you make a purchase.
In practice, this means that you will need to enter a temporary
‘authentication’ code after you have input your
card details on a retailer’s payment page.
This code, which will be generated by your card provider,
will be sent to you by text to your mobile phone, via
your mobile banking app or in an email to the address
registered with your bank.
Banks and online retailers – from small traders to major
names such as Amazon, John Lewis, and M&S – have been
given 18 months to conform to this new system, which will
be rolled out gradually.
The Mail on Sunday understands customers of some banks
will begin to see the demands pop up as they shop at larger
retailers in the coming months – well ahead of the final deadline
to play by the new rules. Follow our definitive guide to
prepare for the online shopping security revolution.
WHY MAKE IT HARDER
TO SHOP ONLINE?
THE new rules are designed to tackle soaring online fraud.
Simply put, banks and retailers are losing the war against
crooks, who are frequently going on spending splurges
with stolen debit and credit card details.
On the dark web – a hidden corner of the internet where it
is impossible to trace users – stolen card details and the cor-
will send you a special temporary
code to the mobile phone number
that it has registered under your
name. You will then need to enter
this code into the retailer’s webpage
to complete the transaction.
You may have noticed your bank
recently asking you to confirm that
it has an up-to-date mobile phone
number linked to your account.
This is no coincidence – it has been
a vital part of the preparation work
for the new rules. In time, sources
say, banks will move to more
sophisticated methods of proving
your identity. For example, some
are understood to be working on
systems where you will be able to
log in to your mobile banking app
and use the fingerprint scanner or
facial recognition technology available
on modern smartphones to
verify a purchase.
Banks will also offer alternative
ways to verify your identity if you
don’t have a mobile phone or can’t
get a good enough signal to receive
a text message. In these instances,
your bank may offer to give you
the code as an automated message
read out over your landline.
WILL I HAVE TO DO THIS
FOR ALL PURCHASES?
NO. Under the rules, you are likely
to need to prove your identity for
most larger purchases of more than
€30 (£27). But the plans currently
allow exemptions for smaller purchases
– up to a point. For example,
you may be asked to prove your
identity once you have made five
purchases of less than £27.
Another exception may be stores
where you are a regular customer
and have an account. Think of a
website like John Lewis. If you
buy something using your card
and opt to store those card details
in your online account for future
use, the retailer will only require
you to prove your identity once,
rather than every time you make a
purchase.
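The bank-side decision and one-time code check described under HOW WILL IT WORK IN PRACTICE? and in the exemptions above, as an added Python sketch that is not from the article or any bank. The Issuer class, its method names and the five-minute code lifetime are assumptions; the €30 limit and the count of five come from the article.

```python
import hmac
import secrets
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.0  # threshold quoted in the article
MAX_EXEMPT_RUN = 5          # "five purchases" quoted in the article
OTP_TTL_SECONDS = 300       # assumption: the article gives no code lifetime


@dataclass
class Issuer:
    """Hypothetical card issuer; every name here is illustrative."""
    low_value_run: dict = field(default_factory=dict)  # card -> exempt buys since last check
    trusted: set = field(default_factory=set)          # (card, merchant) verified with stored card
    pending: dict = field(default_factory=dict)        # card -> (code, expiry, merchant or None)

    def authorise(self, card, merchant, amount_eur, now, card_on_file=False):
        """Return ('exempt', None) or ('challenge', code sent to the registered phone)."""
        if card_on_file and (card, merchant) in self.trusted:
            return "exempt", None
        run = self.low_value_run.get(card, 0)
        if amount_eur <= LOW_VALUE_LIMIT_EUR and run < MAX_EXEMPT_RUN:
            self.low_value_run[card] = run + 1
            return "exempt", None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self.pending[card] = (code, now + OTP_TTL_SECONDS, merchant if card_on_file else None)
        return "challenge", code

    def verify(self, card, submitted, now):
        """Check the code typed into the payment page; one attempt per code."""
        # pop() burns the code whether or not the guess is right, so it cannot be brute-forced
        code, expiry, merchant = self.pending.pop(card, ("", 0.0, None))
        ok = bool(code) and now <= expiry and hmac.compare_digest(
            code.encode(), submitted.encode())  # constant-time comparison
        if ok:
            self.low_value_run[card] = 0
            if merchant is not None:
                self.trusted.add((card, merchant))
        return ok
```

Here now is a timestamp in seconds supplied by the caller, which keeps the expiry check testable.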
That’s why the early industry estimates
suggest one in four transactions
will need authenticating,
Farewell to old banking passwords
By Laura Shannon
With just days to go until the starting gun is fired on the
most intensive payment card security crackdown ever...
Personal Finance
NATIONAL NEWSPAPER PERSONAL FINANCE SECTION OF THE YEAR
Will banks soon
check it’s you
shopping simply
by the way you
hold your phone?
responding names and addresses
are frequently traded between
criminals who go on to commit identity
fraud.
Many of these sensitive details
have been obtained by hackers.
Online fraud on UK retail websites
hit £265 million in 2018 – a 29
per cent rise on the previous year.
Crucially, banks nearly always
cover these fraud losses. The only
time they are allowed to refuse is
where they have evidence that the
customer was negligent with their
card details. If you have ever seen a
rogue payment on your bank statement
and have had to ask the bank
to refund it, your details may well
have been traded by criminals.
A crook who wants to commit
identity fraud needs only someone’s
long card number, the CVV
security code on the back, the name
on the card and the address where
it is registered. Some websites
accept payments with even less
information than this. Hence the
big security shake-up being
launched this month.
HOW WILL IT WORK
IN PRACTICE?
The new rules – called Strong Customer
Authentication – are the
UK’s version of an EU-wide drive
to beef up security for both online
purchases and internet banking
(see box below).
The key principle for online shopping
is introducing an extra layer
of identity checks to confound
fraudsters who try to spend using
stolen card details. One industry
source told The Mail on Sunday
that, at first, nearly all banks will
use a mobile phone SMS text message
to satisfy this extra layer of
security. In practice, what will happen
is that when you press ‘pay’ on
a retailer’s website – having already
entered your card details, name
and address as you do today – the
company will send a request to
your bank asking it to authenticate
the transaction.
When the bank receives this, it
will work out whether to allow the
transaction through or not. In about
one in four cases, estimates suggest,
the bank will require the customer
to prove they are the owner
of the card they are using to make
the purchase. To do that the bank