Interesting SCA article

Key paragraph…

“The Financial Conduct Authority has indicated it will delay the enforcement of the new rules to give the industry more time to implement them and keep online tills ringing”

There is also info from a recent survey saying 75% of online retailers are not even aware of the new rules, let alone when they come into force and steps they must take.


What a ridiculous headline. All verification has to give the option of either a mobile text or an email.

Given that you must be on some sort of device that receives emails if you are making an online purchase in the first place then no one will be excluded or “frozen out”

Assuming the device you’re on receives emails and/or texts!

I’ve a dual sim phone, voda and three sim installed, I get no signal at home on either. There is no network that works at home. I also don’t have email on it 24/7 as I don’t want to be annoyed by emails all the time. They are set to be off from 7pm to 9am.

As an online shopper I don’t want to be forced to have emails arrive at my phone all the time, just so I can shop online.

I think Google authenticator is the solution to SCA, but I’m yet to really dig into the regs. That’s a task I’ve earmarked for week commencing 5th Aug.

Regardless though, considering the impact this will have, it’s been very poorly communicated and almost no one is actually ready, least of all the banks who are the ones it’s been done for!

But back to your point… When has a headline ever NOT been OTT?

Then either don’t shop between those hours or turn on email if you really need to buy something.

Seems like this is beyond a first world complaint.

Damn right!

But, daft headlines and my personal email/mobile preferences aside, the point is, as buried in that article, no one is prepared, and as most haven’t even worked out how the regs are going to be interpreted, let alone put systems in place, we’re heading for an almighty shitstorm, for which the only real option as of now is a postponement of their roll-out. Which appears to be the position of the ICO, but in the present climate, the EU might feel differently. Their position I guess depends on how ready the rest of the EU is, and my guess is, they are also not at all ready!

Yep, completely. I have already made several purchases where this has been implemented though and all my 3D secure transactions through the bank are showing a dialog that I need to accept advising me that a pin code may be emailed or texted to me.

And really, we both know that that ain’t gonna work in the real world.

Many online purchases are impulse. I spent years analysing the psychology of the typical online buyer. Many want a barrier to completion, so they have a get out. They see a purchase when there wasn’t a barrier as “not my fault”. It’s a weird mentality but it is real.

I first saw it in retail, then soon after online retail became big the exact same thing was present.

Asking a buyer to wait for a text, or email, or anything that isn’t 100% instant is going to kill a large percentage of online purchases. And the payment gateways, plus of course the retailer, will not accept that.

I’ve been using/testing Google Authenticator a lot recently and it’s extremely reliable and almost instant: so far, by the time I’ve launched the app the code is there waiting.

The mainstream banks don’t understand tech. Never have. They genuinely think email and texts will work, but we all know in the real world they won’t.

I’ve no doubt that Google is ahead of the game with Authenticator and it will soon become the default solution, it’s just a matter of how long the banks resist.

And of course, it will give Google yet another data source for your online habits. As if they don’t already know all there is to know about you!

Should add, I do my personal banking with Starling and business banking with Tide, both app based “banks”. My understanding is that they can turn on SCA authentication at the flick of a switch, as can many other app based “banks”. But the mainstream banks who also have apps haven’t as yet even started to seriously look at integration. Dumb fuckers.

Completely agree and this in the most part is the reason for the ubiquity of Amazon purchases in my house. You don’t even need to put in the CVC code to purchase each time it is just instant.

To be fair to RBS Group, on the times that the 2FA authentication has been required, the code has been there in a text message before I’ve even picked up the phone from the side of the computer, just like Google auth does. Perhaps they have learnt something from the past or perhaps it is just piss easy and so even the banks can implement it. Whichever, my experience with mainstream banks has been seamless in this respect so far.

In addition to this, for the past year or so, I have received instant text messages on occasions when their heuristics have picked up spurious purchases. I just have to reply yes or no before the transaction is allowed. On one of these occasions, it was a payment of just under £5k in Madrid which got instantly stopped.

Anything that stops people nicking my cash is good in my book. If this makes it slightly more difficult for me to purchase nonsense quickly then it’s a price worth paying. I don’t believe it will kill a large percentage of online purchases if it is implemented across the board. It is still infinitely quicker and more accessible than having to wait until the weekend and go to the shops. If businesses are reliant on compulsive purchases that will all dry up if people have to wait 10 sec before pressing the buy button then there is something very wrong.


There has been something very wrong with pretty much all society for many years now!

As you know, online retail has invested most money in making the checkout process as smooth as possible. SCA will throw a huge spanner onto this process and it will ultimately drive the smaller player out of business whilst further consolidating the big boys, a la Amazon.

Problem with texts is it’s reliant on a system that is woefully under invested and managed by companies who are at best, inept.

I must be misunderstanding the issue then. When I purchase, the 2FA text is at the point where the 3D secure password used to be. This is after we have pressed the buy button and is just as quick as the 3D secure password was. These are for purchases from small independent retailers.
In addition, my 3D p/w has been hacked twice over the years. This would seem more secure and as a consumer that is all I am bothered about.

Re Amazon, it would seem that their advantage is that they don’t bother with CVC card numbers - presumably because they think it is cost effective for them just to ride the percentage that are fraudulent.
If they were forced into 2FA the same as small businesses then surely the playing field would be more level and equitable and not less.

No, I think we’re just looking at it from different angles. Perhaps because you are experiencing things differently to me given the fact you have mobile coverage where you are. I don’t, as don’t large parts of NI, so I guess I’m basing my opinions on where this is going on a very different experience.

3D secure password is a guaranteed instant solution, assuming you can remember it! Anything that relies on additional services (text, email, etc.) is going to cause real headaches in practice.

But of course, as we’ve discussed, this is a problem to be fixed once the retailers/processors actually get to that point. Most haven’t even looked at implementing extended security!

I get all that, it is just that I maintain that if people have internet in the first place to make a purchase then 99.9% of them will have email turned on. I don’t think the 0.1% of people who refuse to have email turned on will make a perceptible difference to businesses.
Most people only have a computer or smartphone at home for email and internet in the first place. They would not even know how to mute the email.

Having dealt with the online buying general public for nearly 20 years, I’d wager that the majority still check emails infrequently at best. Many wouldn’t know how to collect new emails at the drop of a hat, and of those, most won’t even know what the spam box is.