Are card firms are putting YOU at risk online as they scale back verified schemes to stop shops missing out on sales?

Vital password systems for protecting online shoppers are being brushed aside by credit card issuers to help oil the wheels of commerce.

Password safety checks have been used for many years – and are designed to give buyers 'complete confidence when shopping online'. 

They help validate that shoppers are who they say they are when making a purchase by computer.

But retailers and plastic card issuers find the checks create a barrier to sales and risk them losing custom – so in many cases the verification screen does not even appear and this extra layer of security is effectively bypassed.

Security alert: Extra layers of security are effectively bypassed

Security alert: Extra layers of security are effectively bypassed

The three most common protection systems shoppers sign up to through card issuers are Verified by Visa, MasterCard SecureCode and American Express SafeKey. 

They are not compulsory but shoppers are strongly advised by providers and anti-fraud organisations to join.

HOW VERIFICATION WORKS

The checking systems all work in a similar way – using pop-up screens at the end of an online transaction that prompts the customer to provide digits from their chosen password, or in the case of Amex, tap in a one-time code that is sent by text or email. 

Some provide a personal greeting that confirms to the buyer that the checking request is a genuine one.

These measures are primarily designed to prove the buyer is the cardholder before an online purchase is completed.

When an online business signs up to a verification system, the card issuer steps in during a transaction to verify the authenticity of the purchaser. The aim is to reduce fraud while switching any liability from the retailer to the card issuer.

VANISHING SECURITY SCREENS

Increasingly, buyers are noticing that the verification screen does not always pop up – with transactions waved through without this extra layer of security.

In some cases, even when a screen appears and the shopper fails to enter the password, the purchase goes ahead regardless. On other occasions, the screen appears momentarily and vanishes before the shopper can take action.

Christopher Caruk, from High Wycombe, Buckinghamshire, is a technology expert who helped design the UK's first chip and PIN security systems.

Fears: Mr Caruk is an IT expert who helped design the UK’s first chip and PIN security systems

Fears: Mr Caruk is an IT expert who helped design the UK's first chip and PIN security systems

Recently, he was astounded to find that a purchase for £2,000 worth of airline tickets – which he believed he had cancelled before the sale completed – still went through without his authorisation.

He says: 'The payment was taken by the merchant and accepted by my card provider HSBC, even though I did not provide the requested digits from my secret security code.'

Christopher, 54, who is married to training consultant Claudia Lima, 60, was planning to pay for the tickets using the couple's HSBC MasterCard.

But just before finalising the transaction, he noticed he had misspelt his wife's name on the flight booking.

As a result, he decided not to enter his secure code and pressed the 'cancel' button, believing the transaction would not go ahead. He was wrong. The payment was still taken.

REDUCE ABANDONED PURCHASES

SIX STEPS TO SAFER SHOPPING ONLINE 

- Look for the card issuer's pop-up screen when making an online purchase. If it is missing, then alarm bells should ring.

- Delete any email requests to sign up to a verification scheme. Instead, contact your card provider direct.

- Check you have up-to-date security software installed on your computer – some banks offer this for free.

- Watch out for spelling mistakes on websites and unusual website addresses. They might be a sign of fraud.

- Complete a purchase only if the website is secure. Look in the browser for https – the 's' stands for secure – and ensure a locked padlock or unbroken key symbol is showing.

- Find more information at getsafeonline.org.

Behind the scenes, it seems the merchant and MasterCard had completed a 'risk assessment' and decided Christopher's transaction could go ahead – irrespective of him not completing the verification process.

Businesses are scaling back the use of pop-up checking screens according to research by Visa. 

The move is to stop shoppers abandoning transactions when they cannot remember passwords – or using another form of payment.

Instead, card issuers are switching to 'risk-based authentication'. 

Here, a customer who regularly shops at a particular website from a certain computer is likely to have a purchase waved through. 

But a first-time purchase or one made from an unknown computer will trigger the password screen.

Visa says just five per cent of transactions are high risk and claims fraud levels have remained stable despite the reduced checks. 

But Christopher and Claudia's air tickets were a first-time purchase with the travel website – therefore they expected authentication to be compulsory. It was not.

Christopher says: 'It's as if I had walked into a shop, taken goods to the counter, started pulling money out of my pocket but then decided not to buy – only then to have the shop assistant run after me, take my money and force the goods on me.'

He adds: 'Such changes to online security expose buyers to fraud. It seems all someone needs to do to fraudulently use someone else's card is to press cancel when the pop-up screen asks for the security code.'

The couple contacted the travel company to inform it they had not authorised the online payment but they were rebuffed. It demanded £100 to cancel the transaction and refund the price of the tickets. 

Christopher, who went on to book the flights a second time from the same website, adds: 'HSBC wasn't interested when we told them there was a serious flaw with its security system.'

HSBC eventually agreed to issue the couple with a credit covering the flight cancellation charge but were told that if the merchant disputed it the bank would reinstate the charge.

HSBC says: 'If a customer gets to the SecureCode page, they have already confirmed to the retailer they want the item or service.

'If they cancel at that stage, the retailer can still proceed with the transaction but if they do so, it loses certain rights if the customer disputes the payment.'

The bank adds: 'Not all online retailers use verification which is why some websites won't ask for the password, such as Amazon.'

MasterCard says: 'SecureCode is not about customers authorising the transaction, that happens when they click on the 'buy' button.'

CARD NOT PRESENT RISKS

The cost of 'card not present' fraud has risen 80 per cent in the past five years. Katy Worobec, director of Financial Fraud Action UK, says this is primarily a result of the theft of card details by hackers.

She says: 'Measures taken by banks, including online verification, have stopped £6 in every £10 of attempted card fraud.'

Forgotten your password again? Just take a selfie! 

The face fits: New systems use facial recognition

The face fits: New systems use facial recognition

Passwords may soon be consigned to history for online shoppers as plans for biometric checking systems move ahead.

Last week, payments processing giant MasterCard launched 'Identity Check Mobile' that uses fingerprints or facial recognition to check a cardholder's identity. 

It will be available in the UK from next year – if card issuers choose to take it on.

Instead of a passcode, online shoppers will be asked to take a selfie on their mobile phone or use its fingerprint scanner.

A MasterCard spokesman says: 'People don't like passwords, which is why banks are looking to use risk-based assessment where they can. MasterCard's ID Check Mobile removes the need for passwords altogether, so customers can authenticate themselves with their fingerprint or a selfie.'

Representative example: If you spend £200 at a purchase interest rate of 18.9% p.a. (variable) your representative rate will be 18.9% APR (variable). Credit limits and terms may vary based on your individual circumstances. Balance transfer offers and introductory fees limited to transfer made with 60/90 days of account opening. See product specific T&Cs.;

 

The comments below have not been moderated.

The views expressed in the contents above are those of our users and do not necessarily reflect the views of MailOnline.

By posting your comment you agree to our house rules.

Who is this week's top commenter? Find out now