Is strong customer authentication working?

Entering a one-time password to complete an online transaction is now mandatory, so is strong customer authentication working? Or have fraudsters simply changed tactics?


Anyone who has shopped online recently will have already become accustomed to the extra step of having to receive and then use a one-time password (OTP) or log onto their mobile banking app to approve a purchase.

This strong customer authentication (SCA) step became mandatory in March, as ecommerce providers were obliged to ensure customers prove their identity through something they know (a password) and something they own (their mobile phone).

The measures were brought in because, according to figures from the banking and financial industries body, UK Finance, remote purchases accounted for four in five (79%) card fraud cases during 2021. By sending the legitimate customer a one-time password or asking them to log into a bank app, the hope is that fraud rates will drop. 

It will not be known how well the new measures are working until the end of the year, when UK Finance will publish fraud figures for 2022. However, Nationwide credited the technology with recording 2,000 fewer cases of fraud each month. Its research has shown that more than two in three customers, 68%, are happy to enter a texted passcode or, as the majority do, approve a payment in their banking app.

But not all companies within the industry are convinced. Tonia Luykx, VP at fraud detection business Sift, claims its figures show that, at the very least, criminals have simply changed tactics. Its network measures fraud across thousands of merchants and has seen a 41% rise in fraud attempts since SCA was introduced. This, she says, is mainly down to criminals changing tactics and using stolen card credentials on goods under the £30 limit at which SCA protection becomes mandatory.

“SCA is definitely a step in the right direction but we’re seeing fraudsters adapt,” she says.

“They’re defrauding sites by making lots of fraudulent payment attempts under SCA’s minimal payment level and then, for larger payments, they are taking over accounts so they are sent a password to complete a transaction.”

Fraudsters take over accounts by tricking people into passing on their email address and password, typically through phishing, or by duping a network into thinking a person is changing SIM cards and so needs messages sent to a new number. This new number is owned by a fraudster who will then pick up any one-time passwords without the victim knowing. 

SCA is definitely a step in the right direction but we’re seeing fraudsters adapt

Neil Downing, VP of products at TMT Analysis, reveals there has been an uplift in fraudsters using tactics such as SIM swap to circumvent SCA’s protections. Without detection technology, this fraud can be hard to spot because so many people are legitimately changing numbers that the deception continues until the victim spots unexpected charges on their accounts. 

“As an industry we see exploits against SMS vulnerabilities are on the rise, either through SIM-swapping or SIM-jacking to intercept a message, or telephony-based social engineering fraud to trick the victim into divulging the SMS one-time passcode and circumvent the security,” he says.

“However, although the industry is seeing significant growth in attacks against SCA, the risk of fraud from a reliance on password-only security is substantially greater. The humble SMS OTP is better than no SCA by orders of magnitude.” 

While security businesses commonly agree SCA is a welcome step in the right direction, there are plenty of experts who will point out the extra ‘friction’ in making a payment is having a negative impact on ecommerce. When there is an extra step to go through, consumers may think again about an impulse purchase, and many may not have a phone at their side to approve a sale.

Research from open banking payments platform, Nuapay, reveals 99% of merchants have seen at least a 5% rise in declined payments since SCA was brought in. The average rate of increase in payments not being completed is 37%. While this figure will include payments declined because of insufficient funds, Nuapay’s CEO Brian Hanrahan believes because this has always been the case, most of the rise is likely down to SCA. It is a welcome addition in the battle against fraud, he maintains, but it has had a major impact on retailers because of how it had to be implemented.

“The problem is that cards are decades old and they’re being used online, so payment providers have to put sticking plaster on them, like texted one-time-passwords, to try to make them safer,” he says. 

“That’s why we expect merchants will start using technology to allow direct payments from bank accounts because they have security built in, just by the person logging on.” 

The payments industry will not be able to say for sure whether SCA has reduced card-not-present fraud until the end of the year. It is fair to say that the tactics used to circumvent its measures were already in use to take over accounts to make fraudulent payments. They grew in popularity during the pandemic as more people started to shop online. Many were new to digital channels and the phishing methods used by criminals, making account takeover far easier. 

When 2022 fraud figures are released, industry experts believe they will likely show SCA has caused criminals to switch to lower-value fraud, meaning the number of cases may be up but individual sums involved will be down. For higher value fraud, fraudsters will likely continue to rely on phishing and social engineering tactics to trick people into passing on log-in details so their online accounts can be taken over. As ever, technology can only do so much. The biggest risk in the security chain is often the customer.