AmEx: Online Checkout Changes, 1 Jun 2021


Sounds like interesting times ahead if VISA and Mastercard use the same process.

How would we buy anything online? :man_shrugging:

1 Like

Sadly, I do not think you are wrong.

Those threads will appear.

1 Like

It’s been planned for ages as an upgrade to 3D Secure.

Visa and Mastercard will be the same, but for most people it should be a simple case of approving requests through app push notifications.

1 Like

On several occasions already on both Starling and Nationwide, I’ve had to do an in app authorisation prior to the transaction completing. I take it this is what is being talked about?

2 Likes

Yes, that’s how payments will increasingly need to be authorised from now on. It’s still being phased in, but soon almost every online transaction will require it.

Fallback options depend on the bank, but include telephone or text-based code, card reader authentication or “token” device.

1 Like

I’ve had to use SafeKey with online transactions more recently.
It never seems like an effort really.
I will note it does seem what Starling & Monzo both do.

1 Like

I agree, it really isn’t any effort at all. I’m perfectly happy for every online transaction I make to be verified by tapping into my banking app or putting a code in from a text.

2 Likes

These fallbacks will apparently be phased out soon though. These app only banks are really gonna need to start expanding to more devices when that happens, because I’m seldom nearby my phone when at home!

1 Like

So what happens for those who aren’t registered for mobile banking?

I raised a similar concern on the Monzo forum just several days ago, in respect of legacy banks not having the infrastructure to handle this with their app.

It was implied those banks would have to use those finicky CAP devices. I would imagine it would be the same for those who don’t have mobile banking too. Personally I still struggle to grasp why we need to move away from SMS at all. It’s a good enough second factor for most other 2FA services, and it’s a universal thing that most people will have access to.

To me, this is just turning the mobile into a CAP reader and forcing them back onto people. Security theatre at its finest, now impacting the new banks who tried to set themselves apart from this.

2 Likes

Oh hell, what a fiddle. That’s going to do my (technophobic) mum’s head in :man_facepalming:

SMS would certainly be more convenient here, but an offline 2FA device such as the card readers or something linked to an app that itself has strong authentication is more secure than SMS, due to the risk of SIM swap attacks. I’ll absolutely admit, however, that the vast majority of banks have bigger security holes in their systems than this, and so SMS for now would’ve been perfectly acceptable.

I don’t know if it’s still a thing, but you used to be able to write to HSBC’s offices with an account number and sort code and request that the account be closed and all funds moved to another account (which you’d also provide the account number and sort code to in the letter). All you needed was the account holder’s signature (or a good copy of it) in the letter. Absolutely terrifying.

2 Likes

Absolutely. The risk of a swap attack is quite small though, and with push notifications, you’re likely to notice something nefarious pretty quickly anyway. For me the convenience and accessible nature of it far outweighs the risks. Especially with iCloud pushing them out to all my devices, and my devices being smart enough to extract the code from the SMS and auto fill at a tap.

In all honesty it would be nice to see Apple push out notifications to all devices via iCloud too, especially if the banks implement a mechanism to confirm and verify from within the notification itself like some Authenticator apps do with Face ID.

Speaking of authenticator apps, and their greater platform support and availability, perhaps utilising those would help bridge some of the lost convenience. Some banks do already work with these to some degree for some things. I view these as the better, more secure successor to SMS.

3 Likes

@Lonford is right, we have to move away from SMS due to the risk of SIM swap attacks making it inherently insecure.

You could argue about the realistic risk level, but the regulators have already decided that it’s not good enough.

I think we will see banks drag their heels in moving away from it, as they know it will be customer unfriendly, and Nationwide have already said that card readers may be needed if you don’t have a smartphone. So expect more banks to jump on that bandwagon!

Most seem to be looking to add 2 factor authentication to their smartphone apps as first preference, so hopefully it won’t be too painful to use that - although I can imagine it could be difficult with a clunky implementation.

2 Likes