SMS authentication of online purchases should disappear

Judged too insecure, the SMS that issues a code to validate our purchases on the Internet will have to be replaced before September 2019.

Fans of online ordering will sooner or later have to change their habits. The European Union wants to strengthen the security of online transactions, and more stringent buyer authentication requirements are therefore being introduced in Europe. Used to verify almost 85% of Internet payments, the SMS code (called SMS-OTP, for "One Time Password") will need to be replaced by more efficient identification systems.


Today, online credit card fraud accounts for 0.161% of the total amount spent on the Internet. That is one euro of fraud for every 620 euros of payments, according to the annual report of the Observatory for the Security of Payment Means. The European Commission considers this figure still too high. To combat this scourge, the second European Payment Services Directive (DSP2, PSD2 in English) officially entered into force on 13 January. Its goal is to introduce "strong authentication" rules for Internet purchases through new and more secure means of verification. "Payment validation text messages can easily be pirated today," says Bertrand Pineau, director of innovation at the e-commerce and distance selling federation (Fevad). "This is why we are working with the Banque de France and the various banks to increase the security of online purchases," he adds. Today, eight out of ten French people use their credit card directly to pay for their purchases on the Internet, reports a study by the fintech Be2bill.

New requirements for customer recognition

The part of the directive on strong authentication of means of payment, as transposed into French law, is scheduled to enter into force in September 2019. This means banks will have to comply with certain requirements. Before finalizing a payment on the Internet, they must be able to ascertain the identity of the buyer. To do this, the European Union names three recognition factors, and a payment will be certified once two of them have been verified. The recognition factors are: knowledge, where the bank asks for something that only the user knows; possession, which involves something that only the user possesses; and inherence (the intrinsic factor), which requires the verification of a physical feature of the buyer, such as facial recognition or fingerprints. Once two of these factors have been verified, and provided they are independent of one another, the online purchase can be finalized. Note that SMS authentication satisfies two of these requirements, possession (mobile phone) and knowledge (code transmitted via SMS), but because the SMS is received on the phone, they are not independent of each other.

"We do not want to run"

Although some banks are working to strengthen the security of their clients, they have been taken by surprise by this measure. "The changes required by the European Union require many innovations," says Bertrand Pineau. And while some banks are already at an advanced stage on the subject, others complain that the processing times are too short. "We (the banks and Fevad) do not want to run," says the director of innovation. "We are very worried about not disturbing the ecosystem: too abrupt changes could penalize all the parties: banks, merchants and consumers," he admits, while the end of the SMS is scheduled for September 2019. For now, "the biometric card is the most developed substitute system," he says. This new generation of cards incorporating a fingerprint sensor should be offered in January 2019 by some French banks. Other more advanced verification systems, introduced through the apps of some banks, should also appear shortly.

More security, less fluidity

As far as merchants are concerned, we know that these new authentication systems will reduce fraud. But they create new problems all the same. Strengthening security lengthens the customer journey on the site: the purchase process takes longer and the conversion rate naturally falls. Put plainly, it makes the purchase longer and more laborious for the customer, and undeniably reduces sales for merchants.

