New requirements for authenticating online payments have been introduced in Europe as part of the second Payment Services Directive (PSD2).
The new regulations, put in place to prevent fraud, require customers to use an access code sent to their mobile phone. The code must be entered at checkout to confirm payment. This is classed as two-factor authentication (2FA), validating both the customer and the transaction.
The issues with SMS codes
The problem is that this system is easy to defraud. A fraudulent customer can buy a Pay As You Go (PAYG) SIM card, use the phone number for account registration and verification, and then get rid of the SIM card. As it is a PAYG SIM, the number wouldn’t necessarily be registered to the customer, so there is also no proven link between the phone number and the customer.
Fraudsters can also access text messages through a number of means. For example, if they know your phone number and some of your personal details (which could have been obtained via the dark web), they could contact your mobile phone provider and ask for a new SIM card to be sent out under your phone number. This is known as SIM swapping.
Making SMS verification safer with Mobile Validate
We offer Mobile Validate, which validates phone numbers and checks that the number and details aren’t available on the dark web. We can confirm that the number is active and verified, or flag that the number is blacklisted or suspect. The service returns associated subscriber, carrier and location information, and this can be done for individual numbers at point of entry or in batch.
Email Validate for those without mobile phones
Equally, verification codes can be sent by email for those without mobile phones; however, the same issues exist. For this reason we offer Email Validate, which validates an email address as active and legitimate without sending it a message. We can check whether the address is a bot account, a spam trap or suspect in any way, in order to validate its use for verification.
As part of the new Strong Customer Authentication (SCA) regulations, mobile devices will be used to share authentication codes in an effort to reduce fraud, but for this security step to actually work, mobile phone numbers will have to be checked. This can be done using Mobile Validate, to ensure it’s actually the customer using their card details to make transactions.
If you’d like to know more about these services or any others, please get in touch.