Visa text messages: new security measure could replace your old password

Your old Verified by Visa password could soon be replaced with a one-time passcode sent by text. Time to check your bank has your correct contact information.

Visa cardholders have been urged to ensure their contact details are up to date as they could soon be required to enter a passcode sent via text message in order to make online purchases.

Up until now, shoppers have occasionally been asked to provide certain characters of their ‘Verified by Visa’ password as a second layer of security.

Soon, this will be replaced by a text message with a one-time passcode (OTP), which you’ll then have to type in to complete your transaction.

This won’t happen on every transaction, but it’ll likely happen more often, as we’ll explain shortly.

We should also stress that Visa customers won’t have to receive the OTP by text, and can instead opt to receive it by email.

Here’s a full breakdown of what’s changing, why, and what it means for your shopping habits.


New EU rules behind the change

At present, just 1-2% of all online transactions require cardholder authentication, according to Mastercard.

However, this will jump sharply to 25% in September 2019 as part of new EU regulations.

With passwords being seen as an increasingly outdated method, banks and payment firms are looking at new ways to beef up security when shopping online.

First Direct has been the first bank to blink, notifying its customers of its planned move to text-based authentication.

You can see a screengrab of the email below, which was sent to one of the loveMONEY team last month.

In the email, the bank explained:

We wanted to let you know about a new security upgrade that’s being made to the Verified by Visa authentication process which helps protect you when you pay online with your debit or credit card.

When you do this, you can be asked to enter characters from your Verified by Visa password for some transactions. But soon this will be replaced by a one-time passcode (OTP) sent directly to your mobile phone via text message.

What you need to do

To make sure you get this OTP when you need it, we need you to provide your mobile phone number. You can do this by sending us a message using the ‘anything else’ option via Online Banking or give us a call on the number below so we can update it for you.

It’s also important we have your correct email address – if we don’t have your mobile phone number, we may be able to email the OTP to you instead. You can check and update your email address via Online Banking or by giving us a call on the number below.

We’re sorry we need to ask you to do this but if we don’t have the right contact details and we can’t confirm a transaction’s genuine, we may not be able to process it and we really don’t want to get to that stage.

Text message from first direct (Image: loveMONEY)

Who will be affected by the change?

It’s expected that other banks will begin contacting their customers to inform them of similar changes.

As Visa explained to finance site This is Money: “We recently introduced a new rule designed to encourage card issuers to move away from the use of passwords which will strengthen authentication for online payments, and this means that customers will increasingly see the use of OTPs when they make online payments with a Visa card.

“Although all Visa card-issuing banks will support this increased level of security, alternatives are available should customers feel uncomfortable or unable to use an OTP.

“Customers should contact their card-issuing bank to discuss their options.”

There’s no word yet on any changes affecting Mastercard, but it seems likely it will also seek to make changes.

It’s worth noting that, in a press briefing earlier this month, Mastercard described the use of passwords to authenticate a shopper as “woefully outdated”.

We’ll update this piece if and when there are any further announcements.

How safe is text message authentication?

There will naturally be concerns that a move to text message authentication will open the door to fraudsters (although remember you can choose email as an alternative).

As we’ve reported on numerous occasions, criminals are able to spoof a bank’s number and have their text messages appear within an existing thread, making them seem more believable.

If you receive a message from your bank referencing an OTP when you weren’t expecting one, it’s vital you follow best practice: don’t click on any links, don’t respond to it, and contact your bank using a number you looked up separately to learn more.
