It has become a habit: when paying for an online purchase, a "3D Secure" page appears and asks you to enter a code received via SMS. In recent years, banks and e-merchants have adopted two-factor authentication to minimize Internet fraud. In principle, with this system, it is impossible for someone in possession of your card to make a payment on the internet without your consent, since they must enter a unique code that you have received on your smartphone.
Code by SMS: it will ultimately remain necessary for internet payments until 2022
Les Echos underlines that the fraud rate of authenticated transactions has risen to 0.07%, against 0.21% for other types of transaction, according to figures from the payment means observatory quoted by the daily. Yet using SMS to send the code is not a guarantee of absolute security. As shown in a video by security researchers at the firm Positive Technologies, it is indeed possible, by collecting certain information on a particular target, to intercept that person's SMS messages. This in turn can allow a purchase to be authenticated improperly. There is also malware that discreetly handles this. Not to mention data leaks.
This kind of attack remains rather rare and complex for the moment. But it cannot be ruled out that it will develop in the coming years. This is why both the financial institutions and the European banking watchdog, which have been aware of these flaws for several years, are pushing for the adoption of new strong authentication methods. It is in this sense that a new directive called DSP2 (PSD2, the 2nd Payment Services Directive, EU 2015/2366) was adopted on 25 November 2015, along with an additional Delegated Regulation (EU 2018/389) adopted on 27 November 2017.
In addition to setting new standards and lowering the threshold of customer liability to €50 (against €150 so far) in case of fraud, this text makes the implementation of electronic payment services on the internet easier and less expensive. It was initially to be imposed on all merchants and banks from September 14, 2019. But several countries, including France, have decided to postpone its implementation, for varying durations. In France, it will be necessary to wait another three years, until 2022, for the SMS to be replaced by a code to enter in a banking application and/or by biometric data.
The United Kingdom has for its part postponed its application to March 2020. Germany, meanwhile, has not announced a deadline, according to Les Echos. In addition to these three countries, Spain and Italy have also chosen to postpone its entry into force. The reason is the same everywhere: online merchants have trouble adjusting in time. Nevertheless, at the end of this suspension, the States will be legally able to oblige all the actors to comply with the legislation.
Source: Les Echos