First Direct says customers will have to get a one-time code AND type their email address in full to pay online as it unleashes more security checks
- First Direct to ask customers to type in their email address when paying online
- Bank already sends customers a 6 digit passcode by text to confirm it’s them
- It will monitor how each customer enters their email address, including the keystrokes
- Data will be stored for up to 3 months and be compared against previous entries
- Known as ‘behavioural biometric’ data and it should be unique to each customer
First Direct customers are facing the prospect of an arduous extra security check in order to make online payments.
The bank will begin asking customers to type in their email address as well as their one-time passcode when making online card payments.
First Direct claims the decision has been made to make the payment process more secure and protect customers from fraud.
At present, First Direct sends its customers a six-digit passcode via text message to confirm it’s them when making some online purchases – these passcodes have become more frequent in recent years.
This is typical of many banks and only poses an issue if there is a problem with phone signal or if the mobile number itself has been recorded incorrectly.
However, First Direct’s new email address requirement takes the security protocol one step further.
It says the purpose isn’t about checking the email address or updating records, but about monitoring how each customer enters the email address – including the keystrokes.
It’s known as ‘behavioural biometric’ data and it should be unique to each customer.
First Direct will record this data and it’ll be stored for up to three months, so it can be compared against previous entries.
The bank will then use this data in future, together with other information like a person’s location and how they use their device, as an added measure to help it reduce the risk of fraud.
It’s important to note that an email address will not be required every time a customer chooses to authenticate an online payment – just some of the time.
Although some may welcome the heightened security, others may be concerned by the extra admin of having to type in their email address as well as the potential for online payments being more frequently declined.
It’s not clear whether typing an email address a little slower than usual, or being overseas, will mean blocked payments.
On its website First Direct states: ‘When you enter your email address, we keep a record of how it’s entered and compare it next time you make a payment.
‘If it doesn’t match, payments may not go through until we can confirm it’s you making them.
‘As fraudsters become more sophisticated, we believe it’s in the substantial public interest to include this extra layer of security to protect you and your payments from fraud.’
With banks advising customers to ignore text messages requesting personal information such as email addresses, some customers may also be forgiven for querying whether the prompt is genuine.
Can you avoid the email address security check?
There is an alternative route for those First Direct customers who don’t want to type their email address in order to receive a one-time passcode – but they’ll have to use the First Direct mobile app or a card reader.
You can log into the app by using a Digital Secure Key password or by using Touch ID or Face ID on your mobile phone. Once in, you can confirm a debit or credit card payment.
To do this, you select the First Direct app whenever you see the request to confirm a card payment while you’re checking out during an online purchase.
Once you’re on the app you can either confirm or reject the payment. To confirm, you’ll just need to use your fingerprint recognition or Digital Secure Key to confirm it’s you.
Once that’s done you then need to return to the checkout and click ‘Payment confirmed on Mobile App’ to complete the purchase.
A First Direct spokesperson said: ‘Protecting our customers against fraud is our first priority, and we see the implementation of Secure Customer Authentication as a positive step towards helping reduce fraud and make online card payments more secure.
‘Asking a customer to enter an email address together with a One Time Passcode is just one of the ways a customer can verify a payment online.
‘The primary method for customers to confirm a payment is by using the first direct mobile banking app, and we also offer a physical card reader option for those who would prefer that method.
‘We employ a range of security methods to help keep our customers safe. Behavioural biometrics is a valuable addition to our fraud-fighting toolbox, making it easier to spot fraudsters while also helping legitimate payments to be processed more quickly and with less friction.’