*Terms and Conditions apply

Fraud

by David Dolphin on Mar.24, 2011, under Ideas

On February 8th my Mastercard was successfully used to book a Ryanair flight between two Eastern European cities. The flight was to depart the following day, and cost €446.70.

Over the next week another Ryanair flight was booked, originating from a separate Eastern European city, along with an authorisation charge for Hotels.com. Both of these charges were declined.

On February 28th I used my Mastercard to buy petrol at Topaz beside NUIG, having left my debit card at home. When I got to a computer to pay the charge, a nasty surprise was waiting for me:


Not recognising the €446.70 charge I rang AIB. The CSR gave me details on the three charges, including the names of the passengers on the flights, flight codes and the hotel name.

AIB refunded the fraudulent charge, cancelled the compromised card and issued me a new card at no cost. I’m impressed and happy with the level of service and response from my bank, AIB.

I learned a few things from this experience:

  1. I was able to use the card legitimately after it was flagged as compromised and two further charges were denied. I like this; it shows a smart fraud-prevention algorithm that doesn’t negatively impact the customer.
  2. I had no idea so much information was transferred between businesses when payments are made on-line.
  3. I signed up for Mastercard’s SecureCode service, but individual websites must opt in. This makes the service next to useless in preventing on-line fraud, but adds an extra burden to customers who want to protect themselves when shopping on-line.

I’m a little worried about how my credit card information ended up on (presumably) an Eastern European black market. I’m cautious with on-line purchases, and only use my own laptop, meaning either:

  1. I have a virus on the Windows partition of my laptop
  2. An on-line retailer I’ve used in the past stored my information in the clear and was compromised.

Neither is a very nice situation. I might re-purpose the Windows partition to be sure. If it’s the other option, e-commerce has much bigger problems.

How could the current system be improved to help customers? Modify the CCV system to use TOTP codes. Here’s how it would work:

  1. The customer rings the bank and asks to be moved to the “two-factor system”. The bank asks whether the customer wants a fob sent out or will use a smart-phone application. If a fob, the bank activates the system on its end when the fob arrives; if a smart-phone, it activates now.
  2. Presuming a smart-phone: the customer is asked to download the phone app and is given a shared secret, which is entered into the authenticator app.
  3. The authenticator (app or fob) generates two 3-digit CCV codes every 90 seconds. One is to be used for payments processed immediately, the other for preauth payments.
  4. In the case of preauth payments, the bank keeps track of which seller the customer has assigned this preauth CCV to, and allows further payments to be charged to that card with that CCV, from that seller, for up to 30 days. This would be used for hotel room charges and the like.
  5. In the case of immediate charges, the CCV is only valid for 90 seconds and expires after that.
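The scheme above, worked through end to end as an added example (this is not code from the post; it is one possible implementation of the proposal). It assumes standard RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) with the post’s 90-second step and 3-digit codes, derives the two codes from the same secret by mixing a different tag into the HMAC input (an assumption; the post does not say how the two codes relate), accepts one step of clock skew either side, and adds two things a bank would need that the post leaves implicit: an immediate code is rejected if presented a second time inside its window, and a card is locked after a handful of wrong codes, because a 3-digit code is a 1-in-1000 guess per window and is only safe if guessing is rate-limited. Names such as `Bank`, `charge_immediate` and the lockout threshold of 5 are made up for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 90            # code lifetime from the proposal
DIGITS = 3                   # CCV-sized codes, as in the proposal
PREAUTH_DAYS = 30            # preauth binding lifetime from the proposal
SKEW_STEPS = 1               # assumption: tolerate one step of clock drift each way
MAX_FAILURES = 5             # assumption: lock the card after this many wrong codes

# Assumption: the two codes come from one secret, separated by a tag in the HMAC input.
TAG_IMMEDIATE = b"imm"
TAG_PREAUTH = b"pre"


def _counter(now: float) -> int:
    """RFC 6238 time counter: floor(now / step)."""
    return int(now) // STEP_SECONDS


def _derive_code(secret: bytes, counter: int, tag: bytes) -> str:
    """TOTP code: HMAC-SHA1 over (counter || tag), dynamic truncation, DIGITS digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter) + tag, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def authenticator_codes(secret: bytes, now: float) -> tuple[str, str]:
    """What the phone app or fob displays: (immediate CCV, preauth CCV)."""
    c = _counter(now)
    return _derive_code(secret, c, TAG_IMMEDIATE), _derive_code(secret, c, TAG_PREAUTH)


class Bank:
    """Issuer side: verifies codes, binds preauth codes to sellers, blocks replay and guessing."""

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}                        # card -> shared secret
        self.failures: dict[str, int] = {}                         # card -> wrong-code count
        self.used_immediate: set[tuple[str, int, str]] = set()     # (card, counter, code) already spent
        self.preauth: dict[tuple[str, str], tuple[str, float]] = {}  # (card, seller) -> (code, expiry)

    def enrol(self, card: str, secret: bytes) -> None:
        self.secrets[card] = secret

    def _matching_counter(self, card: str, code: str, tag: bytes, now: float):
        """Return the counter (within skew) whose code matches, else None."""
        c = _counter(now)
        for cand in range(c - SKEW_STEPS, c + SKEW_STEPS + 1):
            if hmac.compare_digest(_derive_code(self.secrets[card], cand, tag), code):
                return cand
        return None

    def _locked(self, card: str) -> bool:
        return card not in self.secrets or self.failures.get(card, 0) >= MAX_FAILURES

    def _fail(self, card: str) -> bool:
        self.failures[card] = self.failures.get(card, 0) + 1
        return False

    def charge_immediate(self, card: str, code: str, now: float) -> bool:
        """Immediate payment: code must be current and must not have been used already."""
        if self._locked(card):
            return False
        cand = self._matching_counter(card, code, TAG_IMMEDIATE, now)
        if cand is None or (card, cand, code) in self.used_immediate:
            return self._fail(card)
        self.used_immediate.add((card, cand, code))
        self.failures[card] = 0
        return True

    def charge_preauth(self, card: str, seller: str, code: str, now: float) -> bool:
        """Preauth payment: a fresh code binds (card, seller) for PREAUTH_DAYS;
        the same seller may then reuse that code until the binding expires."""
        if self._locked(card):
            return False
        bound = self.preauth.get((card, seller))
        if bound is not None:
            bound_code, expiry = bound
            if now <= expiry and hmac.compare_digest(bound_code, code):
                return True
        # No live binding for this seller: require a code that is current right now.
        if self._matching_counter(card, code, TAG_PREAUTH, now) is None:
            return self._fail(card)
        self.preauth[(card, seller)] = (code, now + PREAUTH_DAYS * 86400)
        self.failures[card] = 0
        return True


if __name__ == "__main__":
    # Constructed demo values, not real card data.
    secret, now = b"constructed-shared-secret-12345678", 1_700_000_000.0
    bank = Bank()
    bank.enrol("card-1", secret)
    imm, pre = authenticator_codes(secret, now)
    print("immediate:", bank.charge_immediate("card-1", imm, now + 5))      # True
    print("replayed :", bank.charge_immediate("card-1", imm, now + 5))      # False
    print("hotel day 1 :", bank.charge_preauth("card-1", "hotel", pre, now))
    print("hotel day 10:", bank.charge_preauth("card-1", "hotel", pre, now + 10 * 86400))
```

The replay cache and lockout are the parts that make 3-digit codes workable at all: without them a fraudster who captures one code can reuse it within its 90-second window, and one who captures none can simply try all thousand. The preauth binding is keyed on the seller, so a stolen preauth code is only useful to a seller the legitimate customer has already bound it to.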

Two-factor authentication isn’t for everyone, as it adds an extra step to on-line transactions (pulling out your phone or fob to check the code). However, it offers a greater level of protection to customers who opt in, and doesn’t require seller adoption, since sellers’ systems (should) already handle CCV codes. With SecureCode, criminals only need to avoid the on-line sellers using SecureCode, and customers can still be defrauded.

