Online security systems designed to protect the confidential bank details of millions of people are being copied by fraudsters, experts say.
Some 70 million cards are enrolled into the online security systems Verified by Visa or Mastercard SecureCode, according to the UK Cards Association, with both systems based on the same software and principles.
An increasing number of banks and retailers are obliging or requesting their customers to sign up for one or other, with customers told it offers an additional layer of protection from fraudsters.
But online security experts at Cambridge University say the systems encourage people to enter their confidential information into pages that they cannot be sure are genuine, and that customers could end up liable for the loss.
"Criminals are impersonating Verified by Visa and Mastercard SecureCode websites and collecting confidential customer data, for example their password, their ATM pin [or] their card number," said Steven Murdoch of Cambridge University.
Bank customer Tina Billinge signed up to what appeared to be Verified by Visa while online, but the site she had been directed to was not genuine.
She entered her card details and set up a password, but fraudsters got hold of her confidential information.
Shortly afterwards, she noticed £90 had gone out of her account for a transaction from a website she had never visited. That purchase had gone through a Verified by Visa security process.
Mr Murdoch says after the launch of these security systems, the number of bogus sites dramatically increased.
However, Visa says this type of fraud is uncommon and it actively monitors and takes down bogus pages very quickly. The UK Cards Association, the body that represents the credit card industry, confirms that the total number of cases of fraud like this is not high.
But Mr Murdoch says if customers are victims of fraud, they could end up being liable for it.
"One concern we have is this might follow the same situation as Chip and Pin. The technology first gets introduced, the terms and conditions get changed and customers are held liable for fraud even though there's no way for them to effectively prevent it."
When Ms Billinge called her bank she was told that because the purchase was made and the buyer had entered all the information into Verified by Visa, they would not look into it.
"The bank absolutely flatly refused to investigate because it was Verified by Visa. Verified by Visa is the God that you're not allowed to question," she said.
The UK Cards Association says the existence of Verified by Visa and Mastercard SecureCode reduces fraud overall. It adds that banks should pay up unless they can prove the customer had been careless.
"We've never claimed that those systems are 100% secure," said Mark Bowerman from the association.
"However, if someone is a victim of fraud having signed up to those systems, then unless their bank has hard and fast evidence that they've acted negligently, then their bank should be making an immediate refund to them."
Ms Billinge eventually got her £90 refunded by her bank. The UK Cards Association says that where customers feel they have not been treated fairly, they can go to the Financial Ombudsman Service.
Visa says the best way to ensure a webpage is genuine is to register for Verified by Visa through a bank's website and set a personal assurance message.
This will appear each time details are entered into a bona fide Verified by Visa page. It also advises customers to check they are dealing with a reputable retailer.