3D secure via SMS not always shown? (e.g. Three)


99% of the time, when I get a 3D secure dialog I get something like this:

Where I’m prompted to approve in-app or with a fallback to SMS. Sometimes when I’m out of mobile credit, I want to top-up my phone. Three (my carrier) let you use the internet just on their website when you’ve no credit — so you get as far as the payment page and get the “Approve in-app” dialog, but this time there’s no link to “Send SMS”.

Because I don’t have any credit, I can’t approve in-app so this is the time SMS would be the most useful. Is this something that:

  1. I can configure somehow (presume not, I’ve searched for an ‘always show SMS’ link or similar but can’t find anything)
  2. Something that Three need to pick up about their 3D secure integration?
  3. Something that Monzo can enable so that it’s always there?

Not sure if this is a feature idea or a bug report or what, so said I’d just put it in general help :sweat_smile: Please feel free to move if there’s a more suitable home.

1 Like

SMS is going to be removed as an option in the near future. It already has been removed for a lot of transactions

1 Like

Ah that’s a shame — I guess this is one of the scenarios it’s already been removed so.

It’s one thing that I find more awkward via Monzo than another bank (which I no longer have!) as it means if you run out of credit while out & about you need to find some public WiFi to top-up. Nice to have a back-up auth method in these situations, though appreciate SMS validation is a security risk so it’s probably doing me a favour here :slightly_smiling_face:

An alternative could be having the app generate a one-time password as a back-up auth mechanism — that way you wouldn’t need internet to approve it (app can keep generating them even if offline) & you avoid the security issues of SMS.

Just to fill in what might be happening here (I work for a mobile network). Three will likely be using something called ‘zero rated’, where certain traffic - ie the Three website is accesible even without any data or credit left on the account. This is for exactly this reason.

The challenge with the Monzo 3D secure window, is this will likely be some form of embedded iframe - which will be a different Mastercard or Monzo website. Ie this traffic will not be zero rated, therefore this will not load (unless you have date, credit or WiFi).

Hey Aaron, cheers for that insight — I noticed that previous before — that Monzo iFrame wouldn’t load at all at this stage. They seemed to fix that awhile ago though (I guess from Three’s side to zero-rate the frame), but now the SMS option is missing (so it affectively makes it pointless :sweat_smile:)

1 Like

I think this is because 3DSv2 doesn’t support SMS but retailers have to enable 3DSv2. In this case Three haven’t so it defaults to 3DSv1 which still supports SMS.

1 Like

Hey Dan,

Ah OK that makes sense. I guess in this case Three have enabled the v2 then as they don’t have the SMS option (the screenshot above is another vendor just to illustrate what I was looking for).

I guess that answers my question so, thanks! As I say, if there is an alternative option for some out-of-band authentication that doesn’t require internet access (e.g. OTP generated on device) that would be amazing. Can appreciate it wouldn’t be high priority for many people though.

Alternatively, IIRC, I think I had Amex ask me if I wanted to pre-approve some vendors before as part of the 3D secure flow to lower their risk score so I’d be less likely to hit verification at all.

Now moving this very in the direction of feature request, but would something like that be possible? E.g. a way to say “If it’s Three UK and the value is below £20” don’t challenge? Not sure if that’s something for Three or Monzo though to be honest.


Looking at this from another angle, is it worth suggesting to Three that they zero-rate Monzo.com so that the app verification will work? I realise this is unlikely to be a successful approach, but you never know they might consider it (especially as they have sorted out the 3D secure iframe issue).

1 Like

It pulls the 3D secure ‘application’ externally, so they’re probably trying to use data for it, but can’t because you’re out of credit

Recommendation - if this is your primary number, get a cheap contract (they can literally be as low as £2 a month

Compare The Best SIM Only Deals 2021 | MoneySuperMarket

I’m reminded of a local pub that installed a wifi hotspot that authenticated using facebook… and forgot to whitelist facebook, so it couldn’t be used. It was like that for weeks (presumably because they’d just bought a package and didn’t have a clue how it actually worked).

It’s a problem for three to fix - all banks will have the issue in some form… probably they should just open the connection to everywhere during the authentication phase, which is likely to be only a minute.

1 Like

yeah that’s a good shout actually — worth trying! Zero-rating the iFrame itself has shown that they’re willing to accommodate this to some degree so maybe they will go the extra mile & do it.

1 Like