[3DS] 3D Secure merchant issues

I keep getting SMS verification codes during the 3D Secure phase of paying American Express - even though the transaction was via a laptop on their website: all other merchants have been needing to be approved within the Monzo app.

This is sadly intended as it’s a slightly better user experience than people using the American Express mobile app switching to Monzo and getting logged out of American Express, therefore failing the payment entirely. 😬

Having said that, I’ve recently gotten myself an American Express card to probe at their flow and see if we can be smarter about this.

I assume the Amex app uses the phone’s inbuilt browser for the 3D Secure flow, so detecting on the user-agent won’t be possible (I don’t know if you can use JavaScript on the 3D Secure page itself to detect screen resolution and report back if it is likely to be mobile or in app).

Let me know if I can help in any way (I can intercept requests on my laptop/desktop - even under SSL - not tried on mobile though but should be possible - so I can provide HTTP headers etc).


The past few times I’ve needed to use 3D secure, I’ve tapped the notification I receive which takes me into the app, but I’m then presented with a white screen. For me to approve the transaction I then have to click ‘back’ to see my feed, where I can then click on the approval no problem.


This was fixed a few days ago 🎉


I fixed this one earlier in the week. 👍

Let me know if you’re still seeing it as of now though!

I wouldn’t recommend relying on screen resolution or user-agent… any of this could be faked by a fraudster if they want to get around 3DS.

I’m not talking about disabling/bypassing 3DS: just whether or not the authentication is performed either ‘in Monzo app’ (as it is most of the time) or if it is via SMS (as it is done for payments to Amex).

Ah, yes. So it has, I’ll get back in my box.

Hi @Rika

Did any issues around Scottish Power come across your path? Both times I tried, a couple of months back, the money came out (authorised), but the Scottish Power website said it failed. Workaround was to use a different card.

I reversed one myself and the Cops reversed the other after I sent screenshots, but not sure anything happened more generally on that front as to future attempts.

Since then I have been using SMS option in all cases with no issues, but going to be using Scottish Power later this month again…

Not so much an ‘issue’, but has the 3D Secure setup been tweaked Monzo’s end? There’s a merchant I spend with regularly and ever since 3D Secure launched I’ve had to approve every transaction. However, I just spent with them today and the payment auto-approved without me having to hit the magic button in-app to do so. I assume if something has changed this would be on Monzo’s end?

It’s certainly possible the merchant has changed something. They might have removed the requirement completely or just for certain amounts.

But Monzo have said they want to auto-approve transactions that would normally require it as long as Monzo are certain it’s you initiating it. No idea if that is being worked on. Has that happened now, @Rika?


Crossposting this here for @Rika’s attention because the more I think about it, the more showing the wrong merchant on the 3D Secure screen seems like an issue.


Could you send me a direct message with your Monzo login email? I’ll grab the identifiers I need to add it to the blacklist for this. 👍


It seems the Argos app crashes when switching out of the app during the 3DS flow. Is it possible for that to default to SMS?


I’ve just had this issue. It’s been that long since I’ve needed to pay off additional funds, rather than just the direct debit, that I tried it twice before remembering the Argos Card website will fail the payment when going through the 3D Secure page.

Get the prompt on the website from Monzo to authorise the payment in app, do this, and then the website errors out saying localhost not available. Tried it incognito too, so it’s not any extensions etc. causing it.

If you select send a text message it works perfectly. 🤦🤣

Pretty sure I’ve reported this to Argos before but as it’s very rare I’m making additional payments I’ve not chased it up with them.

I experience issues using 3D Secure with the UK national lottery website top-up procedure.

Steps to repeat:

  1. Go to add funds in my account on national lottery website.
  2. After choosing the amount, the 3D Secure iframe/window loads on the lottery website and I receive a push notification on my phone (Pixel4a / Android 11 / Monzo App version 3.69.1).
  3. Sign in to app using fingerprint and then on the approve payment screen that shows, authorise again with fingerprint.
  4. The website pauses, reloads, but the iframe containing the 3D Secure window, instead of showing a success message, logs me out of the lottery website and shows the national lottery sign-in screen inside the iframe window. The payment is not taken.

I’ve tried variations of this e.g. not tapping the push notification but going into the app separately, navigating to the ‘approve message’ in the transaction feed which occasionally seems to do the trick, but that might be because I’ve already got an active session or something? Feels like it takes two goes to get the approve message working.

Managed to capture what it looks like when it fails.



Switching to using SMS verification instead of the app verification worked.

I had this on my conveyancer’s website; switching to incognito allowed the payment to go through fine. So as a guess one of my extensions was messing up the way the webpage worked.