✅ [3DS] PrivacyBadger blocked SecureCode

richyb · 28 September 2018 09:48

Issue:
I just tried to pay my MBNA credit card using my Monzo debit card (previously used direct debit/bank transfer, but wanted to use card this time) using MBNA’s payment portal on https://www.bankcardservices.co.uk/ . However, when I was redirected to the Securecode/VbV page, things just seemed to stop (page just sat waiting there, no prompt from app etc)

Investigating the Chrome browser tools network tab showed:

Outbound:

POST https://verify.monzo.com/3ds/payer-authenticate?did=3dsauth_00009bAsj1Y[omitted]
Content-Type: application/x-www-form-urlencoded
DNT: 1
Origin: https://www.bankcardservices.co.uk
Referer: https://www.bankcardservices.co.uk/NASApp/NetAccessXX/PayerAuthPaymentScreen?type=bottom&acctID=XW[omitted]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

But Monzo’s server returning:

307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade

I saw no ‘Location’ header in the response.

Details to reproduce:
Try and make a Secureccode payment possibly using MBNA I guess?

OS:
Entirely on desktop, macOS High Sierra 10.13.6

Device:
Macbook Pro running Chrome 69

App Version:
n/a

anon29276674 · 28 September 2018 11:20

Hi Richard, thanks for reporting! I’m an engineer currently working on the 3D Secure project. We’re trying to track down this issue.
Do you have any chrome extensions that might trigger this behaviour? I see there’s a DNT header so I assume you have something installed that sends it.
Could you try making the payment in an incognito session?

Cheers
Dovydas

uncle_fungus · 28 September 2018 11:25

DNT is probably sent directly by chrome, as it is an option in settings.

richyb · 28 September 2018 11:50

Hi @anon29276674

I’ve just done a test payment with Charles Proxy installed and checked PrivacyBadger (got that and Adblock Plus installed) and it seems like it was PrivacyBadger blocking things - it can be quite aggressive on third party sites which use cookies (I can understand why, with the optimizely, ga, cfduid 5 cookies it flagged the iframe as an adserver - especially after observing the same on previous purchases).

I should have checked my extensions - sorry. Whitelisted now. Might be worth asking EFF to add verify.monzo.com to the whitelist ( as per https://github.com/EFForg/privacybadger/pull/712 )

anon29276674 · 28 September 2018 12:13

Great! Thanks for linking the PR I’ll look into fixing issues with the PrivacyBadger

Topic		Replies	Views
Royal Mail "Fee to Pay" Help	15	1850	5 May 2018
3DSecure Fails on Coinbase Help	19	10853	4 December 2017
Debit card weirdness Help	11	1565	12 July 2021
Trying to make a payment online Help	9	6697	19 February 2018
3D Secure error using Monzo.me URL Monzo Chat	3	1188	1 January 2019

✅ [3DS] PrivacyBadger blocked SecureCode

Related topics