✅ [3DS] PrivacyBadger blocked SecureCode

Issue:
I just tried to pay my MBNA credit card using my Monzo debit card (previously used direct debit/bank transfer, but wanted to use card this time) using MBNA’s payment portal on https://www.bankcardservices.co.uk/ . However, when I was redirected to the SecureCode/VbV page, things just seemed to stop (the page just sat there waiting, no prompt from the app etc.).

Investigating the Chrome browser tools network tab showed:

Outbound:

POST https://verify.monzo.com/3ds/payer-authenticate?did=3dsauth_00009bAsj1Y[omitted]
Content-Type: application/x-www-form-urlencoded
DNT: 1
Origin: https://www.bankcardservices.co.uk
Referer: https://www.bankcardservices.co.uk/NASApp/NetAccessXX/PayerAuthPaymentScreen?type=bottom&acctID=XW[omitted]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

But Monzo’s server returned:

307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade

I saw no ‘Location’ header in the response.

Details to reproduce:
Try and make a SecureCode payment, possibly using MBNA I guess?

OS:
Entirely on desktop, macOS High Sierra 10.13.6

Device:
Macbook Pro running Chrome 69

App Version:
n/a

Hi Richard, thanks for reporting! I’m an engineer currently working on the 3D Secure project. We’re trying to track down this issue.
Do you have any Chrome extensions that might trigger this behaviour? I see there’s a DNT header, so I assume you have something installed that sends it.
Could you try making the payment in an incognito session?

Cheers
Dovydas

DNT is probably sent directly by Chrome, as it is an option in settings.

To add, on the 14th September I paid my MBNA credit card using my card without a problem :thinking:

Hi @dovydas

I’ve just done a test payment with Charles Proxy installed and checked PrivacyBadger (I’ve got that and Adblock Plus installed), and it seems like it was PrivacyBadger blocking things - it can be quite aggressive on third-party sites which use cookies (I can understand why: with the 5 cookies it saw (optimizely, ga, cfduid) it flagged the iframe as an adserver - especially after observing the same on previous purchases).

I should have checked my extensions - sorry. Whitelisted now. Might be worth asking EFF to add verify.monzo.com to the whitelist (as per https://github.com/EFForg/privacybadger/pull/712 ).
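To illustrate why a 3DS verification frame gets caught this way, here is an added toy model (example code, not PrivacyBadger’s, Monzo’s or the poster’s) of a learning tracker-blocker heuristic: it counts the distinct first-party sites on which a third-party origin sets cookies and blocks it once the count reaches a threshold, unless an allow-list entry exempts it. The three-site threshold, the cookie rule and the sample observation log are assumptions.

```python
"""Toy model of a learning tracker-blocker heuristic (added example, not EFF,
Monzo or forum-poster code). A third-party origin that sets cookies inside an
iframe on several unrelated first-party sites looks exactly like a tracker."""
from collections import defaultdict
from dataclasses import dataclass

TRACKING_THRESHOLD = 3  # assumed: flagged once seen setting cookies on 3 sites


@dataclass(frozen=True)
class Observation:
    first_party: str  # hostname of the page the user visited
    third_party: str  # hostname of the embedded frame or resource
    set_cookie: bool  # whether the third party set a cookie


def site_of(host: str) -> str:
    """Collapse a hostname to its registrable site (rough eTLD+1, no PSL)."""
    parts = host.lower().split(".")
    # Treat e.g. co.uk / org.uk as a public suffix so the site is three labels.
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def learn(observations, allow_list=frozenset()):
    """Return {third_party_site: 'block' | 'allow'} learned from a browsing log."""
    seen_on = defaultdict(set)
    for obs in observations:
        fp, tp = site_of(obs.first_party), site_of(obs.third_party)
        if fp != tp and obs.set_cookie:  # cross-site cookie = tracking signal
            seen_on[tp].add(fp)
    decisions = {}
    for tp, sites in seen_on.items():
        blocked = len(sites) >= TRACKING_THRESHOLD and tp not in allow_list
        decisions[tp] = "block" if blocked else "allow"
    return decisions


# Constructed log: the same 3DS verification frame seen during three card payments.
SAMPLE_LOG = [
    Observation("www.bankcardservices.co.uk", "verify.monzo.com", True),
    Observation("shop.example", "verify.monzo.com", True),
    Observation("tickets.example", "verify.monzo.com", True),
    Observation("shop.example", "stats.example", True),  # one site only: not yet
    Observation("www.bankcardservices.co.uk", "static.example", False),
]

if __name__ == "__main__":
    print(learn(SAMPLE_LOG))                            # monzo.com -> block
    print(learn(SAMPLE_LOG, allow_list={"monzo.com"}))  # whitelisted -> allow
```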

Great! Thanks for linking the PR :pray: I’ll look into fixing issues with PrivacyBadger.