Card/payment protection

(mike barnett) #1

I don’t know about anyone else, but our company credit card has had money fraudulently taken off several times in the last few years.

We make sure we always enter our card online into secure websites with padlocks. However, as we are an e-commerce business we have to buy a lot of plugins for websites all the time. With the amount of credit card hijacking scripts SQL injected into sites, there are a lot of site owners unknowingly having credit numbers and details hijacked by fraudsters.

This got me thinking if there was a service that could alert you as soon as your card is used that you can verify by hitting a No or Yes button on an app. A bit like how you currently use Monzo, but for all payments you are sent a message first to approve the payment. This would be an amazing feature and what better than Monzo to do this!

In addition to put restrictions on the card usage:
i.e. allowed countries, maximum spend on any purchase, allow online or offline payments.

I can’t believe this doesn’t exist on all card providers and banks. With the amount of fraud or their own blocking systems which you have no control over, where they still allow some fraudulent payments but yet seem to block legitimate ones at the most inconvenient times.

I think this feature would be a real game changer for consumers and banks.

Monzo what are your thoughts on this? Or does anyone else have any thoughts?

If you can tell me a system out there that currently does this, I’d love to hear what it is as it certainly isn’t well advertised.

(Mike Fuller) #2

Approval of individual transactions like you suggest would need to be done at card scheme level (Mastercard or VISA) rather than by an issuer like Monzo. It would be a major change to how the networks operate so is unlikely to be implemented.

Card not present fraud remains an issue for which the main ‘solutions’ are either 3D secure or tokenisation. The latter means you are issued with an individual card number for each online transaction. This is sometimes referred to as a virtual card.

I think it’s likely that a token system (something the networks increasingly support) would be the solution and some issuers of corporate cards already provide this.

(Marcel W.) #3

It might be a good idea but I am not sure how this could be implemented. At the moment transactions in-store or online are approved/rejected within a few seconds. With a feature where transactions have to be pre-approved by the card owner the process would be delayed and it would make it more complicated.

As there is always the possibility to request a chargeback and :mondo: currently sends instant notifications I think it might be a bit redundant.

(mike barnett) #4

Thanks for your replies, guys.

Pre approval
Why is the approval of a transaction done at Mastercard or Visa level? Maybe I don’t know enough about how it works but are you not making the request to Monzo who already is holding your money? Monzo is not a virtual card as you have to debit money into it, it’s more of a prepaid card.
I imagine this may well be more complicated than it seems to me who doesn’t fully understand the process.

Pre authorised criteria.
Perhaps the real time pre authorisation is too advanced for where the banking systems are. But what about pre-set criteria? For example the maximum spend per payment which can be altered via the user’s app. If I know I’m going to make a purchase of £200 then I up the maximum limit. Other than that I could keep it around £20. It’s not a big deal if someone unauthorised takes £20 from me. I would know about it from the app notification and then block the card immediately. The idea is that when I go to make a purchase I increase the limit. Thinking about this for safety I could always set the limit to £1 and then change it as soon as I make a purchase.

If Monzo can stop payments where you don’t have sufficient funds it can surely be able to allow you to set a limit per spend too?

To also reject payments that don’t meet the pre-set criteria would be very useful. For example I know I’m not going to be making any payments outside of the UK.
Or even blocking by industry. I know I’m not going to be using my card for taxis, restaurants, gambling etc.

There are some cards (not in the UK) I have read you can do this through i.e. Discover which is a US card.

(Alex Sherwood) #5

Monzo (who do authorise every payment you make on your card) shared an explanation of how the payment process works here -

I’m pretty sure this is possible. The company that I work for, which issues virtual cards (for business use unfortunately) currently enables customers to manage this risk by generating a virtual card for each payment that the customer wants to make. That card can only be used to make a payment for the amount that the customer specifies.

Having said that, it makes sense to offer that feature because my company’s customers make so many transactions that even low levels of fraud add up. As a consumer, I’ve only experienced fraud once & that was because I tried one of Barclay’s ‘innovative’ payment features, how about you?

What you’re describing adds quite a lot of friction for seemingly not very much benefit. After all, Monzo are liable for any fraudulent transactions that are made using your card (assuming that you comply with their T’s & C’s) so they will reimburse you.

This sort of thing is difficult to manage, as you’ll see from your Monzo transactions, merchants for online / in-app transactions will end up charging you from seemingly random locations. It can be managed much more easily using the types of techniques that Monzo employs now - checking the location of your phone vs where your card is being used. Checking whether you made a transaction in an airport, just before you make a transaction in another country etc.

Again, this is definitely possible by checking the MCC code for a merchant as part of the authorisation process. But sometimes a merchant’s terminal is programmed with the wrong MCC code. I suspect that this would cause more confusion & hassle for users, who don’t know a lot about how payments work, than it’s worth.

And lastly, to pick up on your point in your first post

this definitely isn’t possible, Monzo have a limited amount of time to approve a transaction (within the 3 second sandwich process) so it can’t wait for a user to approve each transaction from their phone. That would also cause issues if a user had left their phone at home or their battery is dead.

I promise I’m not being vindictive by pointing out these issues, all of your ideas are good in theory, it’s just the benefit : friction ratio is a little bit off :scales:

(mike barnett) #6

Hi Alex, no not at all. I love troubleshooting ideas. I don’t know a huge amount about the behind the scenes.

This part got me intrigued
"After all, Monzo are liable for any fraudulent transactions that are made using your card (assuming that you comply with their T’s & C’s) so they will reimburse you."

I don’t know on a business level how much this costs banks, card providers. To us as a business, card fraud is a huge inconvenience. Someone somewhere is paying the price for this. Half a billion was lost on credit card fraud in just the United Kingdom. I’m not sure who pays for this.

Perhaps the figure is relatively too low to be concerned about. However, the time lost for businesses reporting the fraud and waiting for the reimbursement and a new card to be issued is a significant cost I’m sure, as it is to us.

From the stats we see card fraud is increasing despite the preventions banks are putting in place such as 3D Secure. The issue we see a lot of is more that card numbers are being hijacked online and used offline.

Would be great to know a forward thinking company like Monzo sees this as an issue and has ideas to counteract it.

(Alex Sherwood) #7

I agree with your comments there but just to be clear, while this type of fraud can be a significant pain for business users, in my opinion, it’s generally not a major issue for individual consumers (though there will be exceptions of course).

I’d be interested to hear more from Monzo on how transaction fraud (as opposed to fraudulent top ups which they’ve blogged about), impacts them too!

(mike barnett) #8

Yes, fair point. I’m sure Monzo must know how many reimbursements they issue or reported suspicious activities that are reported to them. As you say, if it’s very low then perhaps the gain to be had from this is not enough to warrant the development time. However, similar ‘safe features’ would be a great selling point though to those people reluctant to use their card online.

Monzo is a great service for business mainly because of the reporting on spending it can do. Whether it makes up a significant percentage of its users is another thing.

(Alex Sherwood) #9

It would be, unfortunately Tom’s said that Monzo’s not meant for business use but there are a couple of alternative providers who should be just as good, in terms of their reporting which he’s mentioned listed here -

(mike barnett) #10

OK great, I’ll check it out. User stats for fraud would be very interesting still.

(Mike Fuller) #11

The approval of a transaction is by the issuer but the process for approvals is determined by the card network.

It is certainly possible to restrict expenditure to merchant types and limit approvals to particular financial values. This is intended more to restrict employees from spending outside their authority rather than to prevent fraud.

Restrictions on merchant categories and transaction limits could be applied to minors or those with reduced capacity but generally users on personal accounts want unrestricted spending limits and the issue is more about authentication not expenditure size.

(mike barnett) #12

I personally think a dynamic maximum spend which can be controlled from the app would be an amazing feature. It means it could be used in these two ways:

Parents who give their Monzo card to their children to track spending. They could top up the card and then limit the maximum purchase amount. I know this would work very well with my children who take their card out at the weekend and we don’t want them to be making large purchases.
Users can reduce the maximum spend to £1 using the app when the card is not in use. When a purchase is going to be made it can be adjusted back up on the app. This would answer all the questions about fraud too as the most the fraudster can get is £1 or repeatedly failed purchase attempts.
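
The pre-set criteria discussed in this thread (freeze, per-payment limit, allowed countries, blocked merchant categories, online on/off) can be sketched as an issuer-side check that decides from stored settings alone, so it fits inside the authorisation time window without waiting on the cardholder. This is an added example, not Monzo's code or part of any post; all class and field names are hypothetical, the requests are constructed, and the MCC values are the standard codes for taxis (4121), eating places (5812), betting (7995) and computer software stores (5734).

```python
from dataclasses import dataclass

@dataclass
class CardControls:
    # Cardholder-set criteria from the thread; all field names are hypothetical.
    frozen: bool = False
    max_per_txn_pence: int = 2_000                 # £20 day-to-day limit
    allowed_countries: frozenset = frozenset({"GB"})
    blocked_mccs: frozenset = frozenset({"4121", "5812", "7995"})  # taxis, restaurants, gambling
    allow_online: bool = True

@dataclass
class AuthRequest:
    amount_pence: int
    country: str        # merchant country as reported in the authorisation message
    mcc: str            # merchant category code as programmed by the merchant
    card_present: bool

def authorise(req, controls, balance_pence):
    """Return (approved, reasons). Uses stored state only; never waits on the phone."""
    reasons = []
    if controls.frozen:
        reasons.append("card_frozen")
    if req.amount_pence > balance_pence:
        reasons.append("insufficient_funds")
    if req.amount_pence > controls.max_per_txn_pence:
        reasons.append("over_per_txn_limit")
    if req.country not in controls.allowed_countries:
        reasons.append("country_not_allowed")
    if req.mcc in controls.blocked_mccs:
        reasons.append("mcc_blocked")
    if not req.card_present and not controls.allow_online:
        reasons.append("online_disabled")
    return (not reasons, reasons)

# Constructed sample requests (not real transactions).
PLUGIN_200 = AuthRequest(20_000, "GB", "5734", card_present=False)  # £200 software purchase
STOLEN_USE = AuthRequest(4_500, "US", "7995", card_present=False)   # card number reused abroad
MISCODED = AuthRequest(1_200, "GB", "5812", card_present=True)      # shop terminal with a restaurant MCC

def demo():
    c = CardControls()
    before = authorise(PLUGIN_200, c, balance_pence=50_000)
    c.max_per_txn_pence = 25_000          # cardholder raises the limit in the app
    after = authorise(PLUGIN_200, c, balance_pence=50_000)
    c.max_per_txn_pence = 2_000           # and lowers it again afterwards
    return before, after, authorise(STOLEN_USE, c, 50_000), authorise(MISCODED, c, 50_000)
```

The `MISCODED` request is declined even though the purchase is legitimate, which is the wrong-MCC problem raised in post #5.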

(Jolin) #13

@mikeybarn, you can already do this with Monzo – just freeze your card and only unfreeze it when you’re going to make a purchase (remembering to freeze again afterwards). This is better than lowering the amount to £1, as it is clear that the card is ‘out of use’.

(Alex Sherwood) #14

But bear in mind that there’s a good chance that you’ll get caught out by delayed transactions if you do this…

(mike barnett) #15

DOH!!! yes of course! thanks guys!

(Jolin) #16

Yes, I’m not saying I’d necessarily recommend doing this, just that it would have the same practical effect as the “lowering limit to £1 unless making a purchase” strategy, and is available now. :smiley:

(Spanner Spencer) #17

I just received my Monzo current account card, and I was thinking that a two-factor authentication option would be good (both for the current account and the top-up card).

Something that, when active, works like Google’s security measure, where a simple “Yes/No” screen pops up on your phone’s screen when you sign in to Google on a different computer or browser.

So let’s say you use your Monzo card for a contactless payment in a shop, before it authorises the payment you have to tap the “Yes” (or “No”, if it wasn’t you) button on your phone. This could be turned on and off in the app just like freezing the card.

It’d be great for nights out, holiday, or new places you don’t entirely trust yet, while offering a little more flexibility than repeatedly freezing and unfreezing a card.

(Max Walker) #18

Good Idea and if it worked I’d give it a go but I have some thoughts…

a) From a technical standpoint it might be difficult as you’d effectively have to pause the transaction mid-way through processing to wait, I’d imagine that these things time out after a while so this could be an issue.

b) Yesterday I went to a kind of Victorian working museum in Shropshire which had no phone signal and used my card, what happens when you can’t be contacted. Another example would be paying for petrol at a rural petrol station which again raises legal questions about not being able to pay.


(Spanner Spencer) #19

It would certainly rely on having an internet connection, I agree. And it’d need to be an almost instantaneous notification, just as Google’s is. But I suppose the same is true of having your card frozen within the app – if there’s no connection, there’s no way to unfreeze it.

That’d be something out of Monzo’s control, so as users we’d have to be aware/cautious of that should we choose to turn this function on, yeah.

(Max Walker) #20

I would suggest some kind of fall-back, i.e. when you aren’t connected it would authorise, but then I’m not sure if that would make the whole idea invalid