Launching 3D Secure!


(Beatrice Borbon) #1

3D Secure is now available for everyone! So you’ll have extra security when making online purchases on supported websites!

Check out the blog post for details on how it works, and how we built it:

Thanks to everyone who gave us feedback on 3D Secure in Monzo Labs! It really helped us make sure the feature was the best it could be :hot_coral_heart:


(Alex Ryder) #2

Just realised it wasn’t in labs lolll


#3

Does this mean it’s compulsory for everyone?


(Daniel Chatfield) #4

Yes


(Jack) #5

Great work from the team here! So so much better than any other bank’s implementation :clap:t3:


#6

Really liking the “What we learnt from testing” sections in these blog posts.


(If there's the wrong end of a stick, you'll find me holding it.) #7

Anyone would think Monzo keep adding features solely in the hope that I’ll run out of reasons not to go #FullMonzo :joy:


(Jack) #8

That’s their plan :wink:

Make it so good that it’s an obvious choice.


(If there's the wrong end of a stick, you'll find me holding it.) #9

Fiendish and cunning!


(Kolok) #10

Can we also add an option to receive the code by email so we can still buy things when phones are lost, etc.? I feel there has to be a contingency for emergencies.

At least with the regular implementation you could enter your password in this case.

I was also thinking of an implementation of maybe something like: if the servers see the app has been offline for some time, then allow a password or email code.

Edit: as @Rjevski said below, SMS authentication isn’t secure. I feel we should at least have the option of turning it off; alternative options for apps that you can’t leave mid-transaction could be email codes, which is the same security the Monzo app login has.

Also, why can’t we just press allow in the notification swipe-down? This will save leaving the app and is essentially as secure as reading an SMS in the notification bar and typing it in on the payment page.


#11

Glad to see it launched and no issues with it.


(Andre Borie) #12

Would I please be able to get an answer to this? Already asked before and no response either.

As it stands the implementation is quite annoying while adding zero extra security, as any fraudsters would just use the SMS fallback; so either enforce the extra security by nixing SMS fallback, or stop the security theatre and don’t require PIN/Touch ID for in-app approvals.


(Rika Raybould) #13

The honest answer is that the attack I believe you’re implying isn’t the major concern in the 3D Secure threat model.

The main thing 3D Secure attempts to protect against is mass usage of stolen card numbers such as the kind we saw in the Ticketmaster breach. In almost all of these cases, a fraudster would not know the cardholder’s phone number so would not be able to perform this attack.

Even if phone numbers were included in a breach and connected to the card information, it would still require a comparatively enormous step up in complexity and cost to perform an account takeover of all of the phone numbers in an automated way to make fraudulent payments.

3D Secure 1.0 is not perfect by any stretch of the imagination (no security ever is!) but it is still a monumental improvement in protecting Monzo users against large scale merchant breaches.


(Andre Borie) #14

But if targeted attacks aren’t the main thing you’re aiming to protect against, why enforce PIN/Touch ID for in-app approvals?

3DS 1.0 is not perfect, but frankly I don’t see what can be done better; for me it seems like you’ve done everything right and the only minor issues are on your side, which can be fixed independently of 3DS 2.0.

At the moment the in-app approval flow is absolutely awful. Coupled with the app’s slowness it takes a good 5-10 seconds to get to the transaction approval screen, then type your PIN, then wait another few seconds for it to confirm and then you can get back to the merchant. It turns many one-click purchases into a good 30 seconds of messing around and I’m really not happy about that.


(Richard Bairwell) #15

A better case would be ‘Lost my phone, and trying to buy a new one online…’: perhaps add an option on https://web.monzo.com where Approvals can be granted.


(Kolok) #16

If that’s the case, why enter the app to approve? Just approve in a swipe-down.


(Rika Raybould) #17

If anybody ends up in this situation, they should contact support who will be able to help. :slightly_smiling_face:


(Peter Shillito) #18

wow. I guess people are really hyped/upset about the 3D Secure launch :rofl:

EDIT: Also, why do we have to enter the card PIN in the app to approve 3D Secure? I already have to do Face ID/Touch ID to get into the app, which also proves I have access to the phone, then tap on the feed item, then tap approve. It seems completely unnecessary.


#19


(Daniel Chatfield) #20

In the future certain transactions will not have the SMS OTP fallback option.