Launching 3D Secure!


(Andre Borie) #21

Still, if the SMS fallback is allowed then I would prefer if you allow approving the transaction directly from the notification without having to open the app and enter PIN/Touch ID.


(Carl) #22

I tried to top up my phone earlier today (completely out of credit) and went through the usual motions.
On attempting to pay, the interface tried redirecting me to my bank's security check page.
This was not whitelisted by my provider and so I could not access the verify.monzo.com web page, preventing me from topping up…
I could not contact the help desk, get the SMS fallback, or call :monzo: etc.

Thankfully, WiFi was a short walk away.

I realize this is, at least partially, the responsibility of my provider.
That being said, rolling out to everyone before the edge-cases have become visible is a little bold.

On the bright side - when I did get WiFi, it worked perfectly :+1:


3D Secure merchant issues
#23

Hmm. Were you using your phone’s internet connection to top-up?

I wonder which websites your provider has whitelisted for use when out of allowance, for 3D Secure…


(Andre Borie) #24

Yet another example of mobile carrier incompetence. Why would you ever require 3DS (a feature requiring unrestricted network access) when the user is out of credits and their connection has been restricted?


(Carl) #25

When card details are stolen, one of the first checks a scammer can do is a phone top-up.
These usually (at least they used to) have minimal security and check that the card details are valid before selling them on? (I don't know what they do with the details after; I cancelled my card before I found out. This happened to me once ~5 years ago.)

More modern implementations check that the billing address matches that on record with the bank - though both of these details are readily available in a stolen wallet.

For this reason, I would actively encourage mobile carriers to enable this by default.
Whitelisting is the best approach imo, though requires actively adding new banks.


(Carl) #26

Yeah, strong 4G connection and retried multiple times. Always failed on the Monzo page.
I have not had this issue with other bank accounts since their websites (at least the 3DS parts) were whitelisted.
As far as I know, only the top-up website, payment site and external 3DS sites are whitelisted.
That being said, I haven’t tried running Angry IP Scanner. Maybe an experiment for next time :grin:


(Allie) #27

Agreed, it sounds like the approval flow isn’t ideal and goes against the idea that the phone itself is a trusted device. Maybe allow phone approvals if a setting is enabled to allow Monzo to require a secure lock screen? Just like Google Pay, so following the precedent set by those who run the platform.

Also, agreed SMS fallback isn’t ideal. Would much prefer to see an authenticator app as fallback.


(If there's the wrong end of a stick, you'll find me holding it.) #28

Nationwide told me this. They used to block my card every time I tried to top up my O2 phone online. Every time :face_with_symbols_over_mouth:

I gave up in the end and topped up by voucher at a local shop; at least that way the shopkeeper made a few pennies out of it.


(Allie) #29

This reminds me of what has to be one of the most awful 3D Secure transaction flows I’ve ever seen. Chase US. I was helping a new staff member at work, who moved here from the US for a job, get her phone set up with a GiffGaff SIM.

Now, normally Chase allows 3DS with no user input at all. But when they do decide to verify a transaction, like a £20 GiffGaff top-up, they REALLY verify it. She had to call Chase and attempt the transaction again while on the phone with them for them to approve it. Absolutely awful UX.

This is not some low-end card that would rarely see foreign use, either. It was a Chase Sapphire Reserve - a very expensive ultra-premium card marketed at jet-setters.


(Andre Borie) #30

In that case they should unrestrict the connection temporarily while the top-up is processed. Whitelisting isn’t a solution as there are thousands of banks worldwide and they are free to change their URL anytime they want.


(Carl) #31

I absolutely agree that there is a better solution out there. I thought you meant that the carriers shouldn’t enable 3DS.

If I were to implement it, I’d probably do a check on the server side to see whether the user can actually access the page before redirecting them. If not, add it to the whitelist then redirect.
(Or an iframe with button below asking if they can see the page etc.)

It took me around 30mins to cancel my contract with them. I daren’t think how long it would take to get to speak to someone technical.


(Stephen Spencer) #32

Let me add another voice to “please make the app start up faster” - I’m currently using a midrange 2017 Samsung (sorry) and it takes between 3 and 6 seconds to get to the point where the app is ready to accept my fingerprint. Is it storing and doing … something? … with every transaction since ever in a local database? Or querying a series of endpoints to find out what features I’m entitled to - nope, it still takes ages in flight mode. What is it doing? It used to be much quicker, I’m sure!

…Or put the approval as a quick action in the 3DS notification - not sure if this has the same technical holdups on Android as it does on iOS?


(Carl) #34


(Rika Raybould) #35

I wish this was the case. :joy:

There’s a major effort in play to improve the performance of the iOS app. Not sure what’s happening over on the Android side though!


(Peter Shillito) #36

Slow app and unnecessary PIN entry are the main things I don’t like about the implementation.

Either way, with the incredibly low bar set by everyone else, this implementation of 3D Secure is very good. Not perfect, but very good.


(Is Santa here yet?) #37

When it said enter PIN I thought it meant the PIN for the card I was paying money off, not the Monzo PIN :see_no_evil:


#38

If it is the app PIN then I don’t understand why Touch/Face ID (+Android equivalents) can’t be used. Card PIN I understand as it’s not stored on the device.


(Is Santa here yet?) #39

I don’t have my app locked, never have and never will.


#40

Oh, well fair enough then. Each to their own.


(Peter Shillito) #41

That’s the thing, I don’t understand why the card PIN is being used for this, or any other further authentication than just opening the app up. You don’t have to do this for any internet transaction that doesn’t use 3D Secure, why now?