Why is Mastercard 3D secure so inconsistent in when it’s applied? How can I turn it off or stop it from coming up on sites I frequent regularly?
It’s really frustrating having to use it on frequently used websites I go on (Deliveroo, train tickets, some other regular shops I use etc.) which I must use 10-20 or so times a week. I’m not glued to my phone all the time, it’s often on charge, in my bag or not always immediately near me when I’m making purchases.
Has also caught me out on a couple of occasions when I’ve gone out only with my secondary phone. I know I’m probably in the minority who own two phones, but I don’t take my primary phone out all the time as it has a lot of personal information stored on it, loads of 2FA apps etc that are a pain to re-set up and when I’m out I don’t really want access to e-mails, messengers, social media, etc…
So there’s been a couple of times when I’ve tried to order food at a pub or restaurant on their website/app and been prompted… only to remember that the sodding app is on my primary phone… and then having to faff about downloading the app, downloading e-mail app, logging into my e-mails to login to the app with…
I’d be OK with it if I felt like it was actually helpful - but I don’t feel it is - the other day it didn’t come up on a new website I’ve never visited before for what to me is an unusually large purchase? So… what’s the point if it’s only going to annoy me on places I visit frequently and not unusual purchases?
Yes, and also an Apple Watch app to be able to approve from your unlocked Watch if you have not taken your phone out with you.
Microsoft Authenticator, for example, allows you to approve logins directly on your watch straight from the notification.
American Express also allow you to do this and, as @ndrw said, were actually first to do so.
I am not quite sure how it would affect refund eligibility if genuine fraud occurred. Would the bank try to say it was your fault (you’d “been negligent”) by trusting a retailer?
I doubt that’d wash anywhere. They’d have a hard time saying that using a feature they’ve built in to the app themselves is ‘grossly negligent’ on the user’s part.
Yes, I imagine they would if you escalated it into a complaint, but at least initially they may try to fob you off?
3D Secure creates a liability shift from the retailer to the bank and this feature effectively auto-approves a transaction at the bank side with no intervention, so the retailer has done their bit, 3D Secure wise, by triggering the check in the first place. Therefore the burden of fraud would be with the bank, or the customer potentially if they failed to notice the transaction and query it. In that scenario, it’s easy to see why most banks don’t want to implement the feature as it would open them up to greater potential for losses for basically no benefit to the bank.
Customers might not like it, but every bank uses 3D Secure so they aren’t going to switch over this anyway - I would think.
We use an authenticator at work to get into systems and honestly the ability to approve a notification from my watch is a game changer. Would love for Monzo to offer similar.
I haven’t been on this forum for ages, but the way Monzo handles 3D Secure transactions is really frustrating. I wish Monzo added the approve button as a rich notification.
SMS codes were great, they integrated really well with Safari and the iOS keyboard, but they seem to be no more. Some applications kill the session if you go off them and you end up having to use a different card. Amex do it really well, they have a trusted list, and they still send you a text message code.
I get that merchants decide on when to use 3D Secure, but why can’t Monzo give us a choice on how to handle it on the other end?
It would appear to be because the specifications for the updated 3D Secure protocol don’t allow for it:
It may be worth reporting any issues you have with apps killing the session via the in-app chat so that Monzo can look into it and see if there’s anything they can do to work around it.
If you’re making payments on the same device as the one that has your Monzo app on - you should be able to opt for an SMS code if the Merchant allows for this type of verification.
If you’re still having issues try another device than the one your app is on?
Lloyds Banking Group have implemented the new version of 3D Secure to allow you to choose how to authenticate. Initially, it shows a page telling you to continue in app, but there is a link to press for something like “can’t use the app right now” which lets you select to get a text or call, all right within the 3D Secure iframe. It’s quite a good approach and, failing a rich notification, is what I would like Monzo to do. Then you could authenticate with SMS if you were on the same device as your Monzo app, ensuring you didn’t lose the transaction.
There was FCA Guidance released, I seem to remember, which indicated that the FCA don’t consider SMS to be secure enough to use for Secure Customer Authentication (which 3D Secure is part of). So, technically, I think Dan was right there but many banks seem to have simply ignored this guidance and the FCA doesn’t seem to have been bothered about it. In reality, it still seems like SMS is generally accepted especially as a fallback, with other methods preferred. Since it is not generally used if only a fallback, that is a good balance between security and convenience.
I think this is only to an extent.
So if your phone is with you, you get a rich notification, and respond on the watch - that all works even without a watch app.
But if you have a cellular Apple Watch and want to respond to a notification without having your phone nearby, I think that needs a watch app to be able to process it? I assume that’s why Microsoft Authenticator, for example, also comes with a watch app (otherwise there would be little point).