Mastercard 3D Secure is really irritating

It would appear to be because the specifications for the updated 3D Secure protocol don’t allow for it:

It may be worth reporting any issues you have with apps killing the session via the in-app chat so that Monzo can look into it and see if there’s anything they can do to work around it.

If you’re making payments on the same device as the one that has your Monzo app on - you should be able to opt for an SMS code if the Merchant allows for this type of verification.

If you’re still having issues try another device than the one your app is on?

1 Like

Here’s the thing with rich notifications too, for those asking for a watch app, the functionality of rich notifications carries over to the watch, so, if supported, you’d be able to confirm these from your watch as well via the notification without needing a Monzo app on the watch. It would mean it would need to be possible to approve without having to launch the app though.

Technologically, this could be done. It would be compatible with Monzo’s security model too. But I’ve no idea if the rules would allow such an approach.

If the merchant supports the new system, Monzo doesn’t offer this option, it’s not a case of the merchant needing to support it. If they support 3D Secure, they already will. It’s a case of Monzo continuing to support it, and for merchants that are ready for the new system, they don’t.

I’ve had to abandon a few checkouts because of this and go through it again with a different card that will still let me receive an SMS as a fallback.

1 Like

Lloyds Banking Group have implemented the new version of 3D Secure to allow you to choose how to authenticate. Initially, it shows a page telling you to continue in app, but there is a link to press for something like “can’t use the app right now” which lets you select to get a text or call, all right within the 3D Secure iframe. It’s quite a good approach and, failing a rich notification, is what I would like Monzo to do. Then you could authenticate with SMS if you were on the same device as your Monzo app, ensuring you didn’t lose the transaction.

There was FCA Guidance released, I seem to remember, which indicated that the FCA don’t consider SMS to be secure enough to use for Secure Customer Authentication (which 3D Secure is part of). So, technically, I think Dan was right there but many banks seem to have simply ignored this guidance and the FCA doesn’t seem to have been bothered about it. In reality, it still seems like SMS is generally accepted especially as a fallback, with other methods preferred. Since it is not generally used if only a fallback, that is a good balance between security and convenience.

I think this is only to an extent.

So if your phone is with you, you get a rich notification, and respond on the watch - that all works even without a watch app.

But if you have a cellular Apple Watch and want to respond to a notification without having your phone nearby, I think that needs a watch app to be able to process it? I assume that’s why Microsoft Authenticator, for example, also comes with a watch app (otherwise there would be little point).

2 Likes

I was using Monzo for my daily Apple Pay spends for in-person shopping, and when I started using it online, I immediately became frustrated. Grabbing my phone means tons of distractions, and sometimes it’s not even nearby in my example. Not being able to receive SMS codes on my Mac is a terrible user experience.

1 Like

The best “solution” to this, really, is if more websites support Apple Pay and Google Pay.

That way, you would have a much easier way to checkout and pay online - but unfortunately they haven’t really caught on for online payments in the way they perhaps could have done.

The other idea that could make 3D Secure better, which I would like to see Monzo implement, is some kind of “Express List” of approved merchants. American Express and NewDay credit cards do this. Basically, you go through 3D Secure once (fully verifying yourself) and after that you can add the merchant to an approved list using the app. This means you won’t need to authenticate again, and 3D Secure will automatically go through next time without further authentication because you’ve already pre-emptively approved transactions at that merchant. Of course, alongside this there are also spot checks and risk algorithms applied to the transaction, so you may still be asked to verify if the system identifies the payment as unusual - but it will be much less frequent and therefore much less disruptive, while remaining secure.

If you no longer want a merchant on your express list, it’s also easy to remove them using the relevant app in the case of both NewDay and Amex.

I can’t see any reason why Monzo couldn’t behave exactly the same way.

I know there was some discussion about this above but there was never any official word from Monzo either way on why they couldn’t/wouldn’t support it or whether they would look into it further.

2 Likes
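The “Express List” mechanism described in the post above (authenticate fully once, trust the merchant, skip the challenge on later payments unless the risk engine flags something, remove the merchant whenever you like) is simple enough to sketch as an issuer-side decision routine. The following is an added illustration and is not Monzo’s, Amex’s or NewDay’s code; the merchant ids, the risk rules, the threshold and the amounts are all constructed for the example.

```python
"""Toy issuer-side 3D Secure decision with an 'express list' of trusted merchants.

Added illustration only. Models the flow described in the thread:
  * a merchant can be added to the list only after a fully authenticated
    (SCA) payment has just completed,
  * a payment at a listed merchant goes through frictionlessly unless the
    (hypothetical) risk engine scores it as unusual,
  * the cardholder can remove a merchant at any time.
"""
from dataclasses import dataclass, field

CHALLENGE = "challenge"        # cardholder must authenticate (e.g. in the app)
FRICTIONLESS = "frictionless"  # approved without a challenge

RISK_THRESHOLD = 50            # constructed value: scores at or above this are challenged


@dataclass
class Transaction:
    merchant_id: str
    amount_pence: int
    country: str               # merchant country; hypothetical risk signal


@dataclass
class Cardholder:
    home_country: str
    typical_amount_pence: int  # rolling typical spend; constructed value
    express_list: set = field(default_factory=set)


def risk_score(card: Cardholder, tx: Transaction) -> int:
    """Hypothetical risk engine: 0 means normal, higher means more unusual."""
    score = 0
    if tx.country != card.home_country:
        score += 40            # cross-border payment
    if tx.amount_pence > 5 * card.typical_amount_pence:
        score += 50            # far above the cardholder's usual spend
    return score


def decide(card: Cardholder, tx: Transaction) -> str:
    """Frictionless only for a trusted merchant that the risk engine does not flag."""
    if tx.merchant_id in card.express_list and risk_score(card, tx) < RISK_THRESHOLD:
        return FRICTIONLESS
    return CHALLENGE


def add_to_express_list(card: Cardholder, merchant_id: str, sca_completed: bool) -> None:
    """Trusting a merchant is only allowed straight after a fully authenticated payment."""
    if not sca_completed:
        raise PermissionError("merchant can only be trusted after an SCA-authenticated payment")
    card.express_list.add(merchant_id)


def remove_from_express_list(card: Cardholder, merchant_id: str) -> None:
    """Cardholder-initiated removal; the next payment there is challenged again."""
    card.express_list.discard(merchant_id)


def simulate() -> list:
    """Walk one cardholder through the lifecycle; returns the decisions made."""
    card = Cardholder(home_country="GB", typical_amount_pence=2500)
    usual_shop = Transaction("merchant-123", 3000, "GB")
    decisions = []

    decisions.append(decide(card, usual_shop))       # not yet trusted: challenge
    add_to_express_list(card, usual_shop.merchant_id, sca_completed=True)
    decisions.append(decide(card, usual_shop))       # trusted, normal: frictionless

    unusual = Transaction("merchant-123", 50000, "US")
    decisions.append(decide(card, unusual))          # trusted but risky: spot check

    remove_from_express_list(card, usual_shop.merchant_id)
    decisions.append(decide(card, usual_shop))       # removed: challenge again
    return decisions


if __name__ == "__main__":
    for step, outcome in enumerate(simulate(), 1):
        print(f"payment {step}: {outcome}")
```

The point of the `sca_completed` guard is that the list can only grow as a consequence of a successful full authentication, so an attacker with card details alone cannot quietly whitelist a merchant; the risk check on every listed payment is what keeps the list from becoming an unconditional bypass.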

I’m pretty sure years ago they used to support app or SMS verify? And the SMS option was phased out for ‘security’ reasons?

I wish they had an express list like Amex too.

1 Like

The SMS option was phased out on the basis that:

  1. It was part of “3D Secure 1.0” which was being replaced.

  2. That replacement was due to EU-directive PSD2 which required Strong Consumer Authentication, basically meaning that 3D Secure needed to be upgraded to be PSD2 compliant. That led to 3D Secure 2.0 which complied with SCA. Single-factor transaction approvals - such as characters from a Mastercard Securecode password - are no longer acceptable. 3D Secure 2.0 needed to use genuine 2 factor authentication instead. Both the UK’s FCA and the EU’s EBA issued “advisory” notices that they deemed SMS to be insufficiently secure in meeting SCA obligations, so Monzo (correctly) didn’t implement an SMS fallback for 3D Secure 2.0 - however, many other financial institutions ignored this and continued to use SMS. As far as I’m aware, no action has been taken against them.

  3. There is, perhaps, debate about whether Express List is SCA compliant or not. It’s not exactly been tested in court, but Amex and NewDay don’t seem to have got in trouble so far! Even if it is allowed, it would potentially open the bank allowing it up to a higher risk of fraud - so Monzo may not want to support it.

3 Likes

Everybody moaning that it’s annoying, don’t moan when your card gets cloned and you get a bunch of fraudulent transactions.

Doesn’t bother me. I don’t shop online much though to be fair.

2 Likes

IMO, the fact this is annoying means they absolutely should moan if that happens under the protection of such a system. Because it means the protections they find annoying haven’t protected them at all.

What’s the point in protections, if they don’t protect you? You’d be well justified in moaning in that instance. More so, even.

2 Likes

Indeed.

I’m not that annoyed by it, but I recognise that there are various situations where 3D Secure can cause a problem and obviously if/when that happens, it can be a major source of frustration for people.

The 3D Secure window, even now with version 2.0, is not very well optimised and often appears as a small box. This makes it difficult to read and engage with for people with disabilities, partially sighted, etc. A lot of elderly people, in my experience, don’t really understand what 3D Secure is or how it works and struggle with the extra steps to make a payment. They also worry that the 3D Secure process itself could be part of an elaborate scam.

The other big problem, which generally applies to everyone, is making payments on mobile devices. As I said before, the 3D Secure prompts are generally not well designed across the board (all banks) and are often difficult on a small screen as they don’t scale properly - being reliant on iframes. Additionally, there is the problem on a single-task-at-once device, such as a phone, of needing to switch back and forth between the app/browser where you are making the payment and the banking app you need to use to approve it. Often, the low RAM on mobile devices results in a difficult experience or a timeout of the payment while trying to open the bank app.

Basically, there are several ways it could be improved so why not consider those improvements?

Nobody here is complaining for the sake of it, these are real concerns and issues.

2 Likes

Not saying that it could never happen, as some websites seem dedicated to dubious design, but I thought, and tend to find, that version 2.0 was essentially without a timeout.

1 Like

I believe it is, yes.
The normal timeout now is around 10 minutes.

However, what I was really alluding to was more the fact that if you switch apps, then go back to the browser, it may not be held in RAM and the page may not resume properly once you go to refresh it. So effectively a timeout through a dropped web session, rather than 3D Secure enforcing a timeout (if that makes any sense).

2 Likes

I think you and @penner324 are violently agreeing.

I took his message to mean that folk would either moan about the protections or moan about the loss of money if those protections were removed (presumably due to the moaning).

Yup, this is exactly what happens to me a fair bit. I can’t pay Barclaycard via a card payment with Monzo anymore for instance. Because when I leave the app to authenticate, Barclaycard will half the time send me back to the Home Screen of the app, or just get stuck. This isn’t overtly uncommon via web browsers either.

SMS avoided this, thanks to the code both being in the notification text, and able to be autofilled.

Another solution would be the ability to authenticate directly from the notification. Monzo have so far supported the quick action, but they don’t yet do what other apps are now doing. Prompting for FaceID there and then to perform the action directly from the notification as opposed to sending you to the app.

Support for third party authenticators would be sufficient too. There just needs to be some kind of fallback. I don’t care much what form it gets taken in. But we need one.

It’s frustrating though that we have a security solution so cumbersome, and it hasn’t actually solved the problem. My brother sent me this text just yesterday:

Second time he’s been out clubbing (last time was with Monzo and suffice to say that experience led to him closing his Monzo account) that someone’s managed to compromise his phone’s passcode, bank card PIN and card details. In this case, they got his Chase card number from his Chase app. (Or it was leaked somewhere and the night out was just coincidental timing.) Chase have since refunded the fraudulent transaction and replaced his virtual card number.

He needs to start being more careful.

Maybe?

I interpreted it differently to you. If your interpretation is the correct one, then yes I agree (to an extent, because it’s predicated on the assumption that this approach actually puts an end to such fraud; it doesn’t besides removing a very specific attack vector and only where supported).

1 Like

It doesn’t need to be tested in court - it’s perfectly legal and the option of whitelisting merchants is included within the SCA regime.

4 Likes