I was using Monzo for my daily Apple Pay spends for in-person shopping, and when I started using it online, I immediately became frustrated. Grabbing my phone means tons of distractions, and sometimes it’s not even nearby in my example. Not being able to receive SMS codes on my Mac is a terrible user experience.
The best “solution” to this, really, is if more websites support Apple Pay and Google Pay.
That way, you would have a much easier way to checkout and pay online - but unfortunately they haven’t really caught on for online payments in the way they perhaps could have done.
The other idea that could make 3D Secure better, which I would like to see Monzo implement, is some kind of “Express List” of approved merchants. American Express and NewDay credit cards do this. Basically, you go through 3D Secure once (fully verifying yourself) and after that you can add the merchant to an approved list using the app. This means you won’t need to authenticate again, and 3D Secure will automatically go through next time without further authentication because you’ve already pre-emptively approved transactions at that merchant. Of course, alongside this there are also spot checks and risk algorithms applied to the transaction, so you may still be asked to verify if the system identifies the payment as unusual - but it will be much less frequent and therefore much less disruptive, while remaining secure.
If you no longer want a merchant on your express list, it’s also easy to remove them using the relevant app in the case of both NewDay and Amex.
I can’t see any reason why Monzo couldn’t behave exactly the same way.
I know there was some discussion about this above but there was never any official word from Monzo either way on why they couldn’t/wouldn’t support it or whether they would look into it further.
I’m pretty sure years ago they used to support app or SMS verify? And the SMS option was phased out for ‘security’ reasons?
I wish they had an express list like Amex too.
The SMS option was phased out on the basis that:
- It was part of “3D Secure 1.0” which was being replaced.
- That replacement was due to EU-directive PSD2 which required Strong Customer Authentication, basically meaning that 3D Secure needed to be upgraded to be PSD2 compliant. That led to 3D Secure 2.0 which complied with SCA. Single-factor transaction approvals - such as characters from a Mastercard SecureCode password - are no longer acceptable. 3D Secure 2.0 needed to use genuine two-factor authentication instead. Both the UK’s FCA and the EU’s EBA issued “advisory” notices that they deemed SMS to be insufficiently secure in meeting SCA obligations, so Monzo (correctly) didn’t implement an SMS fallback for 3D Secure 2.0 - however, many other financial institutions ignored this and continued to use SMS. As far as I’m aware, no action has been taken against them.
- There is, perhaps, debate about whether Express List is SCA compliant or not. It’s not exactly been tested in court, but Amex and NewDay don’t seem to have got in trouble so far! Even if it is allowed, it would potentially open the bank allowing it up to a higher risk of fraud - so Monzo may not want to support it.
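To make the “Express List” flow described earlier in the thread (authenticate fully once, whitelist the merchant, then skip the challenge unless the risk engine objects) concrete, here is an added illustrative Python model of the issuer-side decision. It is not code from Monzo, Amex or NewDay; the class names, risk scores and the 0.7 threshold are constructed for the example, and the only real-world constraint it encodes is the one the posts above describe: adding a merchant is itself gated on a completed SCA challenge, and trusted merchants remain subject to risk-based spot checks.

```python
"""Toy model of a trusted-merchant ("express list") 3D Secure decision.

Everything here is constructed for illustration: Transaction, CardholderProfile,
the risk scores and the 0.7 threshold are assumptions, not any issuer's real logic.
"""
from dataclasses import dataclass, field
from decimal import Decimal

CHALLENGE = "challenge"        # run the full 3D Secure 2.0 two-factor challenge
FRICTIONLESS = "frictionless"  # approve without prompting the cardholder


@dataclass(frozen=True)
class Transaction:
    # Key the whitelist on a stable acquirer-assigned merchant identifier, not the
    # free-text merchant name shown to the shopper, so a look-alike name cannot
    # inherit another merchant's trusted status.
    merchant_id: str
    amount: Decimal
    risk_score: float  # 0.0 (benign) .. 1.0 (highly anomalous), from the risk engine (constructed)


@dataclass
class CardholderProfile:
    trusted_merchants: set = field(default_factory=set)
    risk_threshold: float = 0.7  # hypothetical spot-check threshold

    def add_trusted(self, merchant_id: str, authenticated_via_sca: bool) -> None:
        """Whitelisting is itself a sensitive action: only allowed right after a full SCA challenge."""
        if not authenticated_via_sca:
            raise PermissionError("adding a trusted merchant requires a completed SCA challenge")
        self.trusted_merchants.add(merchant_id)

    def remove_trusted(self, merchant_id: str) -> None:
        """Removal needs no extra factor; it only reduces the cardholder's exposure."""
        self.trusted_merchants.discard(merchant_id)


def decide(profile: CardholderProfile, txn: Transaction) -> tuple:
    """Return (decision, reason) for an incoming card-not-present transaction."""
    if txn.merchant_id not in profile.trusted_merchants:
        return CHALLENGE, "merchant not on express list"
    if txn.risk_score >= profile.risk_threshold:
        # Trusted merchants still get spot checks: an unusual payment is challenged anyway.
        return CHALLENGE, "trusted merchant but transaction flagged as unusual"
    return FRICTIONLESS, "trusted merchant, low risk"


def run_demo() -> list:
    """Walk through the lifecycle described in the thread and return the decisions made."""
    profile = CardholderProfile()
    shop = "acq-merchant-0001"  # constructed merchant identifier
    outcomes = []

    # 1. First purchase: not yet trusted, so the cardholder is challenged.
    first = Transaction(shop, Decimal("24.99"), risk_score=0.1)
    outcomes.append(decide(profile, first)[0])

    # 2. The challenge succeeded, so the cardholder may add the merchant to the list.
    profile.add_trusted(shop, authenticated_via_sca=True)

    # 3. A routine repeat purchase now goes through frictionlessly.
    outcomes.append(decide(profile, Transaction(shop, Decimal("31.50"), risk_score=0.2))[0])

    # 4. A large, anomalous purchase at the same merchant is still challenged.
    outcomes.append(decide(profile, Transaction(shop, Decimal("1450.00"), risk_score=0.9))[0])

    # 5. After removing the merchant, challenges resume for every purchase.
    profile.remove_trusted(shop)
    outcomes.append(decide(profile, first)[0])
    return outcomes


if __name__ == "__main__":
    for step, outcome in zip(("first", "repeat", "anomalous", "after removal"), run_demo()):
        print(f"{step:>14}: {outcome}")
```

The design point is that the express list lowers friction only on the path that is already low risk; the whitelist entry is created under full authentication, and the risk engine keeps the final say for anomalous payments.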
Everybody moaning that it’s annoying, don’t moan when your card gets cloned and you get a bunch of fraudulent transactions.
Doesn’t bother me. I don’t shop online much though to be fair.
Indeed.
I’m not that annoyed by it, but I recognise that there are various situations where 3D Secure can cause a problem and obviously if/when that happens, it can be a major source of frustration for people.
The 3D Secure window, even now with version 2.0, is not very well optimised and often appears as a small box. This makes it difficult to read and engage with for people with disabilities, partially sighted, etc. A lot of elderly people, in my experience, don’t really understand what 3D Secure is or how it works and struggle with the extra steps to make a payment. They also worry that the 3D Secure process itself could be part of an elaborate scam.
The other big problem, which generally applies to everyone, is making payments on mobile devices. As I said before, the 3D Secure prompts are generally not well designed across the board (all banks) and are often difficult on a small screen as they don’t scale properly - being reliant on iframes. Additionally, there is the problem on a single-task-at-once device, such as a phone, of needing to switch back and forth between the app/browser where you are making the payment and the banking app you need to use to approve it. Often, the low RAM on mobile devices results in a difficult experience or a timeout of the payment while trying to open the bank app.
Basically, there are several ways it could be improved so why not consider those improvements?
Nobody here is complaining for the sake of it, these are real concerns and issues.
Not saying that it could never happen, as some websites seem dedicated to dubious design, but I thought, and tend to find, that version 2.0 was essentially without a timeout.
I believe it is, yes.
The normal timeout now is around 10 minutes.
However, what I was really alluding to was more the fact that if you switch apps, then go back to the browser, it may not be held in RAM and the page may not resume properly once you go to refresh it. So effectively a timeout through a dropped web session, rather than 3D Secure enforcing a timeout (if that makes any sense).
I think you and @penner324 are violently agreeing.
I took his message to mean that folk would either moan about the protections or moan about the loss of money if those protections were removed (presumably due to the moaning).
It doesn’t need to be tested in court - it’s perfectly legal and the option of whitelisting merchants is included within the SCA regime.