Presently one of the main draws (at least I find) of using the Monzo card for online shopping is not having to input that 3D Secure code every time you use the card.
Does Monzo plan to keep it that way with the launch of the current account?
This happens with my MetroBank card as well
also lol @ your pic and profile
For me MasterCard SecureCode is my preferred option, and on another forum I visit there are regularly complaints about verification by text codes when there are network issues, and I know from experience with T-Mobile they can often arrive many minutes late and sometimes hours and occasionally days late when their system suddenly releases a delayed batch of messages. MasterCard I can trust and rely on, plus there is the security of seeing a system you are familiar with rather than different systems for different issuers or different retailers.
There's been a bit of discussion on this under the different names of 3D Secure. I think this is the latest word from someone on the Monzo team.
Many cards that "skip" 3DS (especially credit cards) are actually using techniques such as browser fingerprinting to determine if the transaction is likely to be legitimate. I would love it if Monzo could use this same technique up to a point and then jump to something like a slide to verify within the app when the transaction is more questionable.
Some companies specifically decline a transaction if a card is not signed up to MasterCard Secure code or the Visa equivalent. An example is AliExpress (a part of the massive Alibaba Group) who say:
"Please make sure that:
Without it you can not purchase anything on their websites.
I'm not a big fan of using things like the 3rd letter of your secure password. What Barclays does is check the billing postcode with the one that you have on their account.
If transactions don't seem legit they send you an SMS asking to approve them.
No, it's silly, it's insecure (since it means they're storing the password in plaintext), which is why there's always another one too. Then there's inevitable confusion about which is which, and the whole thing would have been simpler and at least as secure with just a single long, strong password entered in full.
Regarding your plaintext remark, I'm afraid you might be wrong. While I can't vouch for all banks using this method, there are definitely ways to deal with it without storing anything in plaintext. Most popular is probably HSM and reversible encryption.
Full password is stored in db encrypted with something secure (AES?). Website asks you for one full password and then specific characters from secondary password. Specific characters are fed into HSM along with the encrypted password.
I think what happens next, HSM can decrypt secondary password with main password, then perform validation of specific characters inside HSM. I think industry perceives this as safe, what happens in HSM, stays in HSM.
There is some method to go for reversible encryption by application, but from various articles I got the idea that it's not as secure. However, it was PCI compliant, last time I checked it out.
So, nothing is stored in plaintext. Of course, websites can ignore it all, but I think that banks receive a lot more scrutiny over that and storing anything in plaintext would be found really quickly.
I'm still not a fan of random chars from secondary password. If I had password like "umbrella", I can then easily give 2nd, 5th and 6th letter. Passwords like 69Lfnb*BU make it a lot more troublesome to isolate correct ones.
Metro Bank uses digits in secondary password, not good either. I bet that many people have this password set up as 12345678, so 2nd digit is always 2… Others use dates 01.01.1999 = 01011999, making it easier to guess. And if secondary password only allows numbers (sometimes lowercase a-z, or a-z+0-9), number of possible passwords is significantly lower. And that fixed length…
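The flow described in the post above (the application stores only an encrypted blob, and the requested characters are checked inside the HSM), as an added Python example that is not from the thread or from any bank's code. `ToyHSM` and its methods are hypothetical names, and HMAC-SHA256 in counter mode stands in for AES because the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets

class ToyHSM:
    """Hypothetical model of the HSM boundary: the key never leaves this object."""
    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _prf(self, label, data):
        return hmac.new(self._key, label + data, hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # HMAC-SHA256 in counter mode: a stdlib stand-in for AES (assumption).
        stream = b"".join(self._prf(b"enc", nonce + i.to_bytes(4, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def enrol(self, secret):
        """Return the encrypted blob that the application database stores."""
        nonce = secrets.token_bytes(16)
        body = self._xor_stream(nonce, secret.encode())
        return nonce + body + self._prf(b"mac", nonce + body)

    def verify_positions(self, blob, answers):
        """answers maps 1-based position -> character; only a bool leaves the HSM."""
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"mac", nonce + body)):
            return False  # blob was modified or was sealed under another key
        secret = self._xor_stream(nonce, body).decode()
        ok = True
        for pos, char in answers.items():
            actual = secret[pos - 1] if 1 <= pos <= len(secret) else "\0"
            # Check every position so timing does not show which one was wrong.
            ok &= hmac.compare_digest(actual.encode(), char.encode())
        return ok

def demo():
    hsm = ToyHSM()
    blob = hsm.enrol("umbrella")  # constructed sample, the word used in the post
    good = hsm.verify_positions(blob, {2: "m", 5: "e", 6: "l"})
    bad = hsm.verify_positions(blob, {2: "m", 5: "e", 6: "x"})
    return good, bad, b"umbrella" in blob
```

`verify_positions` has to decrypt the whole secret to answer the challenge, so whoever controls the HSM key can recover the password; a one-way hash of the full password could not answer a question about individual positions.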
I hate Metro Bank's use of the secondary password for this reason. I find it promotes having either a really weak and short password or actively having to write it down on paper.
I also assume it may be stored in plain text somewhere too; when I've asked, the staff have no clue what I'm even talking about, with one staff member even referring rudely to me as a geek, just because I care about security.
Overall I've been VERY unimpressed with Metro Bank recently but over other matters than security too.
Sure, but it's not encrypted with any secret of mine. I meant it's plaintext in the sense that the bank knows my password. Of course there's all sorts of layers in place to ensure that bad actors don't get access to it, but it's less secure than a system that doesn't require that access.
Anyway, I didn't mean to take this off-topic.
Within the EU everyone will be using 3DS by the end of next year, as PSD2 says that transactions must have strong customer authentication. The EBA has said there will be some exceptions to this (including where a transaction is under £30) but it should be assumed that most transactions will require it.
Earlier in the thread someone mentioned about "skipping" 3DS. It's most likely that what you're experiencing here is risk based 3DS whereby the issuer has performed risk analysis and has decided to allow your transaction.
There are 3 ways an issuer can do 3DS:
Traditional - all transactions are challenged
RIBA - 5-6% of transactions will be challenged (requiring interaction)
RIBA passive - issuer will accept/reject without challenge
Daniel's just shared some more details about how Monzo will make 3D Secure much easier to work with than your favorite legacy bank's implementation
What problems will we as customers face when a retailer will only accept cards that are enrolled in MasterCard SecureCode or Verified By Visa?
I have experienced 3 different attempts by banks to do their own thing and as a consumer I have much more confidence in a card when I can use SecureCode as I know it is going to work.
My interpretation is that Monzo will be using MasterCard SecureCode, as 3D Secure is an umbrella term which covers this scheme -
http://www.mastercard.com/gateway/implementation_guides/3D-Secure.html
How does Mondo deal with this? Do sites with it work or are the payments automatically declined?
This is the 3D secure system.
Payments should go through for now, but the team are currently building a system for this as they advised me at the preview event. Something pretty cool is in the works for that.
I've moved your post here, as all of the details about Monzo's support (or current lack of) & plans for 3DS are in this thread. I hope that helps
TL;DR - as far as I know, the current accounts don't yet work with 3DS but they will & here's a taster of how the flow will work.
Thanks a lot. That's no problem.
I really can't wait for 3D secure, so many sites I cannot use my Monzo card on because Monzo prepaid card doesn't support it. Only reason I keep looking at other cards similar to Monzo as I really need this feature
This is one thing that Starling seem to be on the fence about and one thing I would find very useful.