MasterCard SecureCode / 3D Secure

(Not Theresa May) #1

Presently one of the main draws (at least I find) of using the Monzo card for online shopping is not having to input that 3D Secure code every time you use the card.

Does Monzo plan to keep it that way with the launch of the current account?

(Danny) #2

This happens with my MetroBank card as well

also lol @ your pic and profile :joy:


For me MasterCard SecureCode is my preferred option, and on another forum I visit there are regularly complaints about verification by text codes when there are network issues, and I know from experience with T-Mobile they can often arrive many minutes late and sometimes hours and occasionally days late when their system suddenly releases a delayed batch of messages. MasterCard I can trust and rely on, plus there is the security of seeing a system you are familiar with rather than different systems for different issuers or different retailers.

(Rika Raybould) #4

There’s been a bit of discussion on this under the different names of 3D Secure. I think this is the latest word from someone on the Monzo team.

Many cards that “skip” 3DS (especially credit cards) are actually using techniques such as browser fingerprinting to determine if the transaction is likely to be legitimate. I would love it if Monzo could use this same technique up to a point and then jump to something like a slide to verify within the app when the transaction is more questionable.


Some companies specifically decline a transaction if a card is not signed up to MasterCard Secure code or the Visa equivalent. An example is AliExpress (a part of the massive Alibaba Group) who say:

"Please make sure that:

  1. Your credit card should be authorized by your credit card issuer to make an online payment by activating 3-D Security Code.
  2. Your credit card has activated 3-D security code. If you have not activated 3-D Security Code, please contact your card issuer with this issue.
    The 3-D Security Code for Visa is called Verified by Visa (VBV) and for Master Card is called MasterCard Secure Code."

Without it you can not purchase anything on their websites.

(Marcel W.) #6

I’m not a big fan of using things like 3rd letter of your secure password. What Barclays does is check the billing postcode with the one that you have on their account.
If transactions don’t seem legit they send you an SMS asking to approve them.

(Oliver Ford) #7

No, it’s silly, it’s insecure, (since it means they’re storing the password in plaintext) which is why there’s always another one too. Then there’s inevitable confusion about which is which, and the whole thing would have been simpler and at least as secure with just a single long, strong password entered in full.

(Marta) #8

Regarding your plaintext remark, I’m afraid you might be wrong. While I can’t vouch for all banks using this method, there are definitely ways to deal with it without storing anything in plaintext. Most popular is probably HSM and reversible encryption.

Full password is stored in db encrypted with something secure (AES?). Website asks you for one full password and then specific characters from secondary password. Specific characters are fed into HSM along with the encrypted password.

I think what happens next, HSM can decrypt secondary password with main password, then perform validation of specific characters inside HSM. I think industry perceives this as safe, what happens in HSM, stays in HSM. :wink:

There is some method to go for reversible encryption by application, but from various articles I got the idea that it’s not as secure. However, it was PCI compliant, last time I checked it out.

So, nothing is stored in plaintext. Of course, websites can ignore it all, but I think that banks receive a lot more scrutiny over that and storing anything in plaintext would be found really quickly. :smiley:

I’m still not a fan of random chars from secondary password. If I had password like ‘umbrella’, I can then easily give 2nd, 5th and 6th letter. Passwords like 69Lfnb*BU make it a lot more troublesome to isolate correct ones.

Metro Bank uses digits in secondary password, not good either. I bet that many people have this password set up as 12345678, so 2nd digit is always 2… Others use dates 01.01.1999 = 01011999, making it easier to guess. And if secondary password only allows numbers (sometimes lowercase a-z, or a-z+0-9), number of possible passwords is significantly lower. And that fixed length… :tired_face::sweat:
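Added example, not part of the thread or any bank's code: a short Python calculation of the two risks the post above describes for a partial secondary password, namely a blind guess of the requested characters and an observer who has watched earlier challenges. The 8-character length and 3 requested positions are assumptions taken from the post's own examples, and positions are assumed to be picked uniformly at random.

```python
from fractions import Fraction
from math import comb


def blind_guess_probability(alphabet_size, asked):
    """Chance of passing one challenge by guessing, if every character were
    uniformly random. Real passwords (12345678, dates) are skewed, so this
    is a lower bound on an attacker's odds."""
    return Fraction(1, alphabet_size ** asked)


def known_positions_distribution(length, asked, observed_logins):
    """Exact distribution of how many distinct positions an observer has
    seen after watching `observed_logins` challenges."""
    total = comb(length, asked)
    dist = {0: Fraction(1)}
    for _ in range(observed_logins):
        nxt = {}
        for known, p in dist.items():
            # The next challenge reveals `new` unseen positions (hypergeometric).
            for new in range(asked + 1):
                ways = comb(length - known, new) * comb(known, asked - new)
                if ways:
                    nxt[known + new] = nxt.get(known + new, 0) + p * Fraction(ways, total)
        dist = nxt
    return dist


def replay_probability(length, asked, observed_logins):
    """Chance that the next challenge asks only for already-observed positions."""
    total = comb(length, asked)
    dist = known_positions_distribution(length, asked, observed_logins)
    return sum(p * Fraction(comb(known, asked), total) for known, p in dist.items())


if __name__ == "__main__":
    # Constructed parameters: 8 characters, 3 requested per login.
    print("digits only  :", blind_guess_probability(10, 3))
    print("94 printables:", blind_guess_probability(94, 3))
    for n in (1, 3, 5, 10):
        print(n, "observed logins ->", float(replay_probability(8, 3, n)))
```

The first function shows why a digits-only secondary password is weak against guessing; the last shows that asking for a subset of characters only slows down an observer, since each watched login adds to the set of positions they can answer.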


I hate Metro Bank’s use of the secondary password for this reason. I find it promotes having either a really weak and short password or actively having to write it down on paper.

I also assume it may be stored in plain text somewhere too. When I’ve asked, the staff have no clue what I’m even talking about, with one staff member even referring rudely to me as a geek, just because I care about security. :frowning:

Overall I’ve been VERY unimpressed with Metro Bank recently but over other matters than security too. :frowning:

(Oliver Ford) #10

Sure, but it’s not encrypted with any secret of mine. I meant it’s plaintext in the sense that the bank knows my password. Of course there’s all sorts of layers in place to ensure that bad actors don’t get access to it, but it’s less secure than a system that doesn’t require that access.

Anyway, I didn’t mean to take this off-topic.

(Chris) #11

Within the EU everyone will be using 3DS by the end of next year as PSD2 says that transactions must have strong customer authentication. The EBA has said there will be some exceptions to this (including where a transaction is under £30) but it should be assumed that most transactions will require it.

Earlier in the thread someone mentioned about “skipping” 3DS. It’s most likely that what you’re experiencing here is risk based 3DS whereby the issuer has performed risk analysis and has decided to allow your transaction.

There are 3 ways an issuer can do 3DS:

Traditional - all transactions are challenged
RIBA - 5-6% of transactions will be challenged (requiring interaction)
RIBA passive - issuer will accept/reject without challenge

(Alex Sherwood) #12

Daniel’s just shared some more details about how Monzo will make 3D Secure much easier to work with than your favorite (:grimacing:) legacy bank’s implementation :tada:


What problems will we as customers face when a retailer will only accept cards that are enrolled in MasterCard SecureCode or Verified By Visa?

I have experienced 3 different attempts by banks to do their own thing, and as a consumer I have much more confidence in a card when I can use SecureCode as I know it is going to work.

(Alex Sherwood) #14

My interpretation is that Monzo will be using MasterCard SecureCode, as 3D Secure is an umbrella term which covers this scheme -


This. The password storage problem has been solved for years now, this other scheme is simply stupid.

(Leon) #16

How does Mondo deal with this? Do sites with it work or are the payments automatically declined?

(Simon Turp) #17

This is the 3D secure system.

Payments should go through for now, but the team are currently building a system for this as they advised me at the preview event. Something pretty cool is in the works for that.

(Alex Sherwood) #18

I’ve moved your post here, as all of the details about Monzo’s support (or current lack of) & plans for 3DS are in this thread. I hope that helps :slight_smile:

TL;DR - as far as I know, the current accounts don’t yet work with 3DS but they will & here’s a taster of how the flow will work.

(Leon) #19

Thanks a lot. That’s no problem.

(Heather) #20

I really can’t wait for 3D secure, so many sites I cannot use my Monzo card on because Monzo prepaid card doesn’t support it. Only reason I keep looking at other cards similar to Monzo as I really need this feature