MasterCard SecureCode / 3D Secure

It definitely doesn’t look pretty, but again, a card should work even at the ‘not pretty’ sites. At least within reason, I think supporting the outright rubbish you see in America (contactless magstripe mode, actual magnetic stripe, etc) might be a bridge too far.

Personally I want any bank card to work independently of any mobile so you can use it anywhere, in a remote village with no mobile signal or while working in a basement. Being tied to using an app or SMS is a limitation that restricts when and where you can use it

I’ve worked with Braintree payments API before and we didn’t force 3DS at all. The client decided that the UX of having 3DS was much much worse than the benefit/protection they gained by implementing it as a merchant.

3 Likes

Sure in case of custom integration like with Braintree there will be no problem disabling 3DS. I was talking about the legacy bank garbage some small merchants are conned into using as they don’t know any better or don’t have the resources to integrate with a better payment processor like Stripe or Braintree.

1 Like

I think the main reason merchants like to force 3D-Secure is that it causes a liability shift - the card issuer has to refund any fraudulent purchases, rather than the merchant.

According to the Stripe docs, the same liability shift occurs even if the card isn’t registered for 3D Secure, but does support it. Shame plenty of issuers require you to sign up (like one of my credit cards, it’s a pain in the arse and I hate it).

With that in mind, I can see why some merchants may want to require it - especially smaller ones.

2 Likes

Given that Monzo has a much lower risk of fraud due to the instant notifications, they could “support” 3D-Secure so liability shifts while not actually attempting it and so still keeping great UX. Maybe they can decide on a case-by-case basis which cards mandate 3D-secure and which ones get a pass without it (depends on the account’s fraud history - how many fraud chargebacks did you make, etc?).

That’s what a lot of banks already do. American Express (UK, US doesn’t support it at all) will text and email you a code occasionally, but it’s been two years for me and I use my Amex often. Chase (US) ‘supports’ it by sending you right back. Metro Bank (UK) appears the same but there are few enough online reports and I may have simply never hit the trigger to get any further checks.

Yeah, Halifax redirects you back immediately as well. I’ve only had to type in the 3-D Secure validation once, when I was paying from my work computer. I think it can recognise previously used devices, as follow-up payments from that machine through the years have also always gone through without the need for further verification.

Lloyds will sometimes redirect me back immediately. But sometimes they’ll ask me to type in all the info from the card (fairly pointless) and sometimes they’ll decline and ask me to text them back.

Fidor UK today announced support for Mastercard SecureCode. Instead of using a memorable password it uses mTAN codes sent to your mobile phone. So even if your card is in your possession and there are funds on your account, if your battery is flat or mobile reception is intermittent you will not succeed in making the payment.

2 Likes

I suspect it’s just the way the world is going. Eventually the idea of not having a working mobile will be unthinkable and many services will be unavailable to you without one.

2 Likes

Thanks for the update. Will there be a reversionary process if the app is not reachable? (I might have no signal on my phone and be using a different connected device to make a purchase, for example, in which case a reversion to the ‘3 digits from your password’ would be better than a declined transaction).

1 Like

Based on the documents and designs I’ve seen so far, we should have more than just one way of authenticating, though this isn’t a promise yet. :slightly_smiling_face:

5 Likes
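The two ideas raised above, a risk-based decision on which transactions actually get a 3-D Secure challenge and a fallback chain of authentication methods when the app is unreachable, as an added illustration that is not Monzo’s, Mastercard’s or any issuer’s real logic. All names, thresholds and the ordering of channels are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example: hypothetical account and transaction records used to
# decide whether a 3-D Secure challenge is shown, and through which channel.

@dataclass
class Account:
    fraud_chargebacks: int                      # chargebacks the holder raised as fraud
    known_devices: Set[str] = field(default_factory=set)  # device ids seen before
    app_push_enrolled: bool = False
    mobile_number: Optional[str] = None
    email: Optional[str] = None

@dataclass
class Transaction:
    amount_gbp: float
    device_id: str
    merchant_requested_3ds: bool
    app_reachable: bool = True                  # can a push challenge be delivered now?

def risk_score(txn: Transaction, acct: Account) -> int:
    """Assumed scoring: unfamiliar device and large amounts add risk, as does fraud history."""
    score = 0
    if txn.device_id not in acct.known_devices:
        score += 2
    if txn.amount_gbp >= 250:
        score += 2
    score += min(acct.fraud_chargebacks, 3)
    return score

def challenge_methods(txn: Transaction, acct: Account) -> List[str]:
    """Ordered fallback chain so an unreachable app does not force a decline."""
    methods: List[str] = []
    if acct.app_push_enrolled and txn.app_reachable:
        methods.append("app_push")              # approve yes/no in the app, preferred
    if acct.email:
        methods.append("email_code")            # usable from any connected device
    if acct.mobile_number:
        methods.append("sms_code")              # needs signal and a charged phone
    methods.append("password_digits")           # static fallback, always available
    return methods

def decide(txn: Transaction, acct: Account) -> Dict[str, object]:
    """Return no_3ds, frictionless (no challenge shown) or challenge with the channels to try."""
    if not txn.merchant_requested_3ds:
        return {"outcome": "no_3ds", "methods": []}
    if risk_score(txn, acct) < 3:
        return {"outcome": "frictionless", "methods": []}
    return {"outcome": "challenge", "methods": challenge_methods(txn, acct)}
```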

Cool beans, sounds like you’re on it like a bonnet. :+1:

NatWest do the same SMS thing too.

I have Amex and occasionally I’m sent a code by SMS - I really like that system. It could only be bettered in my opinion by it being a phone notification with, ‘approve, yes/no’ like Microsoft/Google authenticator.

Technically you could have no signal, no WiFi and no battery. But really, what’s the likelihood of that when you’re already sitting at a computer or on your phone buying something online?

1 Like

I haven’t got a code on my Amex in ages, but last time I did it was sent by both SMS and email. I’m very against SMS as an authentication mechanism given how easy it is to attack, and that it doesn’t work when away from your mobile network.

Simultaneous email+push notification would be ideal I think.

2 Likes

So am I, though for other reasons. Email is preferable IMHO. SMS is restricted to having a phone powered and with signal. Email can be accessed through a PC or phone.

Email itself is hopefully protected by 2FA. SMS… By almost nothing. It is control channel traffic, easy to spoof, and in some countries (like the US) it is ridiculously easy to steal phone numbers (not here though, but Monzo is building a global platform).

Both are normally insecure and vulnerable. Email can be encrypted in transit if both ends support it, however. SMS can’t be secured at all.

Access to email accounts can be better secured as well, as most email providers support 2FA. It’s easier to steal a phone number than to access someone’s email. This has got too common (rare but enough that I’ve read more reports than I’d like) lately in the US with people stealing phone numbers to reset online banking and initiate transfers. It’s a bit harder to get a PAC and steal a phone number here, but still far easier than accessing my email would be (plus Monzo is building a global platform).

3 Likes

You don’t need a PAC code to steal a number here either. If you’ve got access to the SS7 network you can basically “borrow” any mobile number in the world. :wink:

1 Like