MasterCard SecureCode / 3D Secure

Presently one of the main draws (at least I find) of using the Monzo card for online shopping is not having to input that 3D Secure code every time you use the card.

Does Monzo plan to keep it that way with the launch of the current account?

2 Likes

This happens with my MetroBank card as well

also lol @ your pic and profile :joy:

1 Like

For me MasterCard SecureCode is my preferred option, and on another forum I visit there are regularly complaints about verification by text codes when there are network issues, and I know from experience with T-Mobile they can often arrive many minutes late and sometimes hours and occasionally days late when their system suddenly releases a delayed batch of messages. MasterCard I can trust and rely on, plus there is the security of seeing a system you are familiar with rather than different systems for different issuers or different retailers.

1 Like

There’s been a bit of discussion on this under the different names of 3D Secure. I think this is the latest word from someone on the Monzo team.

Many cards that “skip” 3DS (especially credit cards) are actually using techniques such as browser fingerprinting to determine if the transaction is likely to be legitimate. I would love it if Monzo could use this same technique up to a point and then jump to something like a slide to verify within the app when the transaction is more questionable.

1 Like

Some companies specifically decline a transaction if a card is not signed up to MasterCard Secure code or the Visa equivalent. An example is AliExpress (a part of the massive Alibaba Group) who say:

"Please make sure that:

  1. Your credit card should be authorized by your credit card issuer to make an online payment by activating 3-D Security Code.
  2. Your credit card has activated 3-D security code. If you have not activated 3-D Security Code, please contact your card issuer with this issue.
    The 3-D Security Code for Visa is called Verified by Visa (VBV) and for Master Card is called MasterCard Secure Code."

Without it you cannot purchase anything on their websites.

1 Like

I’m not a big fan of using things like 3rd letter of your secure password. What Barclays does is check the billing postcode with the one that you have on their account.
If transactions don’t seem legit they send you an SMS asking to approve them.

2 Likes

No, it’s silly, it’s insecure, (since it means they’re storing the password in plaintext) which is why there’s always another one too. Then there’s inevitable confusion about which is which, and the whole thing would have been simpler and at least as secure with just a single long, strong password entered in full.

1 Like

Regarding your plaintext remark, I’m afraid you might be wrong. While I can’t vouch for all banks using this method, there are definitely ways to deal with it without storing anything in plaintext. Most popular is probably HSM and reversible encryption.

Full password is stored in db encrypted with something secure (AES?). Website asks you for one full password and then specific characters from secondary password. Specific characters are fed into HSM along with the encrypted password.

I think what happens next, HSM can decrypt secondary password with main password, then perform validation of specific characters inside HSM. I think industry perceives this as safe, what happens in HSM, stays in HSM. :wink:

There is some method to go for reversible encryption by application, but from various articles I got the idea that it’s not as secure. However, it was PCI compliant, last time I checked it out.

So, nothing is stored in plaintext. Of course, websites can ignore it all, but I think that banks receive a lot more scrutiny over that and storing anything in plaintext would be found really quickly. :smiley:


I’m still not a fan of random chars from secondary password. If I had password like ‘umbrella’, I can then easily give 2nd, 5th and 6th letter. Passwords like 69Lfnb*BU make it a lot more troublesome to isolate correct ones.

Metro Bank uses digits in secondary password, not good either. I bet that many people have this password set up as 12345678, so 2nd digit is always 2… Others use dates 01.01.1999 = 01011999, making it easier to guess. And if secondary password only allows numbers (sometimes lowercase a-z, or a-z+0-9), number of possible passwords is significantly lower. And that fixed length… :tired_face::sweat:

2 Likes
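The HSM flow described in the post above, as an added example (not part of the original thread and not any bank's code): the database holds only an encrypted blob, the selected characters are checked inside the HSM boundary, and only a yes/no answer comes out. `ToyHSM`, the HMAC-based cipher standing in for AES, and the attempt limit are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

class ToyHSM:
    """Stand-in for an HSM: the key and any decrypted password stay inside."""
    MAX_FAILURES = 3  # attempt limit is an added assumption, not from the thread

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._failures = {}

    def _mac(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # HMAC-SHA256 in counter mode, standing in for the AES the post guesses at.
        stream = b"".join(self._mac(b"enc" + nonce + bytes([i]))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def enrol(self, password):
        """Return the opaque blob the bank's database stores (ASCII assumed)."""
        nonce = secrets.token_bytes(16)
        ct = self._xor_stream(nonce, password.encode("ascii"))
        return nonce + self._mac(b"tag" + nonce + ct) + ct

    def verify(self, user, blob, answers):
        """answers maps 1-based positions to characters; only True/False leaves."""
        if self._failures.get(user, 0) >= self.MAX_FAILURES:
            return False  # locked out: a few characters are cheap to guess
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, self._mac(b"tag" + nonce + ct)):
            raise ValueError("stored blob failed its integrity check")
        plain = self._xor_stream(nonce, ct)
        positions = sorted(answers)
        in_range = bool(positions) and all(1 <= p <= len(plain) for p in positions)
        expected = bytes(plain[p - 1] for p in positions) if in_range else b""
        given = "".join(answers[p] for p in positions).encode()
        ok = in_range and hmac.compare_digest(expected, given)
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok

hsm = ToyHSM()
blob = hsm.enrol("umbrella")  # constructed sample: the password from the post
```

The application only ever handles `blob` and the three typed characters, while the HSM has to recover the whole password to compare them.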

I hate Metro Bank’s use of the secondary password for this reason. I find it promotes having either a really weak and short password or actively having to write it down on paper.

I also assume it may be stored in plain text somewhere too; when I’ve asked, the staff have no clue what I’m even talking about, with one staff member even referring rudely to me as a geek, just because I care about security. :frowning:

Overall I’ve been VERY unimpressed with Metro Bank recently but over other matters than security too. :frowning:

Sure, but it’s not encrypted with any secret of mine. I meant it’s plaintext in the sense that the bank knows my password. Of course there’s all sorts of layers in place to ensure that bad actors don’t get access to it, but it’s less secure than a system that doesn’t require that access.

Anyway, I didn’t mean to take this off-topic.

1 Like

Within the EU everyone will be using 3DS by the end of next year as PSD2 says that transactions must have strong customer authentication. The EBA has said there will be some exceptions to this (including where a transaction is under £30) but it should be assumed that most transactions will require it.

Earlier in the thread someone mentioned “skipping” 3DS. It’s most likely that what you’re experiencing here is risk-based 3DS whereby the issuer has performed risk analysis and has decided to allow your transaction.

There are 3 ways an issuer can do 3DS:

Traditional - all transactions are challenged
RIBA - 5-6% of transactions will be challenged (requiring interaction)
RIBA passive - issuer will accept/reject without challenge

1 Like

Daniel’s just shared some more details about how Monzo will make 3D Secure much easier to work with than your favorite (:grimacing:) legacy bank’s implementation :tada:

1 Like

What problems will we as customers face when a retailer will only accept cards that are enrolled in MasterCard SecureCode or Verified By Visa?

I have experienced 3 different attempts by banks to do their own thing and as a consumer I have much more confidence in a card when I can use SecureCode as I know it is going to work.

2 Likes

My interpretation is that Monzo will be using MasterCard SecureCode, as 3D Secure is an umbrella term which covers this scheme -

http://www.mastercard.com/gateway/implementation_guides/3D-Secure.html

2 Likes

How does Mondo deal with this? Do sites with it work or are the payments automatically declined?

This is the 3D secure system.

Payments should go through for now, but the team are currently building a system for this as they advised me at the preview event. Something pretty cool is in the works for that.

I’ve moved your post here, as all of the details about Monzo’s support (or current lack of) & plans for 3DS are in this thread. I hope that helps :slight_smile:

TL;DR - as far as I know, the current accounts don’t yet work with 3DS but they will & here’s a taster of how the flow will work.

1 Like

Thanks a lot. That’s no problem.

1 Like

I really can’t wait for 3D Secure, so many sites I cannot use my Monzo card on because Monzo prepaid card doesn’t support it. Only reason I keep looking at other cards similar to Monzo as I really need this feature.

3 Likes

This is one thing that Starling seem to be on the fence about and one thing I would find very useful.