I think there should be a “learn more” next to the “Please use Chip & PIN” to explain the SCA rules to people.
Love an interrobang. Use it wherever I can. Lol
Sorry - there’s one bit of history I forgot to mention!
In the countries where online PIN is common, this is often because the local card networks grew out of ATM networks. ATMs have always been online PIN.
Historically the PIN was often stored (encrypted!) on the magstripe of the card - the processor (or even the network!) would extract that from the track data sent by the ATM.
Correct
But, to take the UK as an example (of a market that adopted offline PIN verification at point of sale), did UK issuers really not use to do online PIN verification at ATMs? (Or indeed are they still not doing so?) I find that hard to believe (though it could be true).
Why can’t you use biometric authorisation in the app to approve a contactless transaction when you hit limits?
I’ve turned this on to take a look, but as described it sounds pretty awful and I’d probably just stop using the card if there are random declines all the time.
This was addressed upthread, I think. The EBA (the regulator in this instance) wants to ensure that physical cards are in possession of their owner. Being able to do this in the app wouldn’t support this outcome.
Time to stop using the physical card then I guess.
Monzo really should push back to the regulator about this (along with other banks); the reason given makes no sense IMO. Proving you have two things and can mimic the user's biometric identity is not enough proof of authorisation, instead the user must know an insecure 4-digit PIN (which is much easier to defeat than biometrics by shoulder surfing) and possess a physical bit of plastic?!? If anything this makes things more insecure, as users will get used to declines and get used to using their PIN in insecure situations like coffee shops.
There are biometric cards available now though; banks could easily switch to offering these and bypass the PIN altogether.
We get about 1 second to reply to a transaction request; that’s not enough time for us to send a push notification, have someone pull their phone out of their pocket and do biometric authentication.
The EBA require us to tie an authentication to the actual card payment. So in theory if you knew the merchant and amount ahead of time, you could do FaceID in the app and we could then approve that payment. But at that point, you might as well do Chip & PIN.
We are looking at doing something similar to this for payments where you’ve hit the limits, but the terminal doesn’t support PIN entry at all (e.g. some Selecta vending machines). But it won’t be a good experience, because we would have to decline the first transaction, let you approve a future identical transaction in app, and then make you tap your card again.
Unfortunately our hands are tied on a lot of this stuff; we’ve worked really hard to minimise the impact, but there really isn’t much wiggle room for us.
The time to push back was about 5 years ago, when this law was being written. Monzo didn’t even exist then. The other banks have pushed back a bit; that’s why things like TfL are exempt. The original law would have treated them the same as any other transaction, leaving people stranded, unable to pay for transport.
The law on the whole is quite well thought out, and I do think it will have a good impact on reducing fraud. But between the time it was written and now, quite a lot of stuff has moved on and the law hasn’t quite kept up. I’m sure we’ll see some interesting new approaches to keeping people’s money safe appearing over the next few years.
Are the other banks actually doing this though? It seems to be something that’s going to be very frustrating. Can the other banks just choose not to at their own risk?
No, the law is very clear on this point; it’s written with the express intention of reducing fraud across the industry. Simply choosing to eat the costs of fraud isn’t enough; you have to take steps to eliminate it completely. Non-compliance isn’t acceptable.
Why do Mastercard’s rules prevent contactless and PIN in the UK? It seems to be the perfect way to verify this with the least friction…
Instead of declining, simply asking for a PIN seems to be something that would be much better for the customers and the network.
See
Interesting, that makes sense; shame it is related to PIN as a verification model, as you say pretty outdated. Presumably you can’t reset the clock with a transaction using biometric identity, it has to be PIN with the plastic card? If you can use biometric I’d prefer that personally; I’d rather just authenticate with the app (much more secure) after a failed transaction than authenticate by entering a PIN on a terminal. I just assumed Monzo would allow authentication with the app for transactions like this. I guess I could just use the phone to pay with contactless instead.
How does this apply to online transactions, will you be able to use the app to authenticate there where required (where presumably timings are less critical)?
Seems like it might cause the unintentional death of plastic cards, as they’ll be far less convenient than they have been for contactless. Would be nice to see Monzo exploring different payment methods that bypass card networks altogether eventually.
Re pushback, banks did push back on the deadline (fairly recently I assume?) and got a result, so they do listen, and perhaps they could rethink their position slightly to make it easier for customers (as long as it doesn’t compromise security).
PS Sorry to ask silly questions, you’ve probably been over this 100 times internally!
This you can do, which would be the retry flow I mentioned. The EBA seems to require that the authentication is tied to payment initiation. So based on that we believe we can do this:
- You attempt contactless, it’s declined
- Receive push notification and feed item telling you about the declined transaction
- In that feed item we can put a “Try again” button or similar
- You hit the button, do SCA in the app, we store the fact you did SCA against the Merchant and Amount from the transaction
- You do contactless again, we match the new contactless transaction against the thing we just stored, and thus match the SCA against the new transaction
- Because that transaction is now SCA’ed, we can reset the limits
This works because the customer has shown they want to do the transaction, and which card they want to use. We can then perform SCA and tie that to the next attempt (assuming it happens in a reasonably short period, i.e. 5 mins).
All of the above is very clunky from a user’s perspective, but we are looking at building it.
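The decline-then-retry flow described in that post, sketched as issuer-side logic. This is an added illustration, not Monzo’s code: the cumulative spend and tap limits are placeholders (the post does not give the real SCA figures), the 5 minute window is taken from the post, and a stored in-app SCA is matched only against a later tap with the same merchant and amount.

```python
import time
from dataclasses import dataclass, field

# Assumed values, not from the post: a 5 minute retry window (the post says
# "i.e. 5 mins") and placeholder limits standing in for the real SCA figures.
SCA_RETRY_WINDOW_S = 5 * 60
CUMULATIVE_LIMIT = 100_00   # placeholder, in pence
MAX_TAPS_SINCE_SCA = 5      # placeholder count of taps allowed since last SCA

@dataclass
class CardState:
    spent_since_sca: int = 0
    taps_since_sca: int = 0
    # (merchant, amount) -> time the in-app SCA completed, awaiting a retry tap
    pending_sca: dict = field(default_factory=dict)

class ContactlessAuthoriser:
    """Issuer-side decision for one contactless tap, with the retry flow."""

    def __init__(self):
        self.cards = {}

    def _state(self, card_id):
        return self.cards.setdefault(card_id, CardState())

    def authorise_contactless(self, card_id, merchant, amount, now=None):
        now = time.time() if now is None else now
        st = self._state(card_id)
        # Consume any stored SCA for this merchant+amount (used once, even if stale)
        approved_at = st.pending_sca.pop((merchant, amount), None)
        if approved_at is not None and now - approved_at <= SCA_RETRY_WINDOW_S:
            # The retry matches what the user SCA'd in app: treat the tap as
            # authenticated and reset the counters.
            st.spent_since_sca, st.taps_since_sca = 0, 0
            return "APPROVED_SCA"
        if (st.spent_since_sca + amount > CUMULATIVE_LIMIT
                or st.taps_since_sca + 1 > MAX_TAPS_SINCE_SCA):
            return "DECLINED_SCA_REQUIRED"   # feed item offers "Try again"
        st.spent_since_sca += amount
        st.taps_since_sca += 1
        return "APPROVED"

    def approve_in_app(self, card_id, merchant, amount, now=None):
        """User hit "Try again" and passed SCA; store it against merchant and amount."""
        now = time.time() if now is None else now
        self._state(card_id).pending_sca[(merchant, amount)] = now

    def chip_and_pin(self, card_id, amount):
        """A Chip & PIN payment is itself SCA, so it resets the counters too."""
        st = self._state(card_id)
        st.spent_since_sca, st.taps_since_sca = 0, 0
        return "APPROVED_SCA"
```

An expired approval is consumed but ignored, so a stale "Try again" cannot authenticate a tap minutes later, and a different merchant or amount does not match the stored SCA.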
This was only in relation to e-commerce, and mostly driven by the fact the merchants didn’t know that SCA was coming and hadn’t done any prep. If SCA for e-commerce had been enforced on the 14th Sept, a big chunk of online payments would have just stopped working.
Hopefully the latter. First option sounds awful.
Just had first use; worked as I thought it would.
- Tapped reader, told by cashier it did not work
- Got notification
- Put card in with PIN
- Transaction completed
So could the transaction feed include information if a transaction was made with chip and PIN? Or could the app give some indication that chip and PIN might be needed soon?
Oh no. Is there no way to opt out of this?
This would be nice, regardless of SCA, to know how the transaction was made.