Prevent frauds rather than dealing with consequences after they happen.
Solution
When the card is being used, rather than just sending a notification about the fact, require a user to confirm that in the app.
That would probably have a time limit - when not approved in a timely manner the transaction would fail.
What can be built on top of it
After the transaction failed because of timeout, it can still be approved - the next transaction for the same merchant for the same amount wouldn't require approval again (probably with some time limit - 30m, 1h, 24h?)
White list - approval never required for merchants chosen by the user (just click on the transaction and add to the white list)
White list with limits - set a maximum amount for a white listed merchant, if exceeded the approval will be required
Opt-in/out - possibility to enable/disable this feature, when enabled that would effectively be a safe mode, drastically reducing a chance of fraudulent transactions
Automatic pattern analysis and recognition - even when disabled, you could still require authorisation from the user for suspicious transactions (based e.g. on location, amount, previous usage etc.)
The problem is that when you / someone else presents your card to a card terminal (contactless or chip and pin), Monzo only has a few hundred milliseconds to decide whether to accept or decline a transaction. So this would only work for online transactions, which Monzo is planning on implementing via 3D Secure (which is on the near-term roadmap).
I admit I don't know technical details behind payments, but are you sure it's only a few hundred milliseconds? I have sometimes seen "authorising" on the terminals for 5-10 seconds, which would be enough to approve it in the app.
The card terminals need to connect to their acquirer, who then have to connect to the buyer's card network (Visa/MasterCard/Amex), who then forward the authorisation request to the buyer's bank (in our case, Monzo).
I remember seeing this "a few hundred milliseconds" figure being posted somewhere by a member of staff somewhere here. I'm sure @HughWells can give more info.
That's the figure I remembered, but wasn't sure.
Can't remember on which thread I read it though.
There are several threads where this figure is mentioned.
Hmmm… It could still be done by approving it upfront - e.g. if you are about to buy your lunch, you could specify in the app that the next transaction for up to £10 in the next 15 minutes is ok.
Or just letting the first transaction fail, so that in the app I could just select it and click "approve it next time".
That might be less convenient, but with a white list, this is the extra security that I would definitely sign up for.
@ianlyon Developer's curiosity - where does this limitation come from? I assume that something, somewhere has 200ms timeout and will fail the transaction if there is no response in that time?
I think that freezing the card and defrosting it prior to each transaction would achieve a sufficiently similar result.
Approval before the transaction and nothing afterwards VS defrosting the card before and freezing it after
Other (fraudulent) transactions could go through in this short window of time - selecting rejected transaction to allow it next time would prevent that
This approach will not work with automatic payments that could happen at any day and time (e.g. TfL's Oyster auto top-up)
White list could practically eliminate need for approvals depending on the use case - I can only speak for myself, but I have a bunch of online services which I use regularly and a couple of places where I go for lunch. That's about 20-30 items on the white list that would completely eliminate the need for approving transactions for me, with the exception of when I am on holidays.
I have never had a fraudulent transaction on any of my cards. It's such a tiny percentage that I'm not sure there's a need. If it does happen Monzo refund within an hour.
What happens if you have no data/signal/battery and want to buy something you happen to see on sale?
Until another data breach of a service where you have your card remembered (like Ticketmaster recently).
Preventing it would save time and effort for both sides and potentially a lot of money for Monzo in case of fraudulent transactions that cannot be reverted (e.g. ATM withdrawal)
That's a risk you might or might not want to take. Again it depends on the use case - I rarely fall for such sales and rarely have no data/signal/battery.
No it's not. Even if you only have that problem 1% of the time (which is optimistic) you have a real problem when you do.
I appreciate the fact that you have good intentions here but it seems like you haven't really thought this through. As you've mentioned, issuers have an incentive to reduce fraud so if this was a good idea, it would have been done already, it's not hard to implement.
And what about that 1% of times when the merchant has problems with their terminal or connection is down and you cannot pay with card at all? Or what about stalls on the food market which often accept cash only? Should we all give up our cards and go back to cash only, because in 1% of cases you cannot use your card anyway?
This is an old blog post, but shows the different stages of a transaction:
My memory from previous discussions on this forum is that the 200ms requirement comes from the card network (Mastercard in this case). I assume this is so that transactions don't take too long end-to-end.
Often the long time you see the card machine "authorising" for is because that initial connection from the shop to the acquirer takes a while. Some shops still use dial-up modems for this.
Yes as far as I know, it's only Monzo that has to respond within the 200ms window, presumably because other steps of the process can take such a long time
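
An added sketch, not taken from any post in this thread and not Monzo's code, of how the white list, per-merchant limits, "approve it next time" and up-front approval ideas above can be decided from stored state alone, so no user round trip sits inside the response window discussed. All names are hypothetical, amounts are in pence, and the 30-minute and 15-minute windows are the examples floated in the thread.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Approval:
    """Single-use approval stored ahead of the next authorisation request."""
    max_amount: int               # pence
    expires_at: float             # unix seconds
    merchant: str | None = None   # None: any merchant (approved up front)
    exact: bool = False           # True: retry of a declined payment, same amount only

@dataclass
class CardPolicy:
    safe_mode: bool = True                                           # the opt-in/out switch
    whitelist: dict[str, int | None] = field(default_factory=dict)   # merchant -> limit, None = no limit
    approvals: list[Approval] = field(default_factory=list)
    declined: list[tuple[str, int]] = field(default_factory=list)    # what the app would list

def authorise(policy: CardPolicy, merchant: str, amount: int, now: float) -> str:
    """Decide from stored state only; nothing here waits on the user."""
    if not policy.safe_mode:
        return "approve"
    if merchant in policy.whitelist:
        limit = policy.whitelist[merchant]
        if limit is None or amount <= limit:
            return "approve"
    for a in policy.approvals:
        if now > a.expires_at or a.merchant not in (None, merchant):
            continue
        fits = amount == a.max_amount if a.exact else amount <= a.max_amount
        if fits:
            policy.approvals.remove(a)   # single use: a second charge is declined
            return "approve"
    policy.declined.append((merchant, amount))
    return "decline"

def approve_next_time(policy: CardPolicy, index: int, now: float, window: float = 1800) -> None:
    """User taps a declined transaction: same merchant and amount may retry within the window."""
    merchant, amount = policy.declined[index]
    policy.approvals.append(Approval(amount, now + window, merchant, exact=True))

def approve_upfront(policy: CardPolicy, max_amount: int, now: float, window: float = 900) -> None:
    """User approves the next payment up to max_amount at any merchant."""
    policy.approvals.append(Approval(max_amount, now + window))
```

Because each stored approval is consumed on first use and bound to an amount (and, for retries, a merchant), a second charge in the same window is declined, which is the difference from the freeze/defrost approach raised in the thread.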