Real-time authorisations


(Jaroslaw Pawlak) #1

Goal

Prevent fraud rather than dealing with the consequences after it happens.

Solution

When the card is being used, rather than just sending a notification about the fact, require a user to confirm that in the app.

That would probably have a time limit - when not approved in a timely manner the transaction would fail.

What can be built on top of it

  • After the transaction failed because of timeout, it can still be approved - the next transaction for the same merchant for the same amount wouldn’t require approval again (probably with some time limit - 30m, 1h, 24h?)
  • White list - approval never required for merchants chosen by the user (just click on the transaction and add to the white list)
  • White list with limits - set a maximum amount for a white listed merchant, if exceeded the approval will be required
  • Opt-in/out - possibility to enable/disable this feature, when enabled that would effectively be a safe mode, drastically reducing a chance of fraudulent transactions
  • Automatic pattern analysis and recognition - even when disabled, you could still require authorisation from the user for suspicious transactions (based e.g. on location, amount, previous usage etc.)

Similar ideas



(Marcel Ruhf) #2

The problem is that when you / someone else presents your card to a card terminal (contactless or chip and pin), Monzo only has a few hundred milliseconds to decide whether to accept or decline a transaction. So this would only work for online transactions, which Monzo is planning on implementing via 3D Secure (which is on the near-term roadmap).


(Jaroslaw Pawlak) #4

I admit I don’t know technical details behind payments, but are you sure it’s only a few hundred milliseconds? I have sometimes seen “authorising” on the terminals for 5-10 seconds, which would be enough to approve it in the app.


(Marcel Ruhf) #5

The card terminals need to connect to their acquirer, who then have to connect to the buyer’s card network (Visa/MasterCard/Amex), who then forward the authorisation request to the buyer’s bank (in our case, Monzo).

I remember seeing this “a few hundred milliseconds” figure being posted somewhere by a member of staff somewhere here. I’m sure @HughWells can give more info.


(MikeF) #6

In my head it’s 200ms, far too short for any sort of user interaction but take that with a pinch of salt unless I can find a source somewhere.


(Marcel Ruhf) #7

That’s the figure I remembered, but wasn’t sure.
Can’t remember on which thread I read it though.
There are several threads where this figure is mentioned.


(Jaroslaw Pawlak) #8

Hmmm… It could still be done by approving it upfront - e.g. if you are about to buy your lunch, you could specify in the app that the next transaction for up to £10 in the next 15 minutes is ok.

Or just letting the first transaction fail, so that in the app I could just select it and click “approve it next time”.

That might be less convenient, but with a white list, this is the extra security that I would definitely sign up for.


(Ian Lyon) #9

That’s correct - it’s 200ms 🙂


(Jaroslaw Pawlak) #10

@ianlyon Developer’s curiosity - where does this limitation come from? I assume that something, somewhere has 200ms timeout and will fail the transaction if there is no response in that time?


(Change Works) #11

I think that freezing the card and defrosting it prior to each transaction would achieve a sufficiently similar result.


(Alex Sherwood) #12

Yes, the problem there of course is what if you don’t have a data connection.


(Jaroslaw Pawlak) #13

Not exactly, there are a few main differences:

  1. Approval before the transaction and nothing afterwards VS defrosting the card before and freezing it after
  2. Other (fraudulent) transactions could go through in this short window of time - selecting rejected transaction to allow it next time would prevent that
  3. This approach will not work with automatic payments that could happen at any day and time (e.g. TfL’s Oyster auto top-up)
  4. White list could practically eliminate need for approvals depending on the use case - I can only speak for myself, but I have a bunch of online services which I use regularly and a couple of places where I go for lunch. That’s about 20-30 items on the white list that would completely eliminate the need for approving transactions for me, with the exception of when I am on holidays.
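
The rules proposed in posts #1, #8 and #13 (white list with limits, up-front approval, "approve it next time") can all be evaluated from stored state, so no user round trip is needed inside the response window discussed above. A sketch of that decision logic, added here as an illustration and not part of any post or of Monzo's code; the class and method names, the pence units and the retry window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PreApproval:
    max_pence: int                  # inclusive ceiling for the approved payment
    expires: datetime               # approval is void after this instant
    merchant: Optional[str] = None  # None = any merchant (the "lunch" case in #8)
    exact: bool = False             # True = amount must match exactly (retry case)

    def covers(self, merchant: str, pence: int, now: datetime) -> bool:
        if now > self.expires:
            return False
        if self.merchant is not None and self.merchant != merchant:
            return False
        return pence == self.max_pence if self.exact else pence <= self.max_pence

@dataclass
class SafeModeRules:
    whitelist: dict = field(default_factory=dict)  # merchant -> limit in pence, None = no limit
    approvals: list = field(default_factory=list)  # outstanding single-use PreApprovals
    declined: list = field(default_factory=list)   # (merchant, pence, time) shown in the app

    def authorise(self, merchant: str, pence: int, now: datetime) -> str:
        """Decide from stored state only; nothing here waits for the user."""
        if merchant in self.whitelist:
            limit = self.whitelist[merchant]
            if limit is None or pence <= limit:
                return "APPROVE:whitelist"
        for pa in self.approvals:
            if pa.covers(merchant, pence, now):
                self.approvals.remove(pa)  # single use: a second charge needs a new approval
                return "APPROVE:pre-approved"
        self.declined.append((merchant, pence, now))
        return "DECLINE:needs-approval"

    def approve_next_time(self, index: int, now: datetime, window: timedelta) -> None:
        """User selects a declined transaction: allow one retry, same merchant and amount."""
        merchant, pence, _ = self.declined[index]
        self.approvals.append(PreApproval(pence, now + window, merchant, exact=True))
```

Because a retry approval is bound to one merchant and one exact amount and is consumed on use, a different charge arriving in the same window is still declined, which is the difference from freeze/defrost raised in point 2.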

#14

I have never had a fraudulent transaction on any of my cards. It’s such a tiny percentage that I’m not sure there’s a need. If it does happen Monzo refund within an hour.
What happens if you have no data/signal/battery and want to buy something you happen to see on sale?


(Jaroslaw Pawlak) #15

Until another data breach of a service where you have your card remembered (like Ticketmaster recently).

Preventing it would save time and effort for both sides and potentially a lot of money for Monzo in case of fraudulent transactions that cannot be reverted (e.g. ATM withdrawal).

That’s a risk you might or might not want to take. Again it depends on the use case - I rarely fall for such sales and rarely have no data/signal/battery.


(Alex Sherwood) #16

No it’s not. Even if you only have that problem 1% of the time (which is optimistic) you have a real problem when you do.

I appreciate the fact that you have good intentions here but it seems like you haven’t really thought this through. As you’ve mentioned, issuers have an incentive to reduce fraud so if this was a good idea, it would have been done already, it’s not hard to implement.


(Alex Sherwood) #17

6 posts were split to a new topic: User confirmation when fraudulent transactions have been flagged


(Richard Cook) #18

8 posts were split to a new topic: Removed Posts - 3/7/18


(Jaroslaw Pawlak) #19

And what about that 1% of times when the merchant has problems with their terminal or connection is down and you cannot pay with card at all? Or what about stalls on the food market which often accept cash only? Should we all give up our cards and go back to cash only, because in 1% of cases you cannot use your card anyway?

Then help improve this idea.


(Jolin) #27

This is an old blog post, but shows the different stages of a transaction:

My memory from previous discussions on this forum is that the 200ms requirement comes from the card network (Mastercard in this case). I assume this is so that transactions don’t take too long end-to-end.

Often the long time you see the card machine ‘authorising’ for is because that initial connection from the shop to the acquirer takes a while. Some shops still use dial-up modems for this. 😮


(Alex Sherwood) #28

Yes as far as I know, it’s only Monzo that has to respond within the 200ms window, presumably because other steps of the process can take such a long time 😬