Full disclosure: We are currently working very hard on building all the things necessary to launch as a full bank and we aren’t currently actively exploring ideas such as this.
I’m a Security and Fraud engineer here at Monzo. I’m really excited by all the cool things we can start experimenting with once we have everything up and running.
Here’s a flavour of some of the things I consider when evaluating ideas like this one:
It’s important to consider what problem you are trying to solve. This particular idea (at least how you presented it) would give some protection against the following type of fraud:
- Fraud committed online with a merchant that requires the CVC2 to be entered.
It doesn’t protect against:
- Fraud committed online with a merchant that doesn’t require the CVC2 (sending the CVC2 is at the discretion of the merchant)
- Card present fraud (typically magnetic stripe)
- Online fraud where the fraudster guesses the CVC2 (usually by trying each possible value)
So one of the first things I would do is try and work out how much fraud actually sits in that first bucket, if it turns out that it is only £1 in every £99 of fraud then it may not be as high a priority.
You also have to consider the increased complexity in the app and the potential for misunderstanding this will introduce (users can be really bad at understanding things).
It could, potentially, be better to allow the user to generate full one time PANs (primary account numbers i.e. the 16 digit card number) from within the app. One of the things I find quite frustrating about fraud is the lack of visibility we have (as a bank) into what facilitated certain instances of fraud. For example, we know that a criminal somehow got a copy of someone’s card details and did an online payment but we have no visibility into how they did that, did they skim the contactless? Did they breach the database of an online retailer? Did they have an ATM skimmer? Did they just guess the details? If we can use different PANs for different things then we get more visibility into how the criminals are getting the card details and know where to focus efforts.