Richard’s just shared some more details about the improvements that’re on the way, when the debit cards are rolled out along with the current accounts. There isn’t a dedicated topic with the details of what’s changing so I thought I’d create one.
Offline support means no more declined payments for things like car park / railway station ticket machines & Pay at the Pump.
I’ve been told by @richardr that the contactless Magstripe support should result in significantly fewer declines in the US.
I assume that data storage means the capability to do things like storing season tickets on your Monzo card (bearing in mind that the storage space is relatively limited).
It looks like they’re not far from being ready either.
To add to this, @anon91067538 has confirmed that the new cards will stop the ATM message appearing that says “Please note that your card issuer may apply a cash advance charge”
Furthermore, I experienced a few issues in the USA with the Monzo CA where the POS device would say “EMV transaction not allowed”. Manually entered, the card worked fine. However, this new chip should also fix that issue.
Possibly it’s where the card broadcasts the mag stripe data over contactless (instead of doing an EMV transaction like they do now). Extremely insecure but that seems to be common in the US.
In general there are two classes of contactless bank cards: magnetic stripe data (MSD) and contactless EMV.
Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the U.S. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer’s systems.
Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The contactless interface provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. usually issuers will not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an “offline balance” stored in their chip, similar to the electronic wallet or “purse” that users of transit smart cards are used to.
The first part of this is correct. However, the latter part is not. Replay attacks are protected against because they use a dynamic CVV3 instead of the regular CVV from the magstripe.
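The replay protection described above, as an added illustration that is not part of the original thread: a card-generated code tied to a transaction counter and a terminal-supplied unpredictable number, checked by the issuer. HMAC-SHA256, the 3-digit truncation, the key and all class and field names are assumptions standing in for the card schemes' real algorithm.

```python
import hmac
import hashlib

def dynamic_code(card_key: bytes, atc: int, un: int) -> str:
    # 3-digit code over the card's transaction counter (ATC) and the
    # terminal's unpredictable number (UN). HMAC-SHA256 is a stand-in,
    # not the card schemes' real algorithm.
    msg = atc.to_bytes(2, "big") + un.to_bytes(4, "big")
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def tap(self, un: int) -> dict:
        self.atc += 1  # counter advances on every tap, seen by issuer or not
        return {"atc": self.atc, "code": dynamic_code(self.key, self.atc, un)}

class Issuer:
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorise(self, atc: int, code: str, terminal_un: int) -> str:
        # A counter value at or below the last accepted one is a replay.
        if atc <= self.last_atc:
            return "DECLINE: stale counter (replay)"
        # The code must match the UN chosen by the terminal in use.
        expected = dynamic_code(self.key, atc, terminal_un)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: code does not match this terminal's UN"
        self.last_atc = atc
        return "APPROVE"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    card, issuer = Card(key), Issuer(key)
    t = card.tap(un=0x1111)
    results = [issuer.authorise(t["atc"], t["code"], 0x1111)]      # genuine tap
    results.append(issuer.authorise(t["atc"], t["code"], 0x1111))  # same data again
    return results

if __name__ == "__main__":
    print(demo())
```

A static magstripe CVV has neither input, which is why captured track data from a swipe can be reused while a captured contactless MSD read cannot.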
However, doesn’t this mean that any card with this feature can trivially have its card number and expiry date skimmed? Will there be a way to disable this on our cards if we’re not using it?
There’s a few more security features as described in the posts above mine but effectively, it is magstripe over the contactless interface. American Express use it and it’s easy for merchants who used to only accept magstripe to upgrade to.
This is not to be confused with MST (Magnetic Stripe Transmission), the technology that Samsung Pay originally used and still uses in certain markets. That’s literally magstripe data being blasted out of an electromagnet.
We’re adding Magstripe Contactless to our cards to reduce the number of declines we see from users traveling in the US. It’s near-impossible to tell what a terminal is using until you’re already declined.
Perhaps, but then they’d typically need the CVV2 from the signature strip which won’t be in the skimmed data. That’s why I hate the US restaurant practice of the server taking your card away for authorisation. All they need to do is take a photo of the card back/front and Card Not Present fraud is now your risk.
You can already get the PAN and expiry date with any contactless card. If you’ve got a card reader you can see for yourself using Cardpeek (make sure you check the binary on Virustotal as the download is not HTTPS, or compile it yourself).
Sometimes, POS terminals aren’t able to establish a data connection to their Merchant Acquirer. Typically, this happens on aeroplanes and trains. In such a case, the card chip can be programmed to work in “offline” mode for a limited number of transactions. When the POS re-establishes a data connection (eg the aeroplane lands), the payments are uploaded to the Acquirer. The first the Issuer sees of this payment is in the “Presentment” file, which may be a day or two later.
It does mean that even if your card is frozen or you have insufficient funds, the payment will still be authorised - or rather, Monzo will not authorise the transaction at all - (I’ve checked this with the support team) but Monzo will be liable for the charges if you have frozen your card so they’ll reimburse you.
Fortunately, as the blog mentions, there are not many merchants with offline terminals so even in the short term, your exposure to fraud here is small.
We know that the debit cards will be more likely to work with terminals (when you pay at the counter) that only accept magstripe payments. That’s what Richard was referring to when he mentioned ‘contactless magstripe’ support.
If you enable Magstripe withdrawals though, it should work with Magstripe only ATMs.
I’ve moved your post here, as your question applies to using the debit card in every country & it’s useful to keep all of the information about the debit cards in one place.