Two Factor Authentication on transactions


(Mark) #1

For each transaction that is verified by a PIN, require the user to acknowledge the transaction through the mobile app. If the card was stolen or cloned it would not be possible for the attacker to use the card without the user’s mobile phone. This should be a configuration option (off by default). I have no knowledge of the banking sector, but this would increase the card’s security as a four-digit PIN is too easy to break.


(Alex Sherwood) #2

This is a cool idea but unfortunately it isn’t viable. Since he’s online @daniel might like to share a more detailed explanation but basically, the problem is, Monzo has to authorise the transaction very quickly - too quickly to wait for the purchaser to approve it in the app.

There’s been some more discussion about this idea here -

You may also be interested in this explanation of what happens when you make a payment, using a Monzo card here -


(Marta) #3

I’m not sure if @smokedice had online or POS transactions; 3D Secure for online payments is a “solution”.

3D Secure itself is rubbish: same short code over and over, not friendly, and on top of that it has a huge impact on conversion rates. If Monzo went for 3D Secure, I feel like it would be 3 steps back technology-wise. :scream:

Online authorisations in Poland are done by text message. At the same moment when in the UK you are asked for a 3D Secure code, in Poland you get a one-time text message with a 6-8 digit password. You can get a scratch card with codes as an alternative; it will ask you to scratch off and provide code number X. Text codes are the most popular. I think you can also ask for an emergency set of codes too and store them securely in a digital version (LastPass). The problem of chargebacks simply doesn’t exist, because a code verifies the online transaction each time. :slight_smile: This eliminates the majority of frauds and friendly frauds.
Even if some rubbish company completely ignores PCI compliance and stores my card details, in case of a data breach, I’m like “mwahaha, good luck stealing my phone, you hackers”.
I’m used to this model to the point of taking my phone with me to the PC when planning to buy something. :slight_smile:

The Polish 2nd text code beats 3D Secure, because codes are not reusable. The minus is the need to have a phone or scratch card with me. If my phone is stolen with my wallet, due to the length of the text, it’s not possible to read the code even from notifications, and of course you can hide it from notifications in general.

I wonder why nothing was improved and pesky 3D Secure is still king… Protecting merchants in some cases (if the card was enrolled in 3D Secure and the check was a pass) and hitting banks with refund costs instead. Costs of course are passed to the end customer… Wait… this means me! Yay for 3D Secure.

Maybe Monzo creates a new standard? That would be good for PR. :stuck_out_tongue:


#4

But with MasterCard SecureCode I can access from my phone or desktop via a browser… getting texts is a stupid system, as if your phone battery is dead you can’t use it, and if text messages are delayed, as sometimes happens with T-Mobile, you can’t use it.


(Alex Sherwood) #5

To be fair, you’d potentially have issues with SecureCode authorisation via push notification on your mobile too. So Monzo will need to think of a way to manage that (it’s not as if they won’t have realised that already of course)…


(Marta) #6

I see what you mean, but there’s still one major flaw. I believe it is the merchant who has to enroll in 3D Secure in their payment systems. I recently had a dreadful project for it at my company. We faced problems because our infrastructure was 64-bit, while Cybersource’s ‘Secure Acceptance’ (= 3D Secure) was theoretically only for 32-bit. Cybersource advised us to integrate anyway and somehow it worked. We didn’t have 3D Secure for over a year on my company’s website because we assumed it was not doable. I still have nightmares from this project.

Anyway, why should a thief use your card on a website that requires 3D Secure when there are many that do not… I don’t think that Mastercard can force merchants to implement 3D Secure, right?


(Mark) #7

Is the solution to allow the users to block all transactions until they
take the lock off? That way the user can control when the transactions can
occur. This way Monzo can keep to their 200ms response times and the user
has more control.

I have seen that there is a temporary block that can be applied to the
account, but I am unsure to what extent the lock is applied (time, user
control, does it automatically unlock, etc).


(Mark) #8

Secure push mechanisms are not too hard. Monzo shouldn’t use SMS as the
industry is retiring SMS for 2FA due to how insecure the mobile network is
(look up Google 2FA for instance).

Using something like the protocol used for Google authentication would
work perfectly, just as many have demonstrated (Google, GitHub, Dropbox,
Amazon, etc). I.e. the phone would demonstrate that it has authority by
supplying the generated code.


#9

Or something like Symantec’s Verisign Identity Protection (VIP), which can either be an app on your phone for those who are happy enough to trust the battery life, or on a card or keyfob for those of us too often caught out by battery drain.


(Alex Sherwood) #10

I’ve thought of a few potential problems with this idea, which I’ve listed here -

Given the fact that you will be refunded for any payments that are made fraudulently and that you receive instant notifications & can freeze your card as soon as the first is made, plus you’ll have the added friction of unfreezing the card for every transaction you want to make, this seems like overkill to me.

But there’s nothing stopping users trying it & seeing how many issues this does / doesn’t cause :slight_smile: if you do, it would be great to hear how you get on!


(Adam Streeter) #11

2FA is a great idea for most normal banks, but Monzo’s instant notifications give you a way to report fraudulent activity.
Personally I would like to see Monzo tackling fraud in a different way.
Any merchant confirmed as having had a fraudulent payment processed through it should be flagged as potentially fraudulent, and a notification sent to other users that have made a payment to that merchant to ensure they confirm the transactions are genuine.

Payments made to a new online merchant not used before, above a set amount (say £100), should be declined initially, with a confirmation notification on the app to confirm it’s a genuine payment; once OK is pressed, the user processes the payment again and it goes through.

This is of course until card issuers force 3D secure or suitable alternative.
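
The decline-then-confirm rule proposed in post #11, as an added example that is not part of the original post and is not Monzo's code. It decides every authorisation immediately, so it stays within the response-time constraint raised earlier in the thread. The names `CardState`, `authorise` and `confirm_in_app`, the 15-minute validity window and the binding of an approval to the confirmed amount are assumptions.

```python
import time
from dataclasses import dataclass, field

THRESHOLD_PENCE = 100_00        # "say £100" from the post
CONFIRM_TTL_SECONDS = 15 * 60   # assumption: an in-app OK is valid for 15 minutes

@dataclass
class CardState:
    known_merchants: set = field(default_factory=set)  # online merchants used before
    pending: dict = field(default_factory=dict)        # merchant -> amount awaiting OK
    approved: dict = field(default_factory=dict)       # merchant -> (amount, expiry)

def authorise(card, merchant, amount, online, now=None):
    """Return a decision at once; never blocks waiting for the user."""
    now = time.time() if now is None else now
    if not online:
        return "APPROVED"                    # the rule covers online payments only
    # Literal reading of the rule: any earlier payment makes a merchant "used
    # before". A stricter variant would only trust merchants after a confirmation.
    if merchant in card.known_merchants or amount <= THRESHOLD_PENCE:
        card.known_merchants.add(merchant)
        return "APPROVED"
    ok = card.approved.get(merchant)
    if ok and amount <= ok[0] and now <= ok[1]:
        del card.approved[merchant]          # an approval is single use
        card.known_merchants.add(merchant)
        return "APPROVED"
    card.pending[merchant] = amount          # the app would show a prompt here
    return "DECLINED_CONFIRM_IN_APP"

def confirm_in_app(card, merchant, now=None):
    """Called when the user presses OK on the notification."""
    now = time.time() if now is None else now
    amount = card.pending.pop(merchant, None)
    if amount is None:
        return False                         # nothing was waiting for confirmation
    card.approved[merchant] = (amount, now + CONFIRM_TTL_SECONDS)
    return True
```
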


#12

THAT IS A TOTAL PAIN. They have something similar at Fidor and people hate it so much they either stop using the card or beg for MasterCard SecureCode


(Not Theresa May) #13

Just my thoughts: literally transferring money over to Monzo to shop online because it’s so much less of a pain to tap top up instead of digging out the SecureCode


#14

you have the securecode in your head…something others unlikely to guess but easy enough to remember…you don’t make it so obtuse you can’t remember it…doh