How we upgraded 3D Secure


You’re binge-watching Netflix at home. You get a message from your bank saying, wait, when did I buy £3,000 plane tickets to the Bahamas?!

It’s a nightmare lots of people have sadly had to experience in the past: a fraudster got hold of your card details and used them to steal from you.

Monzo, like other banks, helps stop this from happening using something called 3D Secure.

What is 3D Secure?

3D Secure is a payment standard that aims to reduce e-commerce fraud by adding a second factor of authentication to online card transactions.

When you buy something online, a window pops up during checkout asking you to confirm that it's really you making the payment.

That means if your card details are stolen, the thief still can't buy first class tickets anywhere unless they also have your phone and your PIN.

Image of 3D Secure with Monzo

We want to keep your money safe, so we follow these standards with the help of Mastercard, which acts as the middle-man in transaction processing (also known as our card network).

Why are we upgrading to 3DS2?

Right now most websites use 3DS version 1 (3DS1) for two-factor authentication. But Mastercard recently added support for a new version, known as 3DS2. This version has a few advantages, including:

  • Additional information: 3DS2 carries much more data we can use to decide whether it's really you making the payment: your device details, the merchant's website or app details, and any authentication the merchant has already performed (like logging into their app with your fingerprint). That lets us judge far more accurately whether the payment is genuine.

  • Frictionless authentication: if we judge the risk to be very low, for example because the transaction value is small or the purchase matches your shopping habits, we can choose not to challenge you at all. If you already order from Just Eat every Friday night, we don't want to bother you every week asking if it was really you. This is something we're still working on!

  • A better user experience: the Monzo challenge window is now rendered natively inside Android and iOS apps, or as a modal in your web browser. This makes for better-looking and smoother mobile checkouts.

...And much more!

How does 3DS2 actually work?

Understanding how 3D Secure works is fairly complicated, and involves reading a 255-page technical document.

It involves communication between:

  • 3DS Client and 3DS Server - the merchant side: the website or mobile app the customer is using, plus the merchant's (or acquirer's) server component that sends the authentication messages to the DS on its behalf

  • DS (Directory Server) - the middle-man in charge of routing requests between merchants and issuers - in our case this is owned by Mastercard

  • ACS (Access Control Server) - the system owned by the issuer (Monzo) in charge of making the ultimate decisions regarding 3DS challenges

How 3D Secure works

The 3DS flow involves the exchange of multiple messages, which goes as follows:

  1. Authentication Request: When the customer submits their card details at checkout on the merchant's site (ie. the online shop), the merchant's 3DS Server sends the DS a request saying "please authenticate this cardholder" (known as an AReq or Authentication Request). Whether that turns into a challenge is the issuer's call, not the merchant's.

  2. Authentication Response: Mastercard's DS forwards that request to Monzo (the ACS), which responds with an ARes (or Authentication Response). This will contain one of the following outcomes:

    1. Yes, we want to challenge this customer

    2. Sorry, this card isn't enrolled for 3DS2 yet

    3. No, don't proceed: the card is frozen or blocked, so stop right here

    4. It's fine, no challenge needed: the risk is low (for example the transaction value is small), so we authenticate the customer straight away (known as the frictionless flow)

  3. Challenge Request: If the merchant gets a response from Monzo saying we want to challenge the customer, the customer's browser or the merchant's app sends a CReq (Challenge Request) directly to Monzo's ACS, at the address returned in the ARes, meaning "Let's start a challenge". The DS isn't in the path for the challenge messages.

  4. Challenge Response: Monzo responds with a CRes (Challenge Response) carrying the challenge screen that asks the customer to confirm the payment in the Monzo app.

  5. Result Request: Once the customer confirms their identity (or fails to), Monzo sends the merchant, via the Mastercard DS, an RReq (Result Request) with the outcome. If the outcome was an approval, this result includes a cryptogram called the IAV (Issuer Authorization Value), generated by Monzo for this specific transaction.

  6. Result Response: The merchant side acknowledges the result with an RRes (Result Response), relayed back to Monzo by the DS.

  7. Authorization: If the result was successful, the merchant can finally submit the payment to take money from the customer's account (known as an authorization), including the IAV cryptogram as proof that the cardholder was authenticated by us. The issuer validates that cryptogram when the authorization arrives, so a fraudster who skips or fails the challenge has nothing to present.
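The seven-step exchange above, together with the frictionless decision from the "Why are we upgrading" section, as an added example that is not Monzo's or Mastercard's code. Message and field names (AReq, ARes, CReq, CRes, RReq, threeDSServerTransID, dsTransID, acsTransID, transStatus, acsURL, authenticationValue, eci, purchaseAmount) are the EMV 3DS 2.x ones, and the cryptogram the article calls the IAV travels in the authenticationValue field; everything else (the ACS class, run_checkout, ISSUER_KEY, LOW_VALUE_MINOR_UNITS, the HMAC cryptogram construction, the example acsURL, the card records and the in-process message passing) is an assumption made for this example.

```python
import base64
import hashlib
import hmac
import uuid

# Field names follow the EMV 3DS 2.x message spec; the risk rules, the HMAC
# cryptogram, the card records and the in-process "network" are assumptions
# for this example, not Monzo's or Mastercard's code.
ISSUER_KEY = b"example-issuer-key-not-for-production"  # assumption: ACS secret
LOW_VALUE_MINOR_UNITS = 3000  # assumption: frictionless under 30.00 (minor units)


class ACS:
    """Issuer-side Access Control Server: decides, challenges, then verifies."""

    def __init__(self, cards):
        self.cards = cards   # pan -> {"enrolled", "frozen", "trusted_merchants"}
        self.pending = {}    # acsTransID -> (pan, amount) awaiting a challenge
        self.issued = {}     # authenticationValue -> (pan, amount), not yet spent

    def _cryptogram(self, pan, amount, acs_trans_id):
        # Bind the value to card, amount and this 3DS transaction so it cannot be
        # reused for a different purchase (simplified construction, assumption).
        msg = f"{pan}|{amount}|{acs_trans_id}".encode()
        mac = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()[:20]
        value = base64.b64encode(mac).decode()
        self.issued[value] = (pan, amount)
        return value

    def handle_areq(self, areq):
        """Step 2: decide what to do with the merchant's Authentication Request."""
        assert areq["messageType"] == "AReq"
        pan, amount = areq["acctNumber"], int(areq["purchaseAmount"])
        acs_trans_id = str(uuid.uuid4())
        ares = {"messageType": "ARes", "messageVersion": areq["messageVersion"],
                "threeDSServerTransID": areq["threeDSServerTransID"],
                "dsTransID": areq["dsTransID"], "acsTransID": acs_trans_id}
        card = self.cards.get(pan)
        if card is None or not card["enrolled"]:
            ares["transStatus"] = "U"   # not enrolled: unable to authenticate
        elif card["frozen"]:
            ares["transStatus"] = "R"   # rejected by the issuer: stop right here
        elif amount < LOW_VALUE_MINOR_UNITS or areq["merchantName"] in card["trusted_merchants"]:
            ares["transStatus"] = "Y"   # frictionless: authenticated, no challenge
            ares["authenticationValue"] = self._cryptogram(pan, amount, acs_trans_id)
            ares["eci"] = "02"          # Mastercard ECI for a fully authenticated payment
        else:
            ares["transStatus"] = "C"   # challenge required
            ares["acsURL"] = "https://acs.example.test/challenge"  # assumption
            self.pending[acs_trans_id] = (pan, amount)
        return ares

    def handle_creq(self, creq, cardholder_confirmed):
        """Steps 3-5: return (CRes for the customer's browser/app, RReq for the merchant)."""
        assert creq["messageType"] == "CReq"
        pan, amount = self.pending.pop(creq["acsTransID"])
        status = "Y" if cardholder_confirmed else "N"
        common = {"acsTransID": creq["acsTransID"],
                  "threeDSServerTransID": creq["threeDSServerTransID"],
                  "transStatus": status}
        cres, rreq = {"messageType": "CRes", **common}, {"messageType": "RReq", **common}
        if cardholder_confirmed:
            rreq["authenticationValue"] = self._cryptogram(pan, amount, creq["acsTransID"])
            rreq["eci"] = "02"
        return cres, rreq

    def authorize(self, pan, amount, authentication_value):
        # Step 7, issuer side: accept only a value we issued for exactly this card
        # and amount, and accept it once (a replayed or altered value fails).
        return self.issued.pop(authentication_value, None) == (pan, amount)


def run_checkout(acs, pan, amount, merchant, cardholder_confirms=True):
    """Drive one purchase through the flow; returns (final transStatus, approved)."""
    areq = {"messageType": "AReq", "messageVersion": "2.1.0",
            "threeDSServerTransID": str(uuid.uuid4()), "dsTransID": str(uuid.uuid4()),
            "acctNumber": pan, "purchaseAmount": str(amount), "merchantName": merchant}
    ares = acs.handle_areq(areq)             # 3DS Server -> DS -> ACS, and back
    status, value = ares["transStatus"], ares.get("authenticationValue")
    if status == "C":
        creq = {"messageType": "CReq", "messageVersion": "2.1.0",
                "threeDSServerTransID": areq["threeDSServerTransID"],
                "acsTransID": ares["acsTransID"]}
        _cres, rreq = acs.handle_creq(creq, cardholder_confirms)  # client <-> ACS directly
        status, value = rreq["transStatus"], rreq.get("authenticationValue")
    if status != "Y":
        return status, False                 # merchant never reaches authorization
    return status, acs.authorize(pan, amount, value)


# Constructed card records for the demonstration (not real card numbers).
CARDS = {
    "5555000000000001": {"enrolled": True, "frozen": False, "trusted_merchants": {"Just Eat"}},
    "5555000000000002": {"enrolled": True, "frozen": True, "trusted_merchants": set()},
    "5555000000000003": {"enrolled": False, "frozen": False, "trusted_merchants": set()},
}

if __name__ == "__main__":
    acs = ACS(CARDS)
    print(run_checkout(acs, "5555000000000001", 1850, "Just Eat"))      # ('Y', True)
    print(run_checkout(acs, "5555000000000001", 300000, "Skyscanner"))  # ('Y', True)
```

The part worth noticing is the last step: the merchant never validates the cryptogram itself. The issuer does, at authorization time, checking that the value was issued for exactly this card and amount and has not been presented before. A cryptogram lifted from a different transaction, or replayed from this one, buys a fraudster nothing.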

How did we roll-out 3DS2?

Until now we (and every other bank) have been using 3D Secure version 1, and migrating to a new version is no easy task: upgrading to 3DS2 involves a complete rework of the back-end.

To motivate banks to move to the new version, Mastercard set a deadline in September 2019. After this deadline there'd be a "liability shift": if a merchant attempts a 3DS2 authentication and the issuing bank doesn't support it, liability for any resulting fraud moves to the bank. So if there's fraud, the bank pays the price!

So our payments team started work on this version upgrade in the middle of 2019, with the help of a certification testing tool owned by Underwriters Laboratories. We also did one-off tests using Stripe 3DS2 validation.

Initially 3DS2 was only available to a handful of payments engineers, as it was at a very early alpha stage. But after a few months of testing we were ready for real world transactions!

In November, we partnered with Just Eat and managed to successfully deliver 3DS2 kebabs to the office (victory never tasted so good!).

But one merchant isn’t enough! So in December we partnered with Skyscanner and this time bought 3DS2 flights to Korea! (This time we couldn’t justify the £1,000 expense and of course got an immediate refund).

At that point we were confident everything was working as it should, so we decided to enroll 1% of our customers (35,000 people) on the new version. That way we could analyse the data slowly, and if something went wrong there'd be little impact and we could roll back easily.

Over the holiday period, with a steady stream of successful transactions and after making monitoring improvements, we decided we were ready for more! So on the first week of January we rolled out 3DS2 to 10% of our user base, 350,000 people. 

At this point we hit a lot of merchant acceptance issues. Because the 3DS2 standard is fairly new, many merchants and acquirers still have bugs in their implementations.

So after some back-and-forth conversations with them, allow-listing certain merchants and working with our partners, we rolled out to 25% - 875,000 people. 
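One way to run the staged rollout described above (1%, then 10%, then 25%, with certain merchants allow-listed), as an added example that is not Monzo's rollout code. The bucket count, the salt, the treatment of the allow-list (when one is given, only listed merchants get 3DS2 and everyone else falls back to 3DS1) and the customer IDs are all assumptions made for this example.

```python
import hashlib

BUCKETS = 10_000  # 0.01% granularity (assumption)


def rollout_bucket(customer_id, salt="3ds2-rollout"):
    """Map a customer to a stable bucket in [0, BUCKETS). The mapping never
    changes, so the 1% cohort is a subset of the 10% cohort, which is a subset
    of the 25% cohort: raising the percentage only adds people, and rolling
    back only removes the most recently added ones. The salt keeps this cohort
    independent of any other experiment hashed on the same customer IDs."""
    digest = hashlib.sha256(f"{salt}:{customer_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


def in_cohort(customer_id, percent):
    """True when the customer falls inside the first `percent` of buckets."""
    return rollout_bucket(customer_id) < percent * BUCKETS // 100


def use_3ds2(customer_id, merchant_id, percent, allowed_merchants=None):
    """Decide whether an authentication is handled on 3DS2 or falls back to
    3DS1. When an allow-list is given, only those merchants get 3DS2 (an
    assumption about how the allow-listing described above was applied)."""
    if allowed_merchants is not None and merchant_id not in allowed_merchants:
        return False
    return in_cohort(customer_id, percent)


def cohort(customer_ids, percent):
    """The set of customers on 3DS2 at a given percentage."""
    return {c for c in customer_ids if in_cohort(c, percent)}


if __name__ == "__main__":
    # Constructed customer IDs; the cohorts nest and their sizes track the percentages.
    ids = [f"cust-{i:05d}" for i in range(20_000)]
    c1, c10, c25 = (cohort(ids, p) for p in (1, 10, 25))
    print(len(c1), len(c10), len(c25), c1 <= c10 <= c25)
```

Hashing rather than picking customers at random is what makes the rollback story in the paragraph above cheap: dropping from 10% back to 1% puts exactly the original 1% back, with no table of who was enrolled to maintain.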

We're about to make 3DS2 available to every single one of our customers. At that point we'll be one of very few UK banks to support the new version, and online shopping will be a safer experience for our customers 😌