3DS on card top-up


#1

Does Revolut have any control over whether 3DS (VbV in this case) is used when I top up, or is that decided solely by the bank?

I am not completely comfortable that VbV is no longer being used when I top up my Revolut card using my bank account debit card, and would like to have it always on.


#2

It’s the merchant that decided this. Like the daily limit, CVC and 3DS necessity changes after a while, when a source is considered trustworthy. At this point, also auto top up should be possible for this card.


#3

I think we are at crossed purposes, Frank. There is no merchant here - just using my debit card to top up my Revolut account (from my bank account).
I would like to be able to enforce 3DS on every top up, if possible. I certainly have no interest in automatic top ups!


#4

3DS is handled by the issuer of the card. So it’s not Revolut’s decision.

My Portuguese banks always require 3ds… Maybe it’s something you can talk about with your card issuer


#5

In this case, Revolut is the “merchant” of this card transaction. With a top up, you “pay” money from your card account to Revolut. And they credit it then to your wallet.


#6

@megamaster you’re right. Sorry.

I am not sure what’s going on here, but for non 3DS cards, the app stops asking for the CVC after a while. This might be true for 3DS as well. This might cohere with cards becoming available for auto top ups. So Revolut might process payments differently after a while.


#7

So, what is the conclusion here - is it my bank (The issuer of my debit card) or Revolut that I need to ask to turn on 3DS for top-ups by card?


#8

To the best of my knowledge, the cvv is on Revolut’s end, so they decide when you ask or not to ask for cvv.

The 3ds is your issuer bank. As I stated before my Portuguese banks always ask, however as an example, n26 only asks sometimes.

3ds is an anti fraud measure the issuer bank has before it authorises the charge


#9

Yes, you’re right. It’s up to Revolut to ask whether they want the CVV or not. When you make a purchase through Amazon they do not ask for a CVV, for example.

Most merchants require a CVV to avoid fraudulent transactions and consequently a chargeback. I also think there’s a higher transaction fee when there’s no CVV involved which makes the transaction more expensive for the merchant, but I’m not entirely sure.


#10

I’ve also heard that a transaction without CVV is more expensive.

However I honestly don’t see the purpose of cvv with 3ds nowadays. 3ds was created exactly because cvv didn’t curtail fraud too much. When you have 3ds, cvv doesn’t serve much purpose


#11

Thanks, all. I will contact my bank and ask them if they can have 3DS always on for Revolut top-ups. As The bank is HSBC, I am not hopeful that they will understand or care.


#12

Argh … it just got worse. As you guys predicted, Revolut has now stopped asking for CVV when I top up from my debit card. When my current question to support has cleared, I shall raise a new one to have them make CVV mandatory for my top-ups.


#13

Probably revolut will just suggest that you delete and add the card again as a top up method so that it starts asking for CVV again…

I would actually like to have the opposite option, disabling CVV as I have a debit card that doesn’t have CVV on the back and always asks for 3ds anyway :wink:. As it is I can’t use it for top ups


#14

Revolut “Support” are just telling me to talk to my bank for both CVV and 3DS.
I am increasingly worried about the security of this. With no two-factor authentication on card top-up, and the app protected only by a very weak 4-digit PIN, the potential for my bank account haemorrhaging money to fraudulent Revolut transactions if my my phone is stolen seems quite high.
What am I missing?


#15

First, your smartphone needs to get unlocked with your PIN/fingerprit/face scan and then someone needs to know your Revolut app PIN. This will take some time to crack, probably enough to wipe your phone data remotely from other device.

You can always go back to the old days of legacy banking with multiple passwords, physical key devices and somewhat unsafe browser logins, if you consider currents solutions unsafe. Or even better, don’t sign up for online banking and visit your local branch for everything :grin:


#16

All it requires is someone to unlock my phone and then also hack the very weak Revolut PIN. With no 2FA on the top-ups, that person can then spend freely, until I notice the theft and am able to contact Revolut.
I would feel more comfortable if there were a way to enforce 2FA on a top-up by debit card.


#17

Unlocking your smartphone and then unlocking your Revolut app is in fact 2FA. If you are so concerned about the safety of your data use long password with various symbols and numbers instead of PIN to secure your phone. You will be safe.

You can also top up by transfer from your legacy account instead of card top ups. This way, you wil be REALLY safe as no card details will be stored in your app.


#18

Well, that seems to be a bit arse about face - to put very inconvenient strong security on my phone just because the one app that needs high security won’t do it properly itself.
Having to do an Internet transfer a few times each week is also not the right answer - by making it more inconvenient for me to top up I will either just stop topping up and so stop using Revolut at all, or I will top up larger amounts less frequently, which also makes for a higher risk of losing.money when my card is stolen.

The right answer is to allow enforcing 2FA on the in-app top-up.


#19

There are problems where the only solution is to stop using the service to stay safe.

I offered you a solution to your concern. If that is not enough in your eyes, stop using the service.


#20

Unfortunately it seems that you have a very strong personal opinion and are not open to suggestions. I think noone can help you here.