It’s the merchant that decided this. Like the daily limit, CVC and 3DS necessity changes after a while, when a source is considered trustworthy. At this point, also auto top up should be possible for this card.
I think we are at crossed purposes, Frank. There is no merchant here - just using my debit card to top up my Revolut account (from my bank account).
I would like to be able to enforce 3DS on every top up, if possible. I certainly have no interest in automatic top ups!
I am not sure what’s going on here, but for non 3DS cards, the app stops asking for the CVC after a while. This might be true for 3DS as well. This might cohere with cards becoming available for auto top ups. So Revolut might process payments differently after a while.
Yes, you’re right. It’s up to Revolut to ask whether they want the CVV or not. When you make a purchase through Amazon they do not ask for a CVV, for example.
Most merchants require a CVV to avoid fraudulent transactions and consequently a chargeback. I also think there’s a higher transaction fee when there’s no CVV involved which makes the transaction more expensive for the merchant, but I’m not entirely sure.
Argh … it just got worse. As you guys predicted, Revolut has now stopped asking for CVV when I top up from my debit card. When my current question to support has cleared, I shall raise a new one to have them make CVV mandatory for my top-ups.
Revolut “Support” are just telling me to talk to my bank for both CVV and 3DS.
I am increasingly worried about the security of this. With no two-factor authentication on card top-up, and the app protected only by a very weak 4-digit PIN, the potential for my bank account haemorrhaging money to fraudulent Revolut transactions if my my phone is stolen seems quite high.
What am I missing?
First, your smartphone needs to get unlocked with your PIN/fingerprit/face scan and then someone needs to know your Revolut app PIN. This will take some time to crack, probably enough to wipe your phone data remotely from other device.
You can always go back to the old days of legacy banking with multiple passwords, physical key devices and somewhat unsafe browser logins, if you consider currents solutions unsafe. Or even better, don’t sign up for online banking and visit your local branch for everything
All it requires is someone to unlock my phone and then also hack the very weak Revolut PIN. With no 2FA on the top-ups, that person can then spend freely, until I notice the theft and am able to contact Revolut.
I would feel more comfortable if there were a way to enforce 2FA on a top-up by debit card.
Unlocking your smartphone and then unlocking your Revolut app is in fact 2FA. If you are so concerned about the safety of your data use long password with various symbols and numbers instead of PIN to secure your phone. You will be safe.
You can also top up by transfer from your legacy account instead of card top ups. This way, you wil be REALLY safe as no card details will be stored in your app.
Well, that seems to be a bit arse about face - to put very inconvenient strong security on my phone just because the one app that needs high security won’t do it properly itself.
Having to do an Internet transfer a few times each week is also not the right answer - by making it more inconvenient for me to top up I will either just stop topping up and so stop using Revolut at all, or I will top up larger amounts less frequently, which also makes for a higher risk of losing.money when my card is stolen.
The right answer is to allow enforcing 2FA on the in-app top-up.