Anti Fraud Ideas - No CVV + Country Blocking + Metal Virtual Cards


#1

Hey,

Today I too have been a victim of debitcard fraud with my Metal card. I was at a club in Spain and suddenly a bunch of online transactions came through from online merchants in the Dubai area.

The card automatically froze after a few declined payments, but unfortunately they had already managed to steal some of my cash.
I’m in the process of doing a chargeback, so I’m confident that this issue will be resolved sooner or later.

This incident actually got me thinking a lot about the security of my cards. On the one hand, I totally would want to block online payments on my metal card for security purposes, but on the other hand I don’t want to lose my cashback which is often 10x higher when shopping online, than when shopping offline in Europe. (0,1% in Europe, 1% outside Europe)

For security purposes I would like to propose the following ideas/changes:

1) METAL VIRTUAL (DISPOSABLE) CARDS
The virtual (disposable) cards are awesome, but we are forced to choose between security and cashback. I would like to propose that all Metal account holders have cashback on all virtual cards too. This way we can turn off online shopping on our Metal card, and we can use our virtual (disposable?) cards for that purpose, while still getting the same cashback as with our metal cards.

2) COUNTRY BLOCKING
I travel A LOT and also like to do a lot of online shopping, but… I’m always travelling inside Europe and all my online shopping is either in Spain or USA.
I propose that we can choose in which countries our cards can be used (just like the Dutch bank BUNQ does). There is no reason for my card to work in Vietnam, Somalia or UAE, if I’m never going to visit those countries. And if I’m ever in an other country like France or UK and my card has blocked that country, I can turn it on via my Revolut-app in an instant, so that wouldn’t be a problem either.

3) NO CVV PRINTED ON THE CARD
Unfortunately our cards do not have 3D-Secure (yet). Anyone knowing our cardnumber, could go online and fraudelently use our cards. I know almost all banks do this, but why do we keep printing the CVV code on the card? Revolut is an online bank. We all have the Revolut app. Can’t we just show the CVV code in the app only?
All that a fraudster needs right now is to place a hidden camera near an ATM or POS terminal and capture all digits on the back of my card for 1 second, to be able to loot my entire Revolut bankaccount.
Plus: As we want to discourage online use of the physical Metal card, you would force people to go to the app any time they want to pay online to find the CVV code, and you could suggest from within the app to use a (more secure) disposable card instead.

My last 2 suggestions should be relatively easy to implement. I don’t know how difficult it would be to implement cashback on all virtual cards of Metal users, but for the sake of security, I would really hope Revolut gets that idea implemented too.


#2

Actually Metal cashback operates across ALL cards, real or virtual. As long as you have a metal account then all cards are eligible.

So you could freeze your Metal card until you need to use it.


#3

Excuse my French, but FUCK !!! I didn’t know that!!
I actually thought that only Metal card transactions earned cashback. Revolut doesn’t make it clear anywhere and instead they write things on their own site like “Spend with your Metal card and earn 0.1% in Europe and 1.0% outside of Europe on your card payments” (source) that suggest that you need to pay with the Metal card to get the cashback.

Well, if you are right about the cashbacks on virtual cards, @Doppjunat, then I would suggest they explain that WAY BETTER than they do now, by maybe giving a popup with information somewhere where it says that there is 0 need to use your metal card online, as you get cashback on all cards. And that for security reasons, Revolut suggests to keep online transactions disabled on the physical cards.


#4

Not “if”. He is definitely right about this. Works for ALL your cards.


#5

I support the idea of country blocking. My traditional bank offers this and Revolut should too.

About the CVV, as I am not familiar with the premium/metal cards, is the card number on the backside of the card?
I thinks it’s fine for the normal cards as it would take photos of both sides to abuse.


#6

Further to @henrikbjorn and @Doppjunat’s replies above, I was recently working in the UAE after upgrading my plan to Metal, but before my new card arrived. I used my standard (Visa) card and was awarded 1% cashback into my Metal Vault :+1:


#7

Metal cards have all numbers on the back, next to each other: the card number, the date AND the CVV.


#8

He is definitely right. I receive a cashback with all my Revolut cards: metal, plastic, virtual, disposable, etc.


#9

Hi,
I think the 2nd point a REALLY nice idea!!! @AndreasK can Revolut team do it, please?


#10

To point 2 : Why not enabling location based security? So you card works only if you’re close to your phone (doesn’t counts for online payments as far as I know) but disabling online payments for your metal card, while you allow it for virtual/ disposal cards should keep you very much safe combined with the location based security feature.


#11

To me it is quite hit or miss, so i turned it off.


#12

Country Blocking sounds awesome.

For CVV, you can always cover it with something or scratch it.


#13

What do you mean? I never had problems with it so far :smile:


#14

I had a transaction declined a few months ago, due to the location based security setting. It was late at night in Singapore and I had just finished work, so was going to grab a quick bite to eat before bed.

My phone was switched on and in my hand, yet the transaction failed again at the second attempt.

Maybe this was Revolut’s way of telling me that I should have found somewhere healthier to eat :laughing:


#15

This apparently happens at a few McDonald’s in Osaka too as the merchant reports itself to be in Tokyo. Maybe it’s something like that? Personally I’ve turned location based security off to avoid the embarrassing situation where my card declines. (even though you know there’s cash on it)

I’ll just freeze the card if I lose it and chargeback, I’m sure Revolut knows in a foreign country where internet access isn’t guaranteed that you can’t rely on location based security.

Are you sure you had internet though by the way? If you were in Singapore for a visit if you didn’t have a local SIM I’d hate to see the roaming charges.


#16

Yes I’ve done the same, it’s pretty embarrassing not being able to buy a hamburger :laughing:

I didn’t have internet at the time, but had been connected to the WiFi at work all day. It wasn’t until I got back to the hotel that I received the notifications from the app, explaining the reason for the declined transactions.


#17

It will randomly decide I am not in the same place as where I am using the card. So one day it works, next day it doesn’t (same place, same terminal).

Support answer was that the terminal location was probably misconfigured or something. So I just turned it off, instead of getting my card declined at random times.


#18

And what do you think about the option to block the cards for all countries other than the ones we choose?

Thanks


#19

He’s not a Revolut employee so you’d probably be better off asking @AndreasK or @DavidRevolut


#20

My initial idea for the country blocking was that by default all countries would be blocked except the user’s country of residence.
After that the user could enable countries one-by-one.