by ahalam 5597 days ago
Man-in-the-middle attacks are made less likely because the 3DSecure page where the user is asked to enter a password also contains a challenge question that was originally added by the user at the time of setting up 3DSecure for his/her account. The user should be able to recognize that this is not the bank's website when the challenge question is not his/her own.
2 comments

The monkey could also fetch the secret question from the 3DSecure page and show it to the user, right? Or am I missing something here? How will adding more information to the login page make it more resistant against MITM?
In most cases the question is the default. The typical flow is the user tries to do a transaction - bank identifies they are not registered for 3D secure yet - a couple of questions and an OTP later - a 3D secure password is chosen. But the question remains the default one unless the user decides to take the effort of changing it.