by codethief 1873 days ago
I absolutely hate 3DS, for two reasons:

1) I now have to do the 3DS procedure for amounts as small as 1,80€

2) My bank's 3DS "website" requires me to enter my online banking PIN (the one for my entire account, not just my credit card PIN!) and since that website gets opened in an Android WebView I can't even be sure that the app invoking the WebView doesn't actually obtain my PIN through a key logger. Fantastic.


I’ve personally always found 3DS a bit worrying from a security POV. I’m sure much smarter minds than mine designed it, and had reasons for doing so, but I’ve seen it implemented in iframes on websites I use before. It really doesn’t seem to encourage good security practices in normal users where they’re being encouraged to enter their bank password when the URL they see doesn’t match. Plus the URL itself often refers to Arcot, the company who make 3DS, rather than the bank whose branding is all over the page. Very weird.
If I were cynical I would say that the purpose of 3DS is to make it easier to scam people. It trains users to input their bank login details into third party apps and websites - something that you were told not to do over and over again in the past. I'm also sure that banks will be far less happy to refund fraudulent charges in these cases.
I agree with you that it’s bad practice to enter your login data into an arbitrary app.

However, you and the gp should complain to your bank because it’s their job to provide a secure confirmation method. My banks push the confirmation to their app that has separate without the possibility of stealing my bank credentials (in trivial ways).

I've noticed that domestic Finnish online stores (most of which have had 3DS for over a decade now) generally do not use iframes and I can see my bank's domain on the address bar when performing 2FA for card transactions, whereas most international stores (most of which only recently have started using 3DS) seem to almost always use iframes, hiding my bank's domain.

However, it doesn't matter that much with my bank nowadays since I don't have to enter anything on the browser - I just accept the transaction details shown by the bank app on my phone.

With SCA, it seems rare now to be asked to set up a password or PIN for 3DS in the UK.

It's more common to get a one-time-use code via SMS or a notification in an app for transactions with a higher risk.

Both of those make it possible for the bank to provide the consumer with information about the transaction that should be hard to spoof.

1 could be a bad implementation from the merchant. There is an exemption for low value (<€30) transactions and you can do five low value transactions before needing re-authentication.
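The low-value exemption described in the comment above is a decision the card issuer makes per transaction: challenge (step-up through 3DS) or let it through. The following is an added illustration, not code from anyone in this thread or from any 3DS implementation; it encodes only the two rules the comment states (amounts under €30 may be exempt, at most five such transactions before re-authentication) with constructed sample amounts, and the names `CardSession`, `sca_required` and `authorise` are this example's own.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the comment above (constructed constants for this example).
LOW_VALUE_LIMIT = Decimal("30.00")   # transactions below this amount may be exempt
MAX_EXEMPT_IN_A_ROW = 5              # exempt transactions allowed since the last challenge


@dataclass
class CardSession:
    """Issuer-side state for one card: how many exempt transactions since the last SCA."""
    exempt_since_last_sca: int = 0


def sca_required(session: CardSession, amount: Decimal) -> bool:
    """Return True if the issuer must challenge the cardholder for this transaction."""
    if amount >= LOW_VALUE_LIMIT:
        # Not a low-value transaction: the exemption does not apply at all.
        return True
    if session.exempt_since_last_sca >= MAX_EXEMPT_IN_A_ROW:
        # The cardholder has used up the run of exempt transactions; force re-authentication.
        return True
    return False


def authorise(session: CardSession, amount: Decimal) -> bool:
    """Apply the decision and update the counter; returns whether a challenge was issued."""
    challenge = sca_required(session, amount)
    if challenge:
        # A successful challenge starts a fresh run of exempt low-value transactions.
        session.exempt_since_last_sca = 0
    else:
        session.exempt_since_last_sca += 1
    return challenge


def simulate(amounts: list[str]) -> list[bool]:
    """Run a sequence of constructed transaction amounts through one card session."""
    session = CardSession()
    return [authorise(session, Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: seven €1.80 purchases in a row, then a €45 one.
    for amount, challenged in zip(["1.80"] * 7 + ["45.00"], simulate(["1.80"] * 7 + ["45.00"])):
        print(f"{amount:>6} EUR -> {'challenge' if challenged else 'exempt'}")
```

Run against the €1.80 purchase from the original post, the first five such transactions are exempt and only the sixth is challenged, which is why the comment attributes a challenge on every tiny amount to the merchant or issuer not applying the exemption rather than to the rule itself. The example deliberately tracks nothing beyond what the comment states; a production decision engine also considers cumulative amount and other risk signals.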
Before 3DS I had my credit card details memorized, so I could shop online conveniently. Now I have to keep my phone around and type in SMS passwords everywhere.
It doesn't have to be SMS password. Some banks are way more convenient. I only need my phone+fingerprint.
3DS should do the exact opposite, away with SMS.
In the UK they introduced it ages ago, and have now changed it so it remembers your IP and browser, so it never, ever asks for the pin now.

Kinda defies the point, and makes it very easy to forget the code as I put it in like once a year.

But there is less friction, you click buy, it redirects somewhere else (fairly slowly, perhaps by design), then done.

For me it opens the bank app which shows amount, seller, subject line and asks me to confirm with pin or fingerprint, taking all of 2 seconds. No more entering bank card numbers. Not sure what bank you are using but this seems like bad implementation not bad idea.
Switch to a more modern bank. I've got both a crappy German one and a good one. The difference in friction is big.
Does your bank not have a phone app? Consider switching to one that has.