by opheliate 1873 days ago
I’ve personally always found 3DS a bit worrying from a security POV. I’m sure much smarter minds than mine designed it, and had reasons for doing so, but I’ve seen it implemented in iframes on websites I use before. It really doesn’t seem to encourage good security practices in normal users where they’re being encouraged to enter their bank password when the URL they see doesn’t match. Plus the URL itself often refers to Arcot, the company who make 3DS, rather than the bank whose branding is all over the page. Very weird.
3 comments

If I were cynical I would say that the purpose of 3DS is to make it easier to scam people. It trains users to input their bank login details into third party apps and websites - something that you were told not to do over and over again in the past. I'm also sure that banks will be far less happy to refund fraudulent charges in these cases.
I agree with you that it’s bad practice to enter your login data into an arbitrary app.

However, you and the gp should complain to your bank because it’s their job to provide a secure confirmation method. My banks push the confirmation to their app that has separate without the possibility of stealing my bank credentials (in trivial ways).

I've noticed that domestic Finnish online stores (most of which have had 3DS for over a decade now) generally do not use iframes and I can see my bank's domain on the address bar when performing 2FA for card transactions, whereas most international stores (most of which only recently have started using 3DS) seem to almost always use iframes, hiding my bank's domain.

However, it doesn't matter that much with my bank nowadays since I don't have to enter anything on the browser - I just accept the transaction details shown by the bank app on my phone.

With SCA, it seems rare now to be asked to set up a password or PIN for 3DS in the UK.

It's more common to get a one-time-use code via SMS or a notification in an app for transactions with a higher risk.

Both of those make it possible for the bank to provide the consumer with information about the transaction that should be hard to spoof.
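The property the two comments above rely on (accepting the transaction details shown by the bank's own app, and a one-time code that carries information "that should be hard to spoof") comes down to binding the confirmation to the exact transaction being authorised, so a code phished for one payment is useless for a different amount or merchant. The following is an added illustration, not code from Hacker News, any bank, or the 3-D Secure specification; it uses an HMAC over the canonical transaction fields with HOTP-style truncation (RFC 4226), and the key, merchant names, nonce and attempt limit are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed issuer-side secret for the example; a real issuer would hold
# this in an HSM or key-management service, never in source.
ISSUER_KEY = b"constructed-example-issuer-key-do-not-use"
MAX_ATTEMPTS = 3  # constructed policy: lock the challenge after three bad codes


@dataclass(frozen=True)
class Transaction:
    """The details the issuer shows the cardholder before asking for approval."""
    merchant: str
    amount_minor: int  # amount in minor units (e.g. pence), avoids float rounding
    currency: str
    nonce: str         # fresh per challenge so the same basket yields a new code


def canonical(tx: Transaction) -> bytes:
    """Deterministic byte encoding so issuer and verifier MAC identical input."""
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def issue_code(key: bytes, tx: Transaction, digits: int = 6) -> str:
    """One-time code bound to this transaction's merchant, amount, currency and nonce."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                     # RFC 4226 dynamic truncation
    window = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(window % (10 ** digits)).zfill(digits)


def verify_code(key: bytes, tx: Transaction, code: str) -> bool:
    """Recompute over the transaction the issuer is actually about to authorise."""
    return hmac.compare_digest(issue_code(key, tx, len(code)), code)


class Challenge:
    """Issuer-side state for one pending authorisation, with an attempt limit
    so a six-digit code cannot simply be guessed."""

    def __init__(self, key: bytes, tx: Transaction):
        self.key = key
        self.tx = tx
        self.attempts = 0
        self.approved = False

    def submit(self, code: str) -> bool:
        if self.approved or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        self.approved = verify_code(self.key, self.tx, code)
        return self.approved


def demo() -> dict:
    """Legitimate approval versus a code replayed against altered details."""
    shown_to_user = Transaction("Example Shop", 4999, "GBP", "nonce-0001")
    code = issue_code(ISSUER_KEY, shown_to_user)

    # The cardholder reads the details in the bank app and enters the code.
    legit = Challenge(ISSUER_KEY, shown_to_user).submit(code)

    # The same code presented for a different amount does not verify, which is
    # what makes the displayed amount and merchant hard to spoof.
    altered = Transaction("Example Shop", 49999, "GBP", "nonce-0001")
    replayed = Challenge(ISSUER_KEY, altered).submit(code)

    # Guessing is bounded: after MAX_ATTEMPTS wrong codes the challenge is dead.
    locked = Challenge(ISSUER_KEY, shown_to_user)
    for wrong in ("000000", "111111", "222222"):
        locked.submit(wrong)
    late_correct = locked.submit(code)

    return {"legit": legit, "replayed": replayed, "late_correct": late_correct}


if __name__ == "__main__":
    print(demo())
```

The design point is that the verifier recomputes the code from the transaction it is about to approve, not from whatever a merchant or intermediary page reports; an app-push approval works the same way with the app signing the displayed details instead of the user transcribing a code.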