3DS MasterCard identity check first by SMS instead of by push notification since 31/07/2021

I make large online payments several times per week, which I need to verify each time using 3D-Secure MasterCard identity check. Until recently, Curve’s implementation of 3DS caused a push notification to my iPhone, which I would then accept in the Curve app. In the very rare event that there was a problem receiving the push notification, I could opt instead to receive a 6-digit code by SMS.

Since 31st July 2021, Curve has started sending the 6-digit code by SMS by default, with a link within the 3DS MasterCard identity check window stating “Having trouble? Use my Curve app”. I then have to click on this link to receive the push notification. Curve has reversed the two verification methods.

This is annoying because:

  • It creates an unnecessary additional step in the MasterCard identity check process to avoid the tedious process of switching between apps to enter a 6-digit code.
  • I subsequently have to read the SMS to get rid of the red unread message indicator on my iPhone’s Messages app, even though I verification the transaction by push notification.

How can I go back to the previous configuration whereby push notification to the Curve app is the default 3DS vertification method?

7 Likes

I presume you don’t have a choice since Curve swithced to SMS verification for logins. Curve is now SMS first for authentication and authorisation so whether you are trying to login to app or trying to authorise a payment, Curve will use SMS as default.

I do not agree with this approach either but it is what it is.

1 Like

I am aware that Curve switched to SMS for logging into the app. This was well publicised by Curve. But there was no such publicised change for 3DS. In any case, when I log into the app to authenticate 3DS by push notification, I do so with Touch ID, not by SMS.

I noticed that in France as well
Interestingly enough, some transactions that were refused before by some retailers such as Intermarché Drive (see posts) (without any challenge at all) are now accepted with this sms challenge.
Is it related to this change, is it chance only, I would not know.

I had some issues with push in the past few months. SMS has been not just more reliable but faster too so far (thanks to iOS autofill feature).

2 Likes

I find it quite inconvenient too. I prefer the push notification. Hope to receive some official response from Curve. @Curve_Marie or @Curve_Sam

3 Likes

I see no autofill functionality. The only time that I experience iOS automatically reading an incoming SMS and populating a code into another app is when adding a card to Apple Pay. This does not happen with 3DS.

That’s interesting. It works for me perfectly in (almost) every application.

2 Likes

Hi everyone, just to give some context here: we recently made a change to prefer SMS as the initial method. The reason for this was to avoid issues for some people who were unable to receive notifications (e.g. because they have disabled the permissions in device)

We appreciate the push notification is a better experience for a lot of people because it can give you context in the app (e.g. listing the merchant name + value) so we are working on a better long term fix which will show you pending 3ds challenges in the app even if you are unable to receive a notification or SMS which should help for all cases (we will still send the notification or SMS if you prefer). I don’t have a timeline for this since we are focused on some major feature releases currently, but I’ll update here when I can

5 Likes

Thanks. This is good news. I usually have the app open before executing a large transaction, just to check that I’m using the correct underlying card.

1 Like

2 Likes

Thanks for the update @Curve_Sam. My suggestion would be to give users the choice to either select SMS or push notification as their preferred option with SMS being the default.

2 Likes

This is what we have now. You can choose the app for the authentication.

No, you can choose the app only after receiving an SMS. There is no way of choosing the app as the preferred/first option.

2 Likes

All the checks are annoying, but I guess a fact of life in the new world where we have to be protected from everything and treated like babies!

For the attention of Curve though, in the app authorisation process there was an issue where you were already in the app (perhaps changing your card ready to make the payment) then you get the request to authorise in the app but you have to close the app down and reopen it to be able to do so.

For me, Curve App push notification/confirmation doesn’t work well. When I receive notification, I made click on it, open Curve app, login trough fingerprint and that’s all. No confirmation shows, nothing, so must click to send SMS.
But there is some workaround. Before making payment (and this is must), Open curve app, log in, do not close app, then make a payment and when you receive push notification, click on it and ta daaa, it’s working. And yes, Curve app has every permissions.

Android version of Curve app

1 Like

same on iOS for me. Thats why i like SMS and because i can receive all my SMS on my MacBook which makes it easier because i dont need my phone.

#TeamSMS

2 Likes

Using Android, the app notifications weren’t working for me until recently, so I always had to fallback to SMS (apart from one or two cases) where the dialogue didn’t allow that option.

Ironically, the app notifications started working a couple of weeks before this change!

Changing authentication to a much less secure method to appease a minority who don’t want to do what’s required is bad security practice. It’s like saying you allow people to set easy-to-guess passwords because some people can’t set something secure they can remember.

And then going on to develop more features while brushing the important security issues under the carpet for who knows how long.
It should really be the other way round.

2 Likes

This is just poor app design though isn’t it?

I’m one of the minority that’s disabled notifications as I don’t want to get spammed by the app on every transaction. Ideally the app needs to support more granular notifications so that some can be turned off and others not (I created an idea/suggestion for this ages ago).

The 3DS prompt shouldn’t be directly tied to a notification though should it. Yes, the app can show a notification about it and tapping it will load the app etc. However, the app should know on opening whether an outstanding 3DS prompt is there or not and allow you to action it irrelevant of whether a notification was displayed.