Revolut (Multinational* Card Masking Financial Service)

All of this is also very USA/Canada-specific. We have none of that in the EU. :grinning_face_with_smiling_eyes:

1 Like

I understand, I also use gas station apps (Waylet & Moeve) because I also like money :sweat_smile:

In the EU and UK (and possibly elsewhere) card fees are restricted by law. Cashback/rewards cards aren’t some kind of special discount. They’re part of a broken system where anyone not using one of these cards is subsidising those that do. Whilst also making fat profits for the card companies.

1 Like

Sorry if I barge into this discussion. But as a European, I am having a hard time finding a reliable banking service that doesn’t profile its customers. All major banks and neobanks rely on this technology, nowadays.

For that reason, right now I am considering Revolut because at least it would be able to help me mask my payments from e-commerce sites like Amazon, Zalando and so on. Since we don’t have a good option in the EU, I guess.

I wouldn’t use it as my first bank account but I hate the fact I would need to give my data up to another banking service, as well. So there is that to consider.

1 Like

So your bank doesn’t have its own virtual card functionality?

Sadly, no. I mean I can use a prepaid virtual card but of course I cannot create other virtual cards to mask my payments.

I’m in the same situation as you right now.

And I decided to install Revolut and make an account. While I’m not happy with Revolut, and it is definitely not a good service, it is the only option that really works.

1 Like

ngl as a few years old customer revolut is decent and their plus plan had value
but yeah gradually they shoved their AI customer support which is fine for simple questions like “Is cashback gone”, but when I wanted to send my complaint and then feedback to developers about GrapheneOS to customer support, I explained to the AI that this is not something you can get involved in and it was like “No, let me help you”
Kept begging so I did give in, told it, got the expected outcome then finally I was able to get to actual customer support, this was never an issue btw.

I also cancelled my plus plan right after the price increase.

Now is it perfect? No, had an old discord friend got their revolut account suspended for iirc unknown or otherwise unjustified reasons and that was a wake up call for me that it may be fine for me but not everyone is gonna have a great experience.

I think if you’re like me, you should be fine but I guess nothing is guaranteed

> ngl as a few years old customer revolut is decent and their plus plan had value

You sure about that?

Buttons seem to work only after a few clicks, passkeys are not working at all, basic features are locked behind a paywall, no MFA support, only AI support, apps crashing and so on.

I use the latest Revolut app from the Google Play store with Google Play Services inside the private space on a Google Pixel 8a with GOS.

Read below it

So, the question is still the same: do we want to get profiled by our bank or by other entities (Amazon and other e-commerce sites)? It appears there is no escape. I guess I’ll start using more cash.

1 Like

There are four possible options you have:

  • never pay anything online anymore
  • Use a single cc/dc from your bank to pay things online
  • Use Revolut to pay things online
  • Use PayPal to pay for things online (doesn’t work on all places)

There are also crypto payments like Bitcoin and online cash payments like Mullvad offers, but these are too rare, so I don’t count them.

For IRL payments I always use cash – as long as I have cash with me ofc.
So my talk here is ONLY about online payments.

A simpler approach would be to create a dummy online shopping identity and rotate it annually or biannually if necessary:

  • Establish a plausible dummy name that doesn’t raise too many eyebrows in your area

  • Get a dedicated email and phone number (either by renting another line from your carrier or getting a pay-as-you-go eSIM)

  • Ship directly to nearby postal lockers or rent your own forwarding address/box, depending on what works best in your location. Alternatively, you can make arrangements with friends/neighbors, or you can ship to your place or work

Most people realistically have a threat model where the presence of a KYC requirement (for an extra line or postal locker) shouldn’t matter, although not having it is nice.

You can use your existing debit card just fine. 3DS is ubiquitous, if not mandatory, in the EU, and banks rely on it rather than on AVS. Individual merchant forms are also very lax. You can likely use any name or postal code you need. Unless multiple parties collude to determine exactly which Uniqlo shirts you like the most, it’s as good as it gets.

The ability to create per-merchant virtual cards is a marginal improvement over this at best, and on its own, it doesn’t do anything at all. You likely share other stable identifiers alongside each of your virtual cards.

There are dozens of supplier types that Revolut shares your data with, in part to supercharge their aggressive growth, while your existing brick-and-mortar bank is likely to be more conservative in that regard.

My personal favorite is walking into a store, paying in cash, and walking out, although I understand that it’s not always practical or available.

> A simpler approach would be to create a dummy online shopping identity and rotate it annually or biannually if necessary:

I defined my threat model above, and it is not about privacy but rather security.
“My goal would be to protect my real debit card from getting in a data breach […].”

> Establish a plausible dummy name that doesn’t raise too many eyebrows in your area

Doesn’t work anymore.
Due to the fact that the whole banking system is pretty lame in security (I mean my fucking Google account is more robust against attacks) many people get phished and my bank (and nearly all other banks) came up with a new security model. The name of the cardholder and the name of the billing needs to be the same, otherwise it will be declined.

If I gave them a fake name, the payment might get declined. This is pretty new – ~2 months old – so not rolled out everywhere.

> Ship directly to nearby postal lockers or rent your own forwarding address/box, depending on what works best in your location. Alternatively, you can make arrangements with friends/neighbors, or you can ship to your place or work

This is only necessary if you buy things for the physical world. If you buy subscriptions, software licenses or digital information, this vector can be ignored.

> You can use your existing debit card just fine. 3DS is ubiquitous,

3DS is just a medium-secure form of MFA. For me it is a push MFA to the banking app or an SMS code.

> The ability to create per-merchant virtual cards is a marginal improvement over this at best, and on its own, it doesn’t do anything at all. You likely share other stable identifiers alongside each of your virtual cards.

That’s not my intent or goal.
My intent is not to hide, but rather just not to give them the real cc, since I don’t trust the system we have right now to be secure enough for online payments.

> There are dozens of supplier types that Revolut shares your data with, in part to supercharge their aggressive growth, while your existing brick-and-mortar bank is likely to be more conservative in that regard.

I read through the whole data policy.
The “only thing concerning” is the data sharing with social media (opt-out) and that the data is analyzed through an LLM on a third party provider.
All other things are nearly the same as my bank.

Don’t get me wrong here. It is fucking creepy what they collect and share and this shouldn’t be normal; sadly nearly all other banks (I read through other privacy policies of banks near me) are not really better.

> My personal favorite is walking into a store, paying in cash, and walking out, although I understand that it’s not always practical or available.

That’s normal for me. I only pay in cash.

If I see a Stripe iframe, it typically puts my mind at ease, as raw payment data is not stored or processed on the merchant’s servers. I’m not too worried about merchant-side attacks or Stripe breaches, but fair enough if that’s your threat model.

I don’t know what you’re using, but that typically isn’t even true in the US, let alone in the EU. If an EU-based card issuer uses 3DS, they might still consider the name and postal code you provide. However, these are tertiary factors compared to your ability to receive time-based push somewhere and verify yourself in that way. This is also corroborated by some of the people above in this thread.

I’ve been using this approach forever and have accumulated low single-digit rejections that I can’t even entirely attribute to fake names or numeric AVS. But it can happen based on a combination of issuer/merchant requirements. It’s not a foolproof system.

Revolut virtual cards function almost identically to regular debit cards for online shopping. I think they even market them as merely a “budget/security” tool because they’re not more private than your cards issued by a brick-and-mortar bank. Revolut is not unique in not performing strict AVS. It’s because in Europe, the strict name-matching burden has moved to a completely different type of transaction: bank transfers.

Even better, but most of us also buy socks and shoes. I make vastly more physical purchases than digital ones.

3DS/3DS2 is a protocol used to implement the SCA requirements in the EU. It is typically a push, but it can also be SMS or it can be frictionless if the device is recognizable.