Online Credit/Debit Card Security Failure

Ross Anderson reports:

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.

In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.

Posted on February 1, 2010 at 6:26 AM (50 comments)

Comments

Paul Renault February 1, 2010 6:42 AM

I just read this great paper this morning: it’s an excellent overview (so even your boss could/might read it) of what’s wrong with many of these schemes.

And it confirmed a paranoid suspicion or two. To wit:
“The result is that customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online.”

fraac February 1, 2010 6:55 AM

I never remember my password for Verified by VISA but it never matters! Two simple security questions and we’re in business.

Twylite February 1, 2010 7:17 AM

The paper has numerous factual errors. Some examples:

  1. It claims that OpenID (2005) existed before 3DS (2002), which is just plain wrong.

  2. In section 2.6 “Inconsistent authentication methods” the authors criticise 3DS without acknowledging that OpenID has exactly the same weaknesses.

  3. OpenID is cited as an example of “good engineering”. Sorry Ross, that just flushed all my respect for you. OpenID is great for SSO for low-value accounts; but it has an extensive range of vulnerabilities that make it completely inappropriate for secure applications.

Mauro S February 1, 2010 7:43 AM

Just do like we do in Brazil: stick the bill with the credit card company and banks and let them figure out how not to get conned.

The burden of proof for any bill is with the creditor; it’s not up to the debtor to prove that he/she does not owe something. This proof is usually in the form of a signed piece of paper like a contract, credit card slip or merchandise delivery receipt. Courts here do recognize digital signatures, but only if it involves a very trusted and independent third party to do the record keeping. Computer records on the creditor’s own computers are close to worthless in court.

There’s no “minimum charge” for fraudulent use of credit cards in Brazil. Zero. Nada. That would have been obviously illegal – why would you pay for something you didn’t buy? AFAIK, neither VISA nor MasterCard are planning to abandon Brazil. AMEX did sell its operations to a local bank, but I don’t know the causes for that; could have been AMEX’s own problems.

It never ceases to amaze me how the society and legal system in the USA yield to the big corporations and their abuses. It’s like the old adage “what is good for General Motors is good for the USA”; only now the beneficiaries are not wealth- and job-creating manufacturers like GM but Wall Street – which creates little of both.

Clive Robinson February 1, 2010 8:09 AM

It is not just this but a whole host of things that make me not use online banking or purchases in any way.

In the UK marketing gives the impression you are safe. The bottom line is the banks say you owe, the courts kiss their feet, due to the incorrect assumption “banks must be honest”…

I’m with Bruce on the idea of stopping banks externalising risk onto the customers and merchants.

It’s their shoddy system that they will not fix, so just let them take the cost of their failures.

The worst part is the Police in order to reduce their own cost send people who have been subject to bank fraud back to the banks for the banks to investigate.

The banks then mislead the courts and others and refuse to divulge any information that would help stop fraud.

So yes, I would welcome real legislation that put the banks back in their place even if it did push the existing incumbents with their outrageous business models into extinction.

Neil February 1, 2010 8:42 AM

It is voluntary, at least here in the UK. Although it’s an opt-out on the part of the customer. A quick call to my credit card company asking for it to be removed and it was done so.
My reason for this was I didn’t want another password to remember and it wasn’t really needed as long as you had the DOB, as far as I can remember anyway.

MemVandal February 1, 2010 9:12 AM

As a merchant I would really like to shift the burden on to banks/customers; it’s really hard to deal with chargebacks. But it would be really nice and practical if they implemented RSA tokens for authentication in combination with this 3DS thing.

Nobdy February 1, 2010 9:29 AM

It’s not just online.
The banks introduced chip+pin with a load of ads about how secure it was – and some small print about how you were now liable because it was so secure.

Of course the pin was the same as the ATM pin, and they kept the ATM magnetic strip so they didn’t have to build new ATMs.

So you now hand over your card to be swiped through the retailer’s terminal (copying the strip) and then type the corresponding PIN into their handset – brilliant!

kashmarek February 1, 2010 9:29 AM

It is all about marketing, public image (propaganda), and pushing accountability elsewhere. The credit card companies (Visa, MasterCard, etc.) are middlemen that collect a fee regardless (akin to lawyers). On the marketing aspect, why it works is explained in the BBC series “Century Of The Self”.

JRR February 1, 2010 9:46 AM

I had to switch to using the PayPal button when making purchases to avoid VbV. When my favorite online retailer started forcing VbV, I would just opt out of using it (I hit Cancel when the “sign up now” box came up) – the charge went through anyway, but then Visa Fraud Prevention would call me up about an hour later, every time. They would always try to convince me that it was a great system and I should use it. I’d tell them “no, but if it makes you feel better to waste your time and blow your profit calling me every time I make a purchase online, knock yourself out.”

They’d ask why, and I said “Look, I was shopping at newegg.com. Suddenly during checkout, a (really pretty amateurish looking) box from another site pops up and asks me to enter personal information.

Do you think I’m a MORON? I’d have to be to enter data there. Is this really the kind of online behavior you want to encourage your cardholders to start engaging in?”

The last time they called, I said “OK, I’m getting tired of this. From now on I’ll use your card via PayPal.” The caller just said “Thank you” and hung up. I don’t think that answer made her very happy.

Chasmosaur February 1, 2010 10:16 AM

I only encountered Verified by VISA once – at newegg.com when the service first came out. They had a good price on a projector I needed for my business, and when I went through the checkout process, the Verified by VISA screen came up.

It looked nothing like newegg’s UI – indeed it looked like a phishing scam – who the hell else was going to ask for my SSN? I discontinued the order and sent them an e-mail asking what the hell was going on.

They told me it was indeed kosher and I should complete the process. I told them no and they could consider this e-mail verification or I wouldn’t shop with them again. They pushed through the order – a few months later I bought another piece of hardware, and the service had been removed.

I’m guessing their tech-savvy target customers weren’t appreciating the crap security 😉

OpenID Failure February 1, 2010 10:22 AM

I can’t believe he lists OpenID as a solution.

OpenID provides no guarantees of anything and is easily MITM’d.

Peter February 1, 2010 10:39 AM

@twylite: It is very hard to give your remarks credibility when you refuse to sign your own name and state any implied affiliation.

Based on your remarks, and the mentioned failing, you sound like a party to the matter at hand or are a troll being employed by the same people who refuse to change the system.

Misc. February 1, 2010 10:46 AM

Yeah, anyone can be an OpenID producer if they want to, so it’s useless for anything except confirming that you control some specific OpenID identity on one OpenID provider. It’s not a solution to this problem.

Yuliy February 1, 2010 11:29 AM

What’s wrong with OpenID for this? If Visa were an OpenID provider, they could assert that you control some identity that’s attached to your account.

Doug February 1, 2010 11:41 AM

I was recently asked by Verizon Wireless’ website to validate my verified by visa, which included putting in my social security number. The frame that popped up, was from a different site (the bank), that had an invalid security certificate. I contacted Verizon and informed them that I would be paying via American Express in the future (which would cost them an additional 3-4% in fees) if they didn’t remove the requirement. I also contacted the bank and was told that there is no means to ‘verify’ except from the merchant site. That was the final straw, and I called Verizon back to complain again. I must not have been alone, because verified by visa is no longer on their site. The banks pitch this as consumer protection, but it does absolutely nothing for the consumer – we’re already limited in our liability by law. This is strictly their attempt to absolve themselves of that liability, and shift it to the consumer. It’s a bad deal, bad design and bad implementation. This is exactly why I never use a debit card – I want the protection that current law and agreements provide. Verified by visa is an attempt to void both those.

PackagedBlue February 1, 2010 11:48 AM

Another case where, INsecurity economics, trumps security economics.

Ponzi methods, call it what they are. Found in legal, finance, political, security, and our defacto globalization game, shell game.

JRR February 1, 2010 11:48 AM

@Chasmosaur – I don’t know, I stopped using the regular checkout a month or two ago and started using the PayPal button.
PayPal at first tried to discourage me from changing my payment option from direct debit to credit card, but after a few purchases like that, they don’t bug me about it anymore.

Joe Buck February 1, 2010 1:09 PM

OK, many commenters here are worried about whether online credit card transactions are safe. Do any of you use credit cards in restaurants? When you do, you turn your card over to an unknown person, who then has access to all the information he/she needs to buy things using your account.

Brian February 1, 2010 1:32 PM

I personally use PayPal for everything online. The main reason is they never get my credit card info, even when I use my credit card. Every transaction needs to be approved, and it automatically switches to my other accounts if one is empty (hasn’t happened, but they claim it does). To make a purchase, I just need my email, password, and secure token ($5, seriously cheap). I don’t enter any personal info for the security questions (pseudo-random strings, stored on an encrypted flash drive and hard drive). To those who try and defraud me via PayPal, good luck.

I can’t trust any system that requires zero authentication of the transaction. Chip cards really are the only salvation for credit cards (I assume, and I hope not wrongly, that they are actual crypto chips and not just pure memory devices). Per-transaction authentication means an extremely limited attack timeframe. They simply cannot take my number and ring up a bill. Instead, they can only take it while it’s inserted at wherever I am. Then the banks can call if 2 transactions are done within a minute.

Someone mentioned chip cards use the stripe, but that’s not true. I always correct vendors who try that, and don’t give them the card if I don’t have to.

moo February 1, 2010 1:57 PM

@Joe Buck:
I never buy restaurant meals (or gas) with a credit card. I always pay cash.

The only purchases I’ll make with a credit card are (1) in large brick-and-mortar stores where the card doesn’t leave my sight, and (2) online (but I’ve mostly stopped doing that since they started trying to jam Verified by Visa down my throat; I read the fine print and it said I would now be liable for any fraudulent VbV transactions using my credit card… no thanks!)

I don’t use internet or phone banking, either. I never ever swipe my debit card to make a purchase, I only use it for actual banking. And I never use dodgy ATMs, I only use the ones at branches of my bank, or another reputable major bank.

Of course no one is entirely safe from being targeted for fraud (identity theft or whatever). But I try to avoid most of the high-risk behaviours that I see people around me engaging in every day. So my chance of being victimized in that fashion, is hopefully as low as I can make it.

BF Skinner February 1, 2010 4:48 PM

Still going through the report (okay after home work) but it seems to me based on the remarks…isn’t this all just Risk Transference?

When we buy insurance on our house we put the burden of paying off for a fire on the insurance company. While it is wrong to burn down our own house … should someone else decide to play arson the burden is theirs (even if the arsonist is caught).

While it may make poor ethical logic isn’t it really sound security logic from the vendor/banks point of view? They do/have/can treat security risks as a sub-category of their risk management program.

Andrew Stephen February 1, 2010 5:03 PM

@JRR:
You think it’s bad having a shopping site pop up a dialog from another site asking for personal information?

Try looking at the official New Zealand Government Login Service (now igovt apparently): http://www.e.govt.nz/services/authentication/gls

It does exactly the same thing when authenticating to government services!

The only saving grace is that it is so ill conceived, and virtually useless that almost no government agency uses it despite it having been made mandatory.

elgeebar February 1, 2010 5:49 PM

I personally use a Mastercard pre-pay credit card for all on-line transactions and load it with limited amounts to complete the transaction I’m about to make and no more.

If it gets compromised, they do not have access to my account like a debit card and they can not run up a huge credit bill.

I believe I also have the same fraud protection of a standard credit card (correct me if I’m wrong).

I deliberately avoid McSc and won’t use sites that force it on me. I’m finding very few sites still try to!

Seems like a simple solution to me.

Clive Robinson February 1, 2010 6:13 PM

@ BF Skinner,

“When we buy insurance on our house we put the burden of paying off for a fire on the insurance company.”

Yes we pay the company a premium to take on the risk that they are capable of covering.

“While it may make poor ethical logic isn’t it really sound security logic from the vendor/banks point of view?”

Hmm you pay the bank to put their and the merchants risk onto you.

Does not quite seem the same to me…

“They do/have/can treat security risks as a sub-category of their risk management program.”

Yes the “banks” can (and do) abuse their monopolistic position to force customers to take on unacceptable risk, by acting as an illegal cartel to restrict freedom of choice.

I just wish various Governments would wake up and realise it is not possible to realistically survive in the modern world without having a bank account. Further that the account is effectively useless without an ATM card, which means you have to accept the Bank/card issuer’s TOCs as there is no real competition in this area.

At least you have a limited amount of legal protection on a Credit Card.

However in the UK the banks issue combined debit/credit cards. And guess what the merchant terminals default to…

Yup “debit” and you try switching it over to “credit” most of the EPos terminals I’ve seen in use don’t offer you the choice…

anton February 1, 2010 8:05 PM

Unfortunately governments are busy trying to find terrorists, when they should be imposing some rules here to tame such unruly behaviour by the corporates.

Oscar Blyth February 1, 2010 10:21 PM

I’ve been watching and waiting for this technology to catch on: http://passwindow.com

Seems like once this kind of secure authentication methodology gains acceptance, we can expect a pretty high level of security and protection against fraud without having to pay through the nose..

Mjit RaindancerStahl February 1, 2010 10:58 PM

I had to go through the whole VbV thing for my last purchase with Tiger Direct. It was very annoying to have to go through this extra step. I’m even more pissed off that it did nothing to increase the security of my online purchasing experience.

I wish I could avoid online shopping all together, but the shops aren’t open when I’m awake.

Oscar Blyth February 2, 2010 12:33 AM

@DaveC

Hmm you think? It seems like it’d be the cheapest way of authenticating both ways (client/server server/client).. I can’t see how you would phish it as mentioned in the article…

I agree, it appears unconventional, but I just can’t think of any plausible way of attacking it online..

Yuliy February 2, 2010 1:29 AM

@Oscar: How does it prevent a MitM/online phishing attack? I present phishing site to user. When user enters credentials, I pass those along to actual site, and get back a passwindow key image. I pass this image/animation to the user, who enters a sequence which I pass back to the site. Voila. Phisher is logged in as you.

Plus, how do they deal with differing pixel density?

Oscar Blyth February 2, 2010 2:16 AM

@Yuliy: They deal with pixel density through a x/y resizable pattern image.. just a GIF… there’s a demo on the site that shows it

mitm/phishing is prevented by combining a known value (e.g. account destination value etc.) with a password in the pattern, so I can see what I’m authenticating when I authorize the transaction…

BF Skinner February 2, 2010 6:43 AM

@Clive “…Governments would wake up and realise it is not possible to realisticaly survive in the modern world…”

Given the amount of proofs of identity I had to give at my last financial transaction I think they have; least as far as money laundering goes. When I asked why I was told Patriot Act.

I know they have difficulty dealing with the Hawala banks.

Hmmmm…do we gain more with our credit cards than we lose in our anonymity of cash?

I remember back in the 90s during the Clipper Chip fight some PITA (some guy he wrote ciphers) kept making the point that the encryption scheme’s the Federal Gov’t was willing to authorize civilians while strong enough for casual use wasn’t a protection against other governments or the Fed and their code-breakers.

He questioned their motives and speculated what the Fed really wanted was weak crypto so they could monitor transactions to off-shore banks.

Clive, I think likely some in Government want us off banknotes and coin as fast as possible. One of our local toll roads has exits that, save one, are EZPass or credit card only. I’m pretty sure this is due to the cost of human labor but it’s a trend to watch.

Paeniteo February 2, 2010 7:35 AM

@Oscar: “mitm/phishing is prevented by combining a known value (e.g. account destination value etc.) with a password in the pattern, so I can see what I’m authenticating when I authorize the transaction…”

From the demo it looks like it is sufficient to enter a 4-digit PIN to authenticate.
They could transfer things like some digits of some transaction details along with the actual PIN, but at the very least it makes the process really slow (I already found the demo somewhat inconvenient, having to wait for their slow changing of digits).

Also, sending more information does not really protect against phishing. Say, the phisher wants to transfer $5544 to account …2211 and the PIN for that would be 9988.
Now, simply send the user to a site with the statement “for your added security, this transaction requires a 12-digit PIN: 5-5-4-4-2-2-1-1-9-9-8-8”
Voila.

cu, Paeniteo

Oscar Blyth February 2, 2010 8:19 AM

@Paeniteo

What you have described is a social engineering attack. In the case of this method, according to this part of the website http://www.passwindow.com/security.html the transaction auth code would be in a format like AxxxPxxxx where A indicates the start of the destination account verifier and P indicates the password. I doubt a phisher could convince me that A2211 was an account I wanted to transfer money to…

From the FAQ, it appears that the animated GIF intervals can be customized – probably even at the user level – e.g., fast for the young and tech savvy
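The relay attack Yuliy describes (a phishing page forwards the real site’s challenge to the victim and the victim’s answer back to the real site) and the transaction-binding defence Oscar argues for can be modelled in a few lines. This is an added example, not passwindow’s code nor anything from the Murdoch/Anderson paper: the visual pattern is replaced by an HMAC over a shared per-card key (an assumption made so the model runs offline), the account numbers, amounts and the `Bank`/`Cardholder` classes are constructed, and the “bound” variant assumes the cardholder actually compares the displayed transaction details with what they intended before answering, which is exactly the assumption Paeniteo’s social-engineering objection targets.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """A pending transfer as the bank (and the phishing page) present it."""
    amount: int
    dest: str


def response_code(key: bytes, *parts) -> str:
    """Stand-in for the token's answer: a short HMAC over the challenge (and,
    in the bound variant, the transaction details). 8 hex chars, like a typed code."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(str(p).encode())
        h.update(b"|")  # field separator so (1, 23) != (12, 3)
    return h.hexdigest()[:8]


class Bank:
    """Issues a fresh random challenge per pending transaction and checks the answer."""

    def __init__(self, card_key: bytes, bound: bool):
        self.card_key = card_key
        self.bound = bound          # does the answer cover amount+dest?
        self.pending = {}           # session id -> (Txn, challenge)

    def start(self, txn: Txn):
        sid = secrets.token_hex(4)
        challenge = secrets.token_hex(8)
        self.pending[sid] = (txn, challenge)
        return sid, challenge

    def finish(self, sid: str, answer: str) -> bool:
        txn, challenge = self.pending.pop(sid)
        if self.bound:
            expected = response_code(self.card_key, challenge, txn.amount, txn.dest)
        else:
            expected = response_code(self.card_key, challenge)
        return hmac.compare_digest(expected, answer)


class Cardholder:
    """Answers a challenge shown on whatever page is in front of them."""

    def __init__(self, card_key: bytes, intended: Txn, bound: bool):
        self.card_key = card_key
        self.intended = intended
        self.bound = bound

    def answer(self, challenge: str, shown: Txn):
        if self.bound:
            if shown != self.intended:
                return None  # what-you-see-is-what-you-sign: refuse a transfer you did not want
            return response_code(self.card_key, challenge, shown.amount, shown.dest)
        return response_code(self.card_key, challenge)


CARD_KEY = b"constructed-per-card-key"            # constructed
VICTIM_TXN = Txn(100, "ACCT-VICTIM-PAYEE")          # what the victim meant to pay
ATTACKER_TXN = Txn(5544, "ACCT-2211")               # what the phisher wants authorised


def relay_attack(bound: bool, show_real_details: bool = False) -> bool:
    """Return True if the phisher's own transfer ends up authorised.

    The phisher opens a genuine session for ATTACKER_TXN, relays the bank's
    challenge to the victim, and relays the victim's answer back. It can show
    the victim either the victim's intended details (lying) or the real ones."""
    bank = Bank(CARD_KEY, bound)
    victim = Cardholder(CARD_KEY, VICTIM_TXN, bound)
    sid, challenge = bank.start(ATTACKER_TXN)
    shown = ATTACKER_TXN if show_real_details else VICTIM_TXN
    answer = victim.answer(challenge, shown)
    if answer is None:
        return False  # victim refused to answer
    return bank.finish(sid, answer)


def legitimate_transfer(bound: bool) -> bool:
    """Sanity check: no attacker, the cardholder talks to the bank directly."""
    bank = Bank(CARD_KEY, bound)
    holder = Cardholder(CARD_KEY, VICTIM_TXN, bound)
    sid, challenge = bank.start(VICTIM_TXN)
    return bank.finish(sid, holder.answer(challenge, VICTIM_TXN))


if __name__ == "__main__":
    print("unbound, relayed:        ", relay_attack(bound=False))               # True: attack works
    print("bound, phisher lies:     ", relay_attack(bound=True))                # False: MAC covers wrong txn
    print("bound, phisher is honest:", relay_attack(bound=True, show_real_details=True))  # False: victim refuses
```

With an unbound challenge the relay succeeds every time: the bank cannot tell that the correct answer came through a phishing page. Binding the answer to amount and destination leaves the phisher two options, and both fail in the model: show the victim the true details and be refused, or show the intended details and produce an answer the bank rejects. What the model does not capture is Paeniteo’s point: a victim who can be talked into typing digits dictated by the page, rather than reading the displayed destination, gives up that protection regardless of the cryptography.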

Daniel Lohin February 2, 2010 8:20 AM

Bruce,
What do you think of the SET system? Why couldn’t they give the same incentives to SET to push its adoption?

Randy February 2, 2010 9:30 AM

Whatever happened to “single use” credit card numbers?

I use the CC# once and then it’s no good…ever.

I heard about them being developed a few years back, but then silence.

Randy

Clive Robinson February 2, 2010 11:38 AM

@ Daniel Lohin,

“What do you think of the SET system?”

It had a couple of major problems from the outset.

The first, and the JCB-sized shovel that buried it, was it offered the customer less than they already had.

That is, for a CC transaction the customer can say “no, this was not me” but with SET they could not argue that. Also it cost big time back in the 1990’s to generate and check the digital certs, so that cost the customer and the merchant.

Back in 2000 I identified a problem in that nobody could trust the software that you would have used to make your certificate (those I reviewed gave little entropy).

At that time Adam Young and Moti Yung were going on about “kleptocryptography” and it was easy to show how this could be used when generating the user’s P&Q.

Then of course there was a paper by D Copperfield (he of DES fame) who showed that if you knew as little as 25% of the bits in the P or Q then it was effectively game over for the certificate.

Then of course was the nigh on thousand A4 page specification with a huge chunk of ASN.1 descriptors. If I remember correctly there were iffy bits that could be exploited.

As a general rule don’t use somebody else’s software to make your PQ pair for you; do it yourself. There are plenty of checked bits of Perl code for verifying a prime of the right form that most people can check, and it’s not overly difficult to make a random number generator with a couple of dice and a beer glass and beer mat.

Then at least you know what you are getting, unlike black box software which could be hiding a back door in your certificate that they know but you cannot find except by disassembling their code, which we all know is a “serious” crime in the US…

Nick P February 2, 2010 1:00 PM

@ Clive

That kind of situation actually occurred with the Microsoft Windows Vista Elliptic Curve random number generator. One prominent cryptographer showed that, for the default numbers, a corresponding set of numbers existed that could decrypt communications. The concern was that those who picked the default numbers may have had the others’ and intended to snoop in a clever way. That NSA consulted on their security and source came from NIST, under NSA influence, I don’t blame people for not using that ECC system. Personally, I try not to use ECC at all: too esoteric and RSA is well-understood and easy to implement.

Clive Robinson February 2, 2010 2:25 PM

@ BF Skinner,

“Hmmmm…do we gain more with our credit cards than we lose in our anonymity of cash?”

Worse many times over. A thief can only steal the cash in your wallet so you know you have only lost 100 bucks; they steal your cards and they can clean out your bank account whilst you are lying on the ER bed waiting to tell a disinterested cop that “no, you did not see who hit/knifed/shot/etc. you from behind”…

“He questioned their motives and speculated what the Fed really wanted was weak crypto so they could monitor transactions to off-shore banks.”

If the banks used it. They had and still have one heck of an investment in DES which has not yet gone away in various guises (3DES etc).

However for many transactions they have no incentive to use encryption at all. As long as the authentication is strong….

“I think likely some in Government want us off banknotes and coin as fast as possible.”

Yes they do but in general not for the “Big Brother” option (although I’m sure they are happy with that side effect ;). Put simply “cash” is expensive, coinage doubly so. It is easy to forge both notes and coins, and in some places people have been known to smelt down old (pre 1980) copper coins as they are worth more as scrap than their face value.

The problem the government had was seigniorage, that is effectively the interest on the money in circulation which goes to the person who prints the money (US Treasury in the US, but the Five Banks in Scotland).

Not so long ago when interest was above 5% then the costs of printing, transportation, forgery and end of life destruction were covered with a little profit left over.

Now however with interest rates at 0.5% there is no profit. However the Governments are making large amounts on “Quantitative Easing”; in essence they just print money and spend it, thus devaluing the rest of the money in circulation as well as all that money in people’s savings accounts etc etc etc.

Now if you or I were to print money or similar we would be looking at a very very long time in an orange jump suit with nice steel accessories, but at least the bed and board is free (not sure about non-Federal prisons these days as I’m not a US citizen, nor have any interest in going to the US any longer, as the price, in loss of dignity and privacy, is way more than I’m prepared to pay).

@ Bruce,

Oh and guess what, in the UK we have installed the “nearly naked” scanners at London Heathrow, and they were showing the pictures on the news last night, and yes you can see the outline of the sex organs if those images are anything to go by; not clearly but certainly enough to re-build with Photoshop etc.

And the best bit: Lord Adonis (yes, you cannot make it up if you tried) has said if you refuse to be scanned then “you will not fly”, which as far as I can tell is actually illegal under EU legislation, so expect to see the UK Gov get its face slapped in the ECHR in about 2 years’ time. However how many people will they have needlessly abused both physically and mentally in the meantime…

Oh and also on illegal activities by the UK Government: even though having been told that “random stop and search” is illegal they are still doing it, and also having been told “control orders” are illegal they are still using them. So even if the ECHR does tell the UK Gov it’s illegal to say “no fly” I fully expect them to ignore it as normal.

And we the British people are expected to have respect for these idiots…

pradeep February 2, 2010 11:24 PM

Paypal and few other places (Wachovia Bank) offer a built in security card key, which generates and displays a six digit security code every 30 seconds. This device is tied to your account.

http://www.claritech.ca/wp-content/uploads/2009/09/PayPal1.jpg

So when I log in to my Paypal account, aside from my login ID and password, I provide another factor of authentication by entering this security code. Paypal now even has it set up that you can do this on your mobile phone, in that, they text this security code to your phone and it changes every 30 seconds, so it can’t be re-used. This seems to be a safe and easy to implement method for credit cards.

Clive Robinson February 3, 2010 3:01 AM

@ Nick P,

Hope all is well at your end of the world which reminds me EMail… I must sort it out.

With regards,

“That NSA consulted on their security and source came from NIST, under NSA influence, I don’t blame people for not using that ECC system.”

Yes I’m told ECC has some oddities in it, which could easily be misused by those supposedly in the know.

“Personally, I try not to use ECC at all: too esoteric”

I’ll put my hand up to having not got a real grip on the math of it (mind you I don’t know if anybody I know personally has either 8(

“RSA is well-understood and easy to implement.”

Yes it is getting that way (still issues to do with P&Q selection though 😉

Best of all is the patent time issue 8)

However deep down the problem that both RSA and ECC have is what you might call “redundancy”. They both have one heck of a lot of it in one way or another.

As a friend who (does “math” 😉 is involved with TRNG design says, “The devil can hide a universe behind an atom, and there’s one heck of a lot of them, thus we are all living in a state of sin”

It’s why I like OTPs and symmetric ciphers; as an engineer it feels like you can get a good grip on the “greasy pig” if you have “the right tools for the job” and have a chance of winning.

Mind you I still can’t tell you if a number is “random” or not as they all look the same to me 😉

k price February 3, 2010 11:42 AM

I had a problem with it, last week!
the bank refused to admit that was even possible GRRRRRRRRRRRR!

Twylite February 5, 2010 9:41 AM

“Based on your remarks, and the mentioned failing, you sound like a party to the matter at hand or are a troll being employed by the same people who refuse to change the system.”

@Peter: I established an Internet identity using a pseudonym over 15 years ago, and use it consistently. My e-mail address is readily available via my web site (just click on my name, I make the URL public) and my “real” identity is in the domain records (because that’s the legal requirement in my country).

Although I work in the payment security industry, I don’t disclose my affiliation because I do not speak on behalf of my employer. This is standard practice for most people. My company is not directly involved in Internet-based payments and we don’t work with 3DS, but a draft did cross my desk in 2001.

The credibility of my claims is easily verified via publicly available data. Apparently you couldn’t be bothered, and would prefer to simply question my credentials. So, for the lazy:

Wikipedia will tell you that OpenID was developed in 2005. A google search on ‘visa “3d secure” history’ will give hits claiming implementations as far back as 2003.

A bit of reading of the specifications for both OpenID and 3DS will tell you that in both cases you will be redirected to a provider, the authentication mechanism (strength, type, etc.) is between you and the provider, and the provider confirms the authentication back to the originating site. So the interface to 3DS verification and its strength is under the control of the issuer, not VISA or the 3DS spec.

As for OpenID, search for ‘openid problems’ or read my blog entry (http://www.crypt.co.za/post/62) or one of many other pages on the issue (http://www.readwriteweb.com/archives/the_troubles_with_openid_20.php).

Alm February 9, 2010 6:40 AM

This is a blemish on much of the cyber security community. They (we?) cannot get the basic administrative details right, never mind advanced protocols.

Their irresponsible actions include: Use of pop-up / iframe; Not using their own, “trusted”, domain names (ie. visa.com nor bank’s domain); Using an unknown, phishing-like domain name “securesuite.net” (At least for Capital One, RBC, Barclays, ING, Bank of America, Chase, US Bank, CIBC, Providian); Using a poorly registered domain as securesuite.net is registered to “cyota”. Not capitalized, not “incorporated”, just “cyota”. Not responding to feedback regarding their obvious oversights, for years; and more.

When I first encountered VbV, I thought this was a poor phishing attempt. When I sent notes to Via (the vendor), CIBC (the bank) and Visa, the responses were total incomprehension of my concerns. Well, the vendor understood some aspects of the problem, but they were doing what they were told by the “experts”.

This security is worse than “useless” as it encourages people to enter information into sites of unknown trust. At the same time it was created by security experts, purchased by experts (RSA purchased Cyota in 2005) and integrated by experts (CIBC, RBC, … the banks in Canada tend to be large enough to support significant security expertise that is supposed to integrate security into their operations). It makes all these organizations look bad.

Perhaps with this issue hitting the press these organizations which I have named might do something to correct their poor implementation? Or make a comment here explaining their actions?

Nathan February 25, 2010 1:48 PM

I’ve only come across VbV once, on newegg.com. I use noscript, so JavaScript is effectively disabled by default. In this state, the VbV thingy tries to load, fails, and my transaction continues unimpeded. Good enough for me.

JAF May 27, 2010 11:41 PM

Today I went to pay my VZW bill online and I was prompted by “Verified by Visa” to enter my password, or if you click on “I don’t have one” it makes you sign up. This is NOT something that Verizon should have any control over. You (Verizon) do not get the right to decide how I set up my bank account. I have called Wells Fargo and they have stated that merchants have the option to participate in this program but should NOT be MAKING anyone sign up. Verizon has no right to dictate or control how MY bank account is set up. This is a very bad business practice. I understand that it is to promote security online; HOWEVER, that is not your call to make! This does not make purchases online any more secure; it actually makes them less secure.

Ken Walker June 20, 2010 7:15 PM

Here in Canada at least, the way that they issue pin numbers for these chip Visa cards offers no security at all.

My first concern with them was when the CIBC sent me a letter on the same day they sent my new chip Visa card that told me the pin number from my debit card. After having been told that even the bank can’t tell my pin, they print it out in a letter and mail it to me. Royal Bank does it the same way.

But today they did one better. My son, who deals at the same bank, forgot the PIN number for his chipped Visa card. He phoned the number on the card. The only question he was asked was for the number on the back of the card. He was told to take it to an ATM and punch in a new PIN number of his choice and it would be reset. The bank had absolutely no way of knowing who was calling or how he got the card. That means anyone who has the card, such as a thief or someone who finds it, can phone for a new PIN and max out the account. I would expect to find that there is a provision in the cardholder agreement that says the cardholder is responsible for the charges if the correct PIN is used.

Ralph Yozzo January 14, 2011 12:50 PM

Hi,

I agree with the lack of security in the current systems. It’s amazing that the secure, well-written systems are incorrectly not trusted by people. I hear “oh, I don’t trust Google or PayPal.” It’s amazing that this same user will use a novice web site and disclose everything to it, while the novice website will use PayPal to clear the payment. Amazing!

Here’s a paper that I wrote about a real world experience: http://internetsecurity.brooklynmarathon.com/

Ralph
