Why "Verified By Visa" System Is Insecure
angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."
Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.
I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"
Plane ticket: $350
Hotel room for 5 nights: $500
Rental car for 6 days: $200
Broadway show tickets for two: $300
Finding out your VISA card doesn't work but your Master Card does: priceless.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
My Chase MC and Visa required this to be set up, and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.
See that! You're more secure already!
And you doubted the value of this valuable security feature...
Chip cards have been in use for a very long time in France. They all have mag stripes, mainly because that's what most ATMs use anyway, but also for use abroad. The mag stripe contains information as to whether the card also has a chip, so that even when an authorisation (the terminal phoning the acquirer) is not required, it can decide to deny the transaction preemptively if the card is supposed to have a PIN and the terminal is supposed to be able to read it.
In that case I guess the bank is just being incompetent, and failed to implement the ultra-advanced algorithm:
if (card.haschip() && terminal.haschipreader())
    return MUSTUSECHIP;
else
    return ITSOKTOUSETHEMAGSTRIPE;
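The check sketched in the comment above, worked through on the data a terminal actually has: the Track 2 service code on the mag stripe, whose first digit (2 or 6 under ISO/IEC 7813) is how the stripe says "this card has a chip". This is an added example, not the commenter's code or any real terminal's; the track strings are constructed and use the well-known test PANs, not real cards.

```python
# Added example: terminal-side "deny mag-stripe fallback" decision driven by the
# Track 2 service code, the stripe field that records whether the card has a chip.
# All track data here is constructed; the PANs are standard test numbers.
from dataclasses import dataclass

# ISO/IEC 7813 service code, first digit: 2 = international interchange, 6 = national,
# both meaning "integrated circuit present, use it where feasible".
CHIP_CAPABLE_FIRST_DIGITS = {"2", "6"}

MUST_USE_CHIP = "MUST_USE_CHIP"
MAGSTRIPE_OK = "MAGSTRIPE_OK"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str        # YYMM as encoded on the stripe
    service_code: str  # three digits


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSS<discretionary>?' from a swipe; ValueError on malformed data."""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("missing track 2 sentinels")
    pan, sep, rest = raw[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("bad PAN field")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry/service code too short")
    return Track2(pan=pan, expiry=rest[:4], service_code=rest[4:7])


def card_has_chip(t: Track2) -> bool:
    """The stripe's own statement that the card carries a chip."""
    return t.service_code[0] in CHIP_CAPABLE_FIRST_DIGITS


def fallback_decision(raw_track2: str, terminal_has_chip_reader: bool) -> str:
    """The comment's algorithm: a chip card in a chip-capable terminal must not be swiped."""
    t = parse_track2(raw_track2)
    if card_has_chip(t) and terminal_has_chip_reader:
        return MUST_USE_CHIP
    return MAGSTRIPE_OK


if __name__ == "__main__":
    chip_card = ";4111111111111111=1512201123456789?"      # service code 201: chip present
    stripe_only = ";5500000000000004=1512101123456789?"    # service code 101: no chip
    print(fallback_decision(chip_card, True))     # MUST_USE_CHIP
    print(fallback_decision(chip_card, False))    # MAGSTRIPE_OK
    print(fallback_decision(stripe_only, True))   # MAGSTRIPE_OK
```

The decision needs no online authorisation, which is the point the French-card comment makes: the stripe alone tells the terminal that a swipe is a downgrade.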