Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

Welcome to 3 years ago

[rnicey]

I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

Only problem is, it's crap.

Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

Re:Welcome to 3 years ago

Agreed. A while back we got a few unexplainable card not authorised failures. Turned out these card were 3DS cards.
So I asked the internet guys if we should implement 3DS on our system to avoid losing sales.

Their answer was almost word for word verbatim what you've given "It transfers the liability from them to the customer, it is not secure".

We have not implement 3DS on our site. We have no intention of doing so.

Re:Welcome to 3 years ago

[zonky]

I was visiting the UK last month as a tourist. I have lived there, and moved away about 5 years ago, around the time Chip & PIN was first appearing.

Frankly, I was treated like some kind of crinimal subversive for presenting a credit card that didn't have a CHIP on it. I was told by some retailers (a Mobile phone co) that they could not except my card as ALL card HAD to be Chip & PIN. It took a bit of experimenting with other retailers for them to work out that if you inserted a non C&P card into the chip slot, it asked you to swipe it. Although, some terminals didn't have swipe-y bits.

It seemed to be a shock to many that not all countries have cars with chip and pin on them.

Many retailers refused to believe, or be able to sell to me if i didn't have a postcode. (i'm visiting. Why do you need a postcode? I don't have one!).

This was outside the main tourists bits perhaps- (West Midlands), but still...

Re:Welcome to 3 years ago

[thetoadwarrior]

Always call your bank / credit card company before going abroad. It will save you hassle especially if you don't travel. Anything that appears to be out of the ordinary will get questioned.

Re:Welcome to 3 years ago

[jimicus]

You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.

Really?

You'd better tell the people whose chip cards have been cloned.

Re:Welcome to 3 years ago

[Anne_Nonymous]

Also:

1. Always carry more than one card (one each of Visa and MC for example).
2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

Re:Welcome to 3 years ago

[jonbryce]

Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.

Re:Welcome to 3 years ago

Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.

I really did give that exact post code, last time I bought a TV. The poor sales clerk confirmed the address on the till -- "Prime Minister and First lord of the treasury". Didn't ask me fore the number.

The TV before, I asked why I needed to provide an address. I was assured it wasn't for marketing reasons. I gave my work address -- BBC Television Centre, Wood Lane, London, W12 7RJ.

12 months later, I receive a letter from comet at work telling me my guarantee was due. No way they could get that address aside from the "TV Licensing demands it, not for marketing use"

Re:Recomendations?

[DCstewieG]

Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.

http://www.discovercard.com/customer-service/security/create-soan.html

What Is The Point Of 6 Digit Password?

[tunapez]

I've used the service 3 times...guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password(8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.

Re:Recomendations?

[prestonmichaelh]

I would recommend the Citi Forward Card:

http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425

I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending limit, or both on. It has basicially everything thing else in your list as well. You can even dispute charges online without having to call anyone (just finished this and the charge was reversed within 2 days without me having to talk to anyone on the phone). It also does have pretty nice rewards anyway, fairly reasonable interest rates, and an interest rate that will drop by .75% after 3 months on-time payments. You can also set it up to auto-pay or "pay on demand" via ACH from your bank (enter your routing and account number). Anyway, I generally think of Citi as a pretty big corporate evil, but this card, so far, has been pretty good.

Re:I'd rather use

[pdbaby]

There are enough numbers. Each issuer has 1 trillion numbers and there's about a million possible issuer numbers... there's a useful description of the anatomy of credit card numbers at http://www.merriampark.com/anatomycc.htm

Re:I just use Paypal

[Neoprofin]

Unless Paypal decides to shut down your account for no reason, or drain more money from the bank account than you've ever put in it for obvious reasons. Both of these are quite common if you've been following any of the Slashdot stories about Paypal.

Re:Recomendations?

[sgtrock]

MBNA'a (now owned by BofA) ShopSafe.

Re:Recomendations?

Charles Schwab Visa card meets all your above requirements and more, 2% REAL CASH back next month deposited straight into your brokerage account. No monthly fees, no bonus points hassle, you just pay.

I think the online application is hidden for now, if you google I'm sure you'll find some threads on finance forums.

Airport Security

[Xeleema]

Well that's good news, because the American ones like to plant drugs as a practical joke.