Slashdot Mirror


Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."


  1. Welcome to 3 years ago by rnicey · Score: 5, Informative

    I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

    3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

    Only problem is, it's crap.

    Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

    If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

    Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

    1. Re:Welcome to 3 years ago by Anne_Nonymous · Score: 4, Informative

      Also:

      1. Always carry more than one card (one each of Visa and MC for example).
      2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
      3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
      4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
      5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

    2. Re:Welcome to 3 years ago by jonbryce · Score: 3, Informative

      Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.

  2. What Is The Point Of 6 Digit Password? by tunapez · Score: 3, Informative

    I've used the service 3 times... guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password (8+ characters, alpha-numeric-symbol) I am limited to 6 digits and have to remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  3. Re:I'd rather use by pdbaby · Score: 3, Informative

    There are enough numbers. Each issuer has 1 trillion numbers and there are about a million possible issuer numbers... there's a useful description of the anatomy of credit card numbers at http://www.merriampark.com/anatomycc.htm

    --
    Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  4. Re:I just use Paypal by Neoprofin · Score: 3, Informative

    Unless Paypal decides to shut down your account for no reason, or drain more money from the bank account than you've ever put in it for obvious reasons. Both of these are quite common if you've been following any of the Slashdot stories about Paypal.