Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why "Verified By Visa" System Is Insecure

Posted by timothy on from the shifting-the-blame dept.

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

3 of 243 comments (clear)

  1. It's all the wrong system anyway by Anonymous Coward · · Score: 5, Insightful

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.

  2. Re:Welcome to 3 years ago by Ken+D · · Score: 5, Insightful

    Exactly.
    By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that its secure so I won't use it.

    Pseudo-security => All Pain, No Gain.

  3. No surprise by sjames · · Score: 5, Insightful

    The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

    Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

    In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

    In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.