Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why "Verified By Visa" System Is Insecure

Posted by timothy on from the shifting-the-blame dept.

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

5 of 243 comments (clear)

  1. Re:Lol by tatsuyame · · Score: 5, Interesting

    It's not. I tried making a purchase on newegg, got the the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.

  2. Re:Welcome to 3 years ago by Threni · · Score: 5, Interesting

    My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

  3. Mastercard gives me Virtual Numbers for online use by JoshDM · · Score: 3, Interesting

    I go to the Mastercard website and request a virtual number. I can specify amount and expiration time (in months). It is linked to my credit card and once I use it at a merchant, that number can only be used at that merchant for up to the amount I specified. I love it.

    Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.

  4. Activation During Shopping by epine · · Score: 4, Interesting

    My GF's great-grandmother passed away in November. She was very close.

    Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.

    This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.

    All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.

    As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleezy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.

    Brilliant lose-lose for everyone involved.

    Two of the links I recorded checked this out:
    Links More Banking Stupidity: Phished by Visa
    Verified by Visa: British banks phish their own customers - Boing Boing

    Redacted portions of an online TOS from a large Canadian bank which has since gone 404.

    You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.

    You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

    Answer me this, Batman:

    How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?

    I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works which violates your TOS.

    This whole thing makes me seriously limbic.

    Larry Lessig on laws that choke creativity

    And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.

    For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.

  5. Re:Welcome to 3 years ago by scamper_22 · · Score: 3, Interesting

    There's a very easy solution to this problem. I'm sure they have similar system elsewhere but Interac (debit card) in Canada allows you to pay online. I use it for shopping at ncix.com for example.

    You setup an account with the merchant.
    You do your shopping... add to card... go to checkout... they give you a bill.

    You then log into your online bank separately! and from your bank account you transfer money to the merchants account.

    The merchant never sees your password and phishing is near impossible because you have to logon to your bank account separately. It's a bit inconvenient, but it's a much more secure system. You don't even have to trust the merchant as they never see your password info. They just wait for the money.

    There's no other way to really do it. even if the showed a URL in the Verified by Visa scheme, you would still need to check it... a shady merchant could fake it...
    About the only other way would be to have some trusted authorities built into the browser (like we do with certificates). The site can request the browser to 'bring up secure payment for visa'... and it handles it with a non-webpage login/payment system.