Slashdot Mirror


Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

43 of 243 comments

  1. Welcome to 3 years ago by rnicey · · Score: 5, Informative

    I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

    3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

    Only problem is, it's crap.

    Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

    If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

    Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

    1. Re:Welcome to 3 years ago by Ken+D · · Score: 5, Insightful

      Exactly.
      By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that it's secure so I won't use it.

      Pseudo-security => All Pain, No Gain.

    2. Re:Welcome to 3 years ago by Threni · · Score: 5, Interesting

      My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

    3. Re:Welcome to 3 years ago by Qzukk · · Score: 3, Insightful

      As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.

      Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:Welcome to 3 years ago by zonky · · Score: 2, Informative
      I was visiting the UK last month as a tourist. I have lived there, and moved away about 5 years ago, around the time Chip & PIN was first appearing.

      Frankly, I was treated like some kind of criminal subversive for presenting a credit card that didn't have a CHIP on it. I was told by some retailers (a Mobile phone co) that they could not accept my card as ALL cards HAD to be Chip & PIN. It took a bit of experimenting with other retailers for them to work out that if you inserted a non C&P card into the chip slot, it asked you to swipe it. Although, some terminals didn't have swipe-y bits.

      It seemed to be a shock to many that not all countries have cards with chip and pin on them.

      Many retailers refused to believe, or be able to sell to me if I didn't have a postcode. (I'm visiting. Why do you need a postcode? I don't have one!).

      This was outside the main tourists bits perhaps- (West Midlands), but still...

    5. Re:Welcome to 3 years ago by thetoadwarrior · · Score: 2, Informative

      Always call your bank / credit card company before going abroad. It will save you hassle especially if you don't travel. Anything that appears to be out of the ordinary will get questioned.

    6. Re:Welcome to 3 years ago by steelfood · · Score: 5, Funny

      Plane ticket: $350
      Hotel room for 5 nights: $500
      Rental car for 6 days: $200
      Broadway show tickets for two: $300
      Finding out your VISA card doesn't work but your Master Card does: priceless.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    7. Re:Welcome to 3 years ago by jimicus · · Score: 2, Informative

      You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.

      Really?

      You'd better tell the people whose chip cards have been cloned.

    8. Re:Welcome to 3 years ago by Threni · · Score: 2, Insightful

      Your problems are all related to the desire to stop fraud. You're not a subversive - you're just a little unusual. If you use a mag swipe and the card turns out to be stolen, the store loses out. So, unsurprisingly, some stores would rather not serve you. With chip and pin, they'll not lose out if the card turns out to be stolen/fraudulently used. Ditto the post code - they wanted it so they could check it against the postcode the card is registered against. In the perfect world the store staff would know some people, especially tourists/foreigners, don't have chip and pin cards but really the store staff don't give a shit about you - they're just there to get paid, and frankly don't care whether you buy anything or not. I'm sure the store managers are a little more concerned you have a good time, but you're just going to have to get used to being asked awkward questions, or perhaps pay cash.

    9. Re:Welcome to 3 years ago by Anne_Nonymous · · Score: 4, Informative

      Also:

      1. Always carry more than one card (one each of Visa and MC for example).
      2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
      3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
      4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
      5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

    10. Re:Welcome to 3 years ago by scamper_22 · · Score: 3, Interesting

      There's a very easy solution to this problem. I'm sure they have a similar system elsewhere but Interac (debit card) in Canada allows you to pay online. I use it for shopping at ncix.com for example.

      You set up an account with the merchant.
      You do your shopping... add to cart... go to checkout... they give you a bill.

      You then log into your online bank separately! and from your bank account you transfer money to the merchant's account.

      The merchant never sees your password and phishing is near impossible because you have to log on to your bank account separately. It's a bit inconvenient, but it's a much more secure system. You don't even have to trust the merchant as they never see your password info. They just wait for the money.

      There's no other way to really do it. Even if they showed a URL in the Verified by Visa scheme, you would still need to check it... a shady merchant could fake it...
      About the only other way would be to have some trusted authorities built into the browser (like we do with certificates). The site can request the browser to 'bring up secure payment for visa'... and it handles it with a non-webpage login/payment system.

    11. Re:Welcome to 3 years ago by jimicus · · Score: 2, Interesting

      But cloning a chip should be very difficult without destroying the card and having long term access to the card. Even then it should be very difficult. Are there any demonstrated examples of criminals cloning credit card chips (or extracting the private cryptographic key)?

      I did look a bit further after posting.

      It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

      There may be proof of concept demonstrations done by researchers, particularly on satellite cards, but has it been found in the wild for credit cards? And has it been verified, not just a crooked card holder falsely claiming his card was stolen?

      Of course cloning the magstripe shouldn't do any good without the chip.

      There are some instances of magswipe readers being attached to cash machines. The data isn't much good in the UK (it identifies that the card has a chip, and most if not all UK cash machines read the chip) but it is enough to create a fake card with just the magnetic strip and using it in a country where chipped cards are unknown.

      Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

      Not possible unless you're the bank - the magstripe doesn't contain the PIN. The verification process is "card reader asks the chip if the PIN supplied is OK. Chip says either yes or no". Incidentally, this is a weak spot - build a chip which always says "yes" and suddenly you don't need the cardholders' PIN.

      While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway.

      Banks have not reduced their charges as a result of this system - indeed, most personal UK bank accounts are free of charge anyway. Where you get charged is if you have a business bank account or if you exceed your overdraft limit - and if you exceed your overdraft limit, boy do you get charged.

      The American system of giving every merchant and his employees all the information needed to max out your credit card account, seems almost insane. Chip and pin and or a push system of payment like paypal, makes a lot more sense to me.

      Better, yes. However, the banks are (or at least were originally) taking the line that it's 100% cast-iron foolproof, which is obviously balls.

    12. Re:Welcome to 3 years ago by orlanz · · Score: 2, Insightful

      I am a long time credit card user (don't believe in cash). I ran into this a few months back with Walmart online. It actually looked like a scam. And you are right about the security aspect, just an offloading of (increased) risk. It pops out of nowhere and the new page's instructions clearly said it was optional and I can hit cancel. BUT, there was no cancel button, I even looked in the source code. So I closed the browser.

      This was considered _fraudulent_activity_ and locked my card for a while (automatic, no warning). I basically had to tell them: I don't want to sign up for the "optional feature" and I leave it to you if you want to keep my card locked. I just started using my MC. A Visa card that used to get charged 2-3k a month in business charges now gets about $50. I think Visa completely, utterly screwed up with not only the idea, but the implementation, and the very approach of presenting the system. A colossal failure for Visa and a big win for MC. If MC starts it, rest assured, I will move to Discover and so on with Paypal at the end.

      A credit card is supposed to provide you with security and convenience. This system gives you neither! Now, you basically have the risk of a TON of cash sitting behind yet another password only _you_ are supposed to know. There are better ways to provide FAR more security with a negligible loss of convenience at a slightly higher price (ex: personal and one time pins), but I guess Visa just wanted to waste money tricking its customers into accepting a lot of the merchant's and Visa's risk.

    13. Re:Welcome to 3 years ago by jonbryce · · Score: 3, Informative

      Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.

    14. Re:Welcome to 3 years ago by TheRaven64 · · Score: 2, Interesting

      Merchant banks will only guarantee the transaction with the chip and pin. If you don't (or can't) use it then the retailer will be liable for fraud. Big shops, like Tesco, will not care because it's better for them to eat the cost of fraud and maintain good customer relations. For smaller shops, it might cost them their profit margin to accept it.

      --
      I am TheRaven on Soylent News
    15. Re:Welcome to 3 years ago by mrcaseyj · · Score: 2, Interesting

      It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

      The machines that would take a cloned card are probably the ones that will work with only the magstripe. That would protect the card holder somewhat against fraudulent charges, especially if the charge was in another country. You still might have a hard time getting your money back if your pin was used though.

      Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

      Not possible unless you're the bank - the magstripe doesn't contain the PIN. The verification process is "card reader asks the chip if the PIN supplied is OK. Chip says either yes or no". Incidentally, this is a weak spot - build a chip which always says "yes" and suddenly you don't need the cardholders' PIN.

      In the US cards don't typically have chips. They only have mag stripes. But ATM cards work with a pin even though they don't have a chip. The card reader pin pad encrypts the pin after it is typed, and sends it to the bank and the bank confirms if the pin is correct. No chip is needed in the card. I assumed UK cards could work similarly with regard to the pin, though with additional protection provided by the chip. With the pin being stored only at the bank and in the card holder's brain, it doesn't matter what the card says about the validity of the pin. The card need not even know what the pin is.

      While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway.

      Banks have not reduced their charges as a result of this system - indeed, most personal UK bank accounts are free of charge anyway. Where you get charged is if you have a business bank account or if you exceed your overdraft limit - and if you exceed your overdraft limit, boy do you get charged.

      The reduced fraud costs might not show up in direct charges. Merchants competing on price could reduce retail prices with lower fraud and negotiate lower merchant fees with card companies who would also have less fraud costs. And credit card interest rates could also be lowered a little. On the other hand, saving one percent on all your purchases might not be much consolation if you're one of the unlucky few that gets stuck with a fraudulent $10000 bill, because chip and pin allowed the bank to transfer the liability to you. It must also be remembered that banks don't always make it easy to get your money back even if chip and pin isn't used. If the charge is from Nigeria, then they'll probably have to give you your money back, but if the charge is made locally or shipped to your house and intercepted, you might have a hard time convincing them it was fraudulent. Chip and pin would probably drastically reduce such charges. I expect chip and pin and this verified by visa thing would be beneficial to us card holders over all.

      The real solution to this though is that cards need to have a display and pin pad on the card. That's hard because they're thin, but the system would be much more secure. A fake pin pad would not be able to capture the pin (though a camera still might). And the card holder could see on the display who the payment was being sent to and how much was being sent. Such a system could even be used on a poorly secured home computer without much worry, since no transaction could take place without the card holder physically authorizing it and seeing the amount and destination on the card's secure display. If the card's operating system was simple enough, it would stand a reasonable chance of being virus proof.

  2. Re:Lol by tatsuyame · · Score: 5, Interesting

    It's not. I tried making a purchase on newegg, got to the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.

  3. I'd rather use by sconeu · · Score: 4, Insightful

    Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:I'd rather use by pdbaby · · Score: 3, Informative

      There are enough numbers. Each issuer has 1 trillion numbers and there's about a million possible issuer numbers... there's a useful description of the anatomy of credit card numbers at http://www.merriampark.com/anatomycc.htm

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  4. Re:Lol by Kamokazi · · Score: 2, Interesting

    I used my Visa instead of my usual MC on Newegg for a Christmas gift and it came up for the first time ever. I closed the window intending to buy it on my MC instead, but the payment still went through. 2 days later I got a call from the Visa fraud department...haha. I told the lady the verified thing was a bullshit pain in the ass and she let me on my way. Haven't used my Visa since.

    --
    As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
  5. It's all the wrong system anyway by Anonymous Coward · · Score: 5, Insightful

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.
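The scheme proposed in the comment above, sketched in Go as an added example that is not part of the original thread or of any card network's protocol. The type and field names, the test card number and the per-checkout nonce are assumptions of this example; the nonce is added so that a captured signature cannot be submitted a second time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentAuth is the statement the cardholder's private key signs.
// All field names are assumptions made for this example.
type PaymentAuth struct {
	Card     string `json:"card"`
	Merchant string `json:"merchant"`
	Cents    int64  `json:"cents"`
	Currency string `json:"currency"`
	Nonce    string `json:"nonce"` // fresh per checkout; makes a signature single use
}

// SignedAuth is everything a merchant or an eavesdropper ever sees.
type SignedAuth struct {
	Auth PaymentAuth
	Sig  []byte
}

var (
	ErrUnknownCard  = errors.New("no public key enrolled for card")
	ErrBadSignature = errors.New("signature does not match authorisation")
	ErrReplay       = errors.New("authorisation already used")
)

// encode returns the exact bytes that are signed and verified. json.Marshal
// writes struct fields in declaration order, so the encoding is deterministic.
func encode(a PaymentAuth) []byte {
	b, err := json.Marshal(a)
	if err != nil {
		panic(err) // cannot happen for a struct of strings and an int64
	}
	return b
}

// NewCardKey creates the cardholder's key pair; only the public half is enrolled.
func NewCardKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignAuth runs on the cardholder's device; the private key never leaves it.
func SignAuth(priv ed25519.PrivateKey, a PaymentAuth) SignedAuth {
	return SignedAuth{Auth: a, Sig: ed25519.Sign(priv, encode(a))}
}

// Issuer holds public keys only, so a breach of its database yields no signing secret.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool // card|nonce pairs already honoured
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (i *Issuer) Enroll(card string, pub ed25519.PublicKey) { i.keys[card] = pub }

// Approve verifies the signature first, so a forged message cannot burn a
// nonce, and then refuses any authorisation it has already honoured.
func (i *Issuer) Approve(s SignedAuth) error {
	pub, ok := i.keys[s.Auth.Card]
	if !ok {
		return ErrUnknownCard
	}
	if !ed25519.Verify(pub, encode(s.Auth), s.Sig) {
		return ErrBadSignature
	}
	id := fmt.Sprintf("%s|%s", s.Auth.Card, s.Auth.Nonce)
	if i.seen[id] {
		return ErrReplay
	}
	i.seen[id] = true
	return nil
}

func main() {
	const card = "4111111111111111" // constructed test number
	pub, priv := NewCardKey()
	bank := NewIssuer()
	bank.Enroll(card, pub)

	genuine := SignAuth(priv, PaymentAuth{Card: card, Merchant: "shop.example",
		Cents: 2599, Currency: "GBP", Nonce: "n-0001"})
	fmt.Println("genuine:", bank.Approve(genuine))
	fmt.Println("replayed:", bank.Approve(genuine))

	altered := genuine // what a dishonest merchant could try with the captured message
	altered.Auth.Cents = 259900
	fmt.Println("amount altered:", bank.Approve(altered))
}
```

Because the merchant name and amount are inside the signed bytes, the signature is useless for any other payment, and the nonce check covers resubmission of the same message unchanged.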

  6. Re:Lol by FlyingBishop · · Score: 4, Insightful

    No, because it's in an iFrame it's less secure than having nothing at all. When you're pulling data from two different sites on the same page, it's much easier for a third party to insert their own fields without you knowing.

  7. Mastercard gives me Virtual Numbers for online use by JoshDM · · Score: 3, Interesting

    I go to the Mastercard website and request a virtual number. I can specify amount and expiration time (in months). It is linked to my credit card and once I use it at a merchant, that number can only be used at that merchant for up to the amount I specified. I love it.

    Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.

  8. Insecure != Unsecured by Anonymous Coward · · Score: 5, Funny

    Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

    I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

    1. Re:Insecure != Unsecured by pjt33 · · Score: 2, Interesting

      I would understand "unsecured" to mean "no-one has attempted to secure it". If they've attempted and failed then it's badly secured and insecure.

    2. Re:Insecure != Unsecured by pjt33 · · Score: 2, Insightful

      But if I lock it with a 50 cent padlock then it's locked, but extremely easy to open.

  9. it kills sales by Anonymous Coward · · Score: 2, Interesting

    We had it forced on us by our payment provider and it killed sales, we had so many customers asking what their password was and where do they find it. We opted out of it.

  10. Re:Recommendations? by DCstewieG · · Score: 2, Informative

    Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.

    http://www.discovercard.com/customer-service/security/create-soan.html

  11. Re:I switched credit cards by pavon · · Score: 2, Insightful

    I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

    No kidding. What is worse is that every time I have been shown the verification page it wasn't even hosted at something obviously legitimate like verify.visa.com, but rather the domain was some other corporation related to Visa (can't remember the name right now).

  12. What Is The Point Of 6 Digit Password? by tunapez · · Score: 3, Informative

    I've used the service 3 times...guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password(8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  13. You don't even need the password by beneppel · · Score: 2, Interesting

    I recently forgot my verified by visa password - the only security question it asked me that wasn't printed on the card was my date of birth - it's not the first time I've had to reset my password, and each time the question is the same. That means if somebody has my card, all they need to know is my date of birth, and they can reset my 3DS password easily.

  14. Re:Recommendations? by prestonmichaelh · · Score: 2, Informative

    I would recommend the Citi Forward Card:

    http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425

    I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending limit, or both on. It has basically everything else in your list as well. You can even dispute charges online without having to call anyone (just finished this and the charge was reversed within 2 days without me having to talk to anyone on the phone). It also does have pretty nice rewards anyway, fairly reasonable interest rates, and an interest rate that will drop by .75% after 3 months on-time payments. You can also set it up to auto-pay or "pay on demand" via ACH from your bank (enter your routing and account number). Anyway, I generally think of Citi as a pretty big corporate evil, but this card, so far, has been pretty good.

  15. RSA keyfobs in credit cards by ehud42 · · Score: 4, Insightful

    I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.

    --
    I'm in my right mind and I have the answer to everything!
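A time-synchronised rolling code of the kind the comment above asks for can be built with TOTP (RFC 6238), shown here in Go as an added example that is not part of the original thread and does not describe any issued card. The 30-second step, the six digits, the one-step drift allowance and the `Verifier` type are assumptions of this example; the shared secret is the published RFC 6238 test key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const stepSeconds = 30 // how long one displayed code stays current (assumed)

// codeAt is the RFC 4226 HOTP truncation applied to a time-step counter.
func codeAt(secret []byte, counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f) // dynamic offset from the last nibble
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// CardCode is what the card's display would show at the given Unix time.
func CardCode(secret []byte, unix int64) string {
	return codeAt(secret, unix/stepSeconds)
}

// Verifier is the issuer side. It tolerates one step of clock drift in either
// direction and accepts each time step at most once, so a code copied during
// one purchase cannot be presented again.
type Verifier struct {
	secret []byte
	last   int64 // highest time step already accepted; -1 when none
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, last: -1}
}

func (v *Verifier) Check(code string, now int64) bool {
	cur := now / stepSeconds
	for c := cur - 1; c <= cur+1; c++ {
		if c < 0 || c <= v.last {
			continue // before the epoch, or a step that was already spent
		}
		want := codeAt(v.secret, c)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.last = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test key, not a real card secret
	now := int64(1111111109)                 // RFC 6238 test time
	code := CardCode(secret, now)
	issuer := NewVerifier(secret)
	fmt.Println("card shows:", code)
	fmt.Println("first use accepted:", issuer.Check(code, now))
	fmt.Println("same code again:", issuer.Check(code, now+2))
}
```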
  16. Re:I switched credit cards by Anonymous Coward · · Score: 2, Insightful

    In the UK, the server's domain name is securesuite.co.uk. How is the average user going to be aware that the domain is legit? Furthermore, most merchants seem to use iframes (seen some popups too) so you can't even see the domain unless you right-click->properties. Pretty stupid.

  17. Activation During Shopping by epine · · Score: 4, Interesting

    My GF's great-grandmother passed away in November. She was very close.

    Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.

    This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.

    All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.

    As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleazy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.

    Brilliant lose-lose for everyone involved.

    Two of the links I recorded checked this out:
    Links More Banking Stupidity: Phished by Visa
    Verified by Visa: British banks phish their own customers - Boing Boing

    Redacted portions of an online TOS from a large Canadian bank which has since gone 404.

    You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.

    You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

    Answer me this, Batman:

    How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?

    I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works which violates your TOS.

    This whole thing makes me seriously limbic.

    Larry Lessig on laws that choke creativity

    And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.

    For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.

  18. Re:Lol by Trails · · Score: 4, Insightful

    Security is about tradeoffs. So, let's be clear. iFrame = bad, I agree with you. But let's take it further, let's look at what you're getting. I've hit verified by visa a couple times, I always forget my password. In part, my standard repertoire of passwords don't work because it only accepts letters and numbers, my passwords often contain various symbols. In other words, the limitations on the password characters limit the number of possible passwords. Not great, though not as bad as the iframe thing. So I use the "forgot your password" flow every time. The genius thing about that is that it asks me stuff I'd already entered on the retailer's purchase form. There's no additional info required, it's all fairly standard "accessible" user profile info, but for the re-entering of the card details. So, to be clear, from a quantitative aspect we have 1 bad and 1 "not so hot". But what have we gained? Nothing!!! It's online security theatre. It's about as effective as a Dutch Airport security officer.

  19. Re:I just use Paypal by Neoprofin · · Score: 3, Informative

    Unless Paypal decides to shut down your account for no reason, or drain more money from the bank account than you've ever put in it for obvious reasons. Both of these are quite common if you've been following any of the Slashdot stories about Paypal.

  20. Re:Recommendations? by sgtrock · · Score: 2, Informative

    MBNA's (now owned by BofA) ShopSafe.

  21. No surprise by sjames · · Score: 5, Insightful

    The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

    Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

    In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

    In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.

  22. Re:Lol by Wintermute__ · · Score: 4, Funny

    My Chase MC and Visa required this to be set up and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.

    See that! You're more secure already!

    And you doubted the value of this valuable security feature...

  23. Re:Lol by mr_lizard13 · · Score: 2, Interesting

    I've often wondered about that. When presented with the 'Verified by Visa' screen, how do I know it's the real thing?

    What's to stop a dysfunctional e-store using a mocked-up version of that screen to collect my online PIN?

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  24. Airport Security by Xeleema · · Score: 2, Informative

    Well that's good news, because the American ones like to plant drugs as a practical joke.

    --
    "When I am king, you will be first against the wall..."
  25. Bank fucked up by Nicolas+MONNET · · Score: 2, Funny

    Chip cards have been in use for a very long time in France. They all have mag stripes, mainly because that's what most ATM use anyway, but also for use abroad. The mag stripe contains information as to whether the card also has a chip, so that even when an authorisation (the terminal phoning the acquirer) is not required, it can decide to deny the transaction preemptively if the card is supposed to have a pin and the terminal is supposed to be able to read it.

    In that case I guess the bank is just being incompetent, and failed to implement the ultra-advanced algorithm:

    if (card.haschip() && terminal.haschipreader())
            return MUSTUSECHIP;
    else
            return ITSOKTOUSETHEMAGSTRIPE;