Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why "Verified By Visa" System Is Insecure

Posted by timothy on from the shifting-the-blame dept.

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

15 of 243 comments (clear)

  1. Welcome to 3 years ago by rnicey · · Score: 5, Informative

    I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

    3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

    Only problem is, it's crap.

    Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

    If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

    Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

    1. Re:Welcome to 3 years ago by Ken+D · · Score: 5, Insightful

      Exactly.
      By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that its secure so I won't use it.

      Pseudo-security => All Pain, No Gain.

    2. Re:Welcome to 3 years ago by Threni · · Score: 5, Interesting

      My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

    3. Re:Welcome to 3 years ago by steelfood · · Score: 5, Funny

      Plane ticket: $350
      Hotel room for 5 nights: $500
      Rental car for 6 days: $200
      Broadway show tickets for two: $300
      Finding out your VISA card doesn't work but your Master Card does: priceless.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    4. Re:Welcome to 3 years ago by Anne_Nonymous · · Score: 4, Informative

      Also:

      1. Always carry more than one card (one each of Visa and MC for example).
      2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
      3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
      4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
      5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

  2. Re:Lol by tatsuyame · · Score: 5, Interesting

    It's not. I tried making a purchase on newegg, got the the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.

  3. I'd rather use by sconeu · · Score: 4, Insightful

    Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  4. It's all the wrong system anyway by Anonymous Coward · · Score: 5, Insightful

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.

  5. Re:Lol by FlyingBishop · · Score: 4, Insightful

    No, because it's in an iFrame it's less secure than having nothing at all. When you're pulling data from two different sites on the same page, it's much easier for a third party to insert their own fields without you knowing.

  6. Insecure != Unsecured by Anonymous Coward · · Score: 5, Funny

    Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

    I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

  7. RSA keyfobs in credit cards by ehud42 · · Score: 4, Insightful

    I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.

    --
    I'm in my right mind and I have the answer to everything!
  8. Activation During Shopping by epine · · Score: 4, Interesting

    My GF's great-grandmother passed away in November. She was very close.

    Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.

    This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.

    All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.

    As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleezy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.

    Brilliant lose-lose for everyone involved.

    Two of the links I recorded checked this out:
    Links More Banking Stupidity: Phished by Visa
    Verified by Visa: British banks phish their own customers - Boing Boing

    Redacted portions of an online TOS from a large Canadian bank which has since gone 404.

    You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.

    You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

    Answer me this, Batman:

    How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?

    I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works which violates your TOS.

    This whole thing makes me seriously limbic.

    Larry Lessig on laws that choke creativity

    And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.

    For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.

  9. Re:Lol by Trails · · Score: 4, Insightful

    Security is about tradeoffs. So, let's be clear. iFrame = bad, I agree with you. But let's take it further, let's look at what you're getting. I've hit verified by visa a couple times, I always forget my password. In part, my standard repetoire of passwords don't work because it only accepts letters and numbers, my passwords often contain various symbols. In other words, the limitations on the password characters limit the number of possible passwords. Not great, though not as bad as the iframe thing. So I use the "forgot your password" flow everytime. The genius thing about that is that it asks me stuff I'd already entered on the retailer's purchase form. There's no additional info required, it's all fairly standard "accessible" user profile info, but for the re-entering of the card details. So, to be clear, from a quantitative aspect we have 1 bad and 1 "not so hot". But what have we gained? Nothing!!! It's online security theatre. It's about as effective as a Dutch Airport security officer.

  10. No surprise by sjames · · Score: 5, Insightful

    The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

    Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

    In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

    In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.

  11. Re:Lol by Wintermute__ · · Score: 4, Funny

    My Chase MC and Visa required this to be setup and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.

    See that! You're more secure already!

    And you doubted the value of this valuable security feature...