Slashdot Mirror


Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

8 of 243 comments

  1. Welcome to 3 years ago by rnicey · · Score: 5, Informative

    I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

    3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

    Only problem is, it's crap.

    Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

    If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

    Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

    1. Re:Welcome to 3 years ago by Ken+D · · Score: 5, Insightful

      Exactly.
      By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that it's secure so I won't use it.

      Pseudo-security => All Pain, No Gain.

    2. Re:Welcome to 3 years ago by Threni · · Score: 5, Interesting

      My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

    3. Re:Welcome to 3 years ago by steelfood · · Score: 5, Funny

      Plane ticket: $350
      Hotel room for 5 nights: $500
      Rental car for 6 days: $200
      Broadway show tickets for two: $300
      Finding out your VISA card doesn't work but your Master Card does: priceless.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."

  2. Re:Lol by tatsuyame · · Score: 5, Interesting

    It's not. I tried making a purchase on newegg, got to the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.

  3. It's all the wrong system anyway by Anonymous Coward · · Score: 5, Insightful

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.
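
    The signature scheme this comment sketches, worked through as an added example (it is not from the page, nor from any Visa or MasterCard system): the card holds a private key, signs the cleartext transaction fields, and the merchant or bank verifies with nothing but the public key. Everything here is constructed for illustration: the two fixed Mersenne primes stand in for a real card key, the unpadded textbook RSA is only there to make the protocol concrete, and the names `card_sign`, `verify`, `Bank` and the nonce strings are assumptions of this example. The `Bank` class also shows the check the comment leaves implicit: a per-transaction nonce, so that an eavesdropper who captures a valid signature cannot replay it.

```python
import hashlib

# Constructed demo key: two fixed Mersenne primes keep the example deterministic and
# offline. A real card key would be generated on the card and be far larger; this is
# unpadded textbook RSA used only to make the signing protocol concrete.
P = (1 << 61) - 1  # 2^61 - 1, prime
Q = (1 << 31) - 1  # 2^31 - 1, prime
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent; stays on the card (needs Python 3.8+)

PUBLIC_KEY = (N, E)   # seen by the merchant, the bank, and anyone listening
PRIVATE_KEY = (N, D)  # held only by the card


def transaction_digest(merchant: str, amount_cents: int, nonce: str) -> int:
    """Hash the cleartext transaction fields into an integer smaller than the modulus."""
    msg = f"{merchant}|{amount_cents}|{nonce}".encode()
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:11], "big")  # 88 bits, below N (about 92 bits)


def card_sign(private_key, merchant: str, amount_cents: int, nonce: str) -> int:
    """Runs on the card: sign the transaction. The private exponent never leaves."""
    n, d = private_key
    return pow(transaction_digest(merchant, amount_cents, nonce), d, n)


def verify(public_key, merchant: str, amount_cents: int, nonce: str, signature: int) -> bool:
    """Runs at the merchant or bank: needs only the public key."""
    n, e = public_key
    return pow(signature, e, n) == transaction_digest(merchant, amount_cents, nonce)


class Bank:
    """Authorises a transaction only if the signature verifies and the nonce is fresh."""

    def __init__(self, public_key):
        self.public_key = public_key
        self.seen_nonces = set()

    def authorise(self, merchant: str, amount_cents: int, nonce: str, signature: int) -> bool:
        if nonce in self.seen_nonces:
            return False  # replay of an already-used signed transaction
        if not verify(self.public_key, merchant, amount_cents, nonce, signature):
            return False  # fields were altered, or the signature was not made with the card key
        self.seen_nonces.add(nonce)
        return True


def demo() -> dict:
    """Genuine purchase, then what a listener who saw everything on the wire can do with it."""
    bank = Bank(PUBLIC_KEY)
    nonce = "bank-issued-nonce-0001"  # constructed; in practice issued by the bank per transaction
    sig = card_sign(PRIVATE_KEY, "example-shop", 4999, nonce)
    return {
        "genuine": bank.authorise("example-shop", 4999, nonce, sig),
        # the listener holds the public key, the cleartext fields and a valid signature:
        "replay": bank.authorise("example-shop", 4999, nonce, sig),
        "amount_changed": bank.authorise("example-shop", 999999, "bank-issued-nonce-0002", sig),
        "merchant_changed": bank.authorise("other-shop", 4999, "bank-issued-nonce-0003", sig),
        "forged": bank.authorise("example-shop", 4999, "bank-issued-nonce-0004", 12345),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:17s} accepted={accepted}")
```

    Only the first call is accepted. The listener's copy of the signature is useless against a changed amount or merchant because the signature binds the hashed fields, and useless as a replay because the bank refuses a nonce it has already seen. The same check is what a merchant-side integration would need before treating an authentication as complete, rather than assuming the step succeeded.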

  4. Insecure != Unsecured by Anonymous Coward · · Score: 5, Funny

    Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

    I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

  5. No surprise by sjames · · Score: 5, Insightful

    The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

    Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

    In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

    In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.