Is 3-D Secure Credit Card Authentication Secure? A Research Perspective

Banks worldwide are starting to authenticate online card transactions using the “3-D Secure” (3DS) protocol. Researchers Steven J. Murdoch and Ross Anderson criticise the current card-verification schemes built on it: they find that the mechanisms used by “Verified by Visa” from Visa and “MasterCard SecureCode” from MasterCard are flawed.

They observe that:

The 3DS form is displayed inside an iframe or a pop-up window with no address bar, so the customer has no indication of where the form has come from. This contradicts the banks’ own advice to their customers on avoiding phishing sites: only enter bank passwords into sites you can identify as the bank’s own.

The researchers also criticise the initial password enrolment, which happens the first time a cardholder uses a 3DS-enabled card to shop online. The user is asked to choose a new password in the middle of making a purchase. The researchers consider this a bad moment to ask: the user is more interested in completing the purchase and is therefore more likely to pick a weak password.

The 3DS specification only covers the communication between the merchant, the issuer, the acquirer and the payment scheme; it does not specify how the customer is actually verified. At the same time, liability for fraud is shifted onto the customer.

What should be done technically?

They believe that single sign-on is the wrong model. What is needed is transaction authentication: the system should tell the customer “You’re about to pay $X to merchant Y. If this is OK, enter the auth code”, so that the code authorises that specific payment and nothing else. This could be added to 3DS using SMS messaging, or systems like CAP (Chip Authentication Program), as a stopgap.
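As an added illustration of the transaction-authentication model described above (this is example code, not code from the paper or from any card scheme): the customer’s device derives a short code from the exact amount, merchant and a one-time issuer nonce using a per-card key, so a code entered for one payment cannot be replayed for a different amount or merchant. The card key, merchant names and code length are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-card secret shared by the issuer and the customer's device
# (a CAP reader or the USB device with a trustworthy display the paper proposes).
# In a real deployment it would live inside the chip, never in merchant software.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def issuer_challenge() -> str:
    """Issuer generates a fresh nonce per transaction so codes cannot be replayed."""
    return secrets.token_hex(8)


def auth_code(key: bytes, amount_cents: int, merchant: str, nonce: str, digits: int = 8) -> str:
    """Code computed by the customer's device over the details it displayed.

    Binding amount + merchant + nonce into the MAC is what turns a password
    ('who are you?') into transaction authentication ('do you approve THIS?').
    """
    message = f"{amount_cents}|{merchant}|{nonce}".encode()
    tag = hmac.new(key, message, hashlib.sha256).digest()
    # Truncate to a human-enterable decimal code, like CAP/OATH-style codes.
    return str(int.from_bytes(tag[:4], "big") % 10 ** digits).zfill(digits)


def issuer_verify(key: bytes, amount_cents: int, merchant: str, nonce: str, submitted: str) -> bool:
    """Issuer recomputes the code from the transaction it is being asked to approve."""
    expected = auth_code(key, amount_cents, merchant, nonce)
    return hmac.compare_digest(expected, submitted)


def static_password_verify(stored: str, submitted: str) -> bool:
    """The single sign-on model: nothing about the transaction enters the check."""
    return hmac.compare_digest(stored, submitted)


if __name__ == "__main__":
    nonce = issuer_challenge()
    # Device shows "You're about to pay $12.50 to Example Shop" and derives the code.
    code = auth_code(CARD_KEY, 1250, "Example Shop", nonce)
    print("genuine transaction accepted:", issuer_verify(CARD_KEY, 1250, "Example Shop", nonce, code))
    # A tampered form (e.g. amount changed in transit) fails with the same code.
    print("altered amount rejected:   ", issuer_verify(CARD_KEY, 125000, "Example Shop", nonce, code))
    print("altered merchant rejected: ", issuer_verify(CARD_KEY, 1250, "Other Shop", nonce, code))
```

With a static password the last two checks would succeed just as readily as the first, which is exactly the weakness the researchers describe.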

In the long term, they argue, payments need to move to a trustworthy payment device. This is not rocket science: rather than spending $10 per customer to issue CAP calculators, banks should spend $20 to issue a similar device with a USB interface and a trustworthy display, so the customer can see exactly what they are authorising.

What must be done to make it happen?

Incentives are the key. Visa and MasterCard managed to get 3DS deployed by arranging matters so that merchants and banks benefit (at least in the short term) while consumers lose out. What is needed now is for regulators to intervene on behalf of the consumer. The EU already has the Electronic Signature Directive, which contemplates shifting the liability for electronic transactions to bank customers if they are equipped with a secure electronic signature creation device. The missing word is ‘only’. If the liability shift is permitted only once the technology actually empowers the customer to decide which transactions she will authorise, then the incentives will line up and we might finally start to move toward a sustainable infrastructure for cardholder-not-present payments.

Reference: https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
