Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

Written by Evan Schuman
February 1st, 2010
At a presentation at the Financial Cryptography and Data Security conference, a Cambridge University computer lab team dissected the recent 3-D Secure (3DS) protocol—branded as Verified By Visa and MasterCard SecureCode. The team found that not only was the security lacking, but it sharply undermined other security mechanisms.

"3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol," wrote Cambridge University's Steven J. Murdoch and Ross Anderson. "It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It's bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent." The pair, however, found that 3DS did get one part right: the money and where it comes from. Although "other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts."


5 Comments

  1. Steve Sommers Says:

    Darn, they beat me to the punch! This was on my to-write-about list.

    All the topics in the report I fully agree with. Some banks using ATM PINs for both ATMs and VbV/SC was news to me. While the report said that Visa and MasterCard got the economics right for the merchant, I feel they missed it for the consumer. The agreement most cardholders sign when enrolling for the programs stipulates a significant loss in chargeback rights. In the fine print of many of these agreements is that the consumer can’t dispute a transaction based on “I didn’t make that purchase.”

    I never use these programs for just this reason (plus the fact you have to dissect the page source to confirm it is not a phishing site).

  2. A reader Says:

    Nice paper. Factual conclusions. Utterly useless. It won’t get fixed.

    Remember that Visa is perversely opposed to providing true security for transactions. True security means full end-to-end protection of the transaction, with those endpoints being the customer’s credit card and their bank. In a truly secure model, you don’t trust any part of the network, so any untrustworthy network will suffice. And in that case VisaNet is just like the regular Internet, except with vigorish.

    As long as Visa can continue hand-waving, blaming security faults on retailers, processors, web sites, and everybody but themselves, they can keep raking in the interchange fees. They don’t even accept responsibility for the losses due to fraud because of these weak protocols: those flow to the merchant or to the bank. Visa has every financial incentive to keep the current confusing, insecure model around as long as possible.

    No single retailer (except possibly WalMart) is large enough to orchestrate a change in protocols. A single bank could bring out a secure system for its customers, but it would be more complex than a simple credit card, and customers have incentive to stay with “simple” mag stripes as the mandated $50 limit protects them from liability. And no government agency is going to mandate a security change, as those would be railed against as “expensive” or “anti-business”. It won’t get fixed because the current screwed up system is too profitable for Visa. How screwed up is that?

  3. E t Voorde Says:

    One bank using the card PIN as 3DS password doesn’t prove that the whole protocol is useless.

    Besides that, while the protocol might not be perfect, it does prevent a lot of the very simple Card Not Present fraud happening today.

    Off topic: saying that with EMV the ATM PIN is used for POS is typically UK, because the whole of Europe was already using PINs at POS for magstripe debit transactions for years!

  4. Lucas Zaichkowsky Says:

    The quote from Steven J. Murdoch and Ross Anderson’s report is incomplete. There’s a lot missing between the first sentence and the rest, incorrectly leading the reader to believe 3DS specifies PINs as the method of identity verification. Truth is that only one card issuing bank was found doing that.

    From the report: “The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode has trained cardholders to enter ATM PINs at terminals in shops; training them to enter PINs at random e-commerce sites is just grossly negligent.”

  5. James Lin Says:

    Here’s another acronym: Points-of-Failure (PoF).

    3DS requires additional communications and services to complete a transaction. Both Visa’s directory look-up and the issuing bank’s verifier need to be reachable and running, which poses possible PoFs in a transaction.
