Verified by Visa and MasterCard SecureCode security in question

28 January 2010

The 3D Secure method of online card transaction protection – aka Verified by Visa and MasterCard SecureCode – may not be as secure as the banks are telling us, as a team of security researchers claim there are multiple weaknesses.

The security researchers at the University of Cambridge include Steve Murdoch and Professor Ross Anderson, both of whom are respected in their field, and who have penned a seven-page paper detailing their findings.

Introduced in 2007/2008, 3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions. The technology, which relies on data known only to the cardholder, was originally developed by Visa to improve the security of internet payments and offered to customers as the Verified by Visa service.

Online security services based on the protocol have since also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure.

According to a research paper, which Professor Anderson presented earlier this week at a financial cryptography event in the Canary Islands, most websites gateway to the relevant bank's 3D Secure service as an iFrame embedded in the transaction page. The problem, say the researchers, is that since no URL is displayed for the iFrame, it is difficult for the cardholder to tell whether the page request is a genuine one.
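The weakness described above is that the cardholder cannot see where the embedded frame actually loads from. The browser only shows the merchant's address bar, so the only party able to check the frame's origin before it is shown is the merchant page itself. The following is an added example, not code from the article, the researchers, Visa or MasterCard: a merchant-side allowlist check run on the URL handed back for the 3D Secure step before that URL is assigned to an iframe. The host names in the allowlist are constructed placeholders, and the helper name `validateAcsUrl` is an assumption for illustration.

```javascript
// Added example: validate an issuer ACS (access control server) URL before
// embedding it in an iframe. Hosts below are constructed placeholders.
const ALLOWED_ACS_HOSTS = new Set([
  "acs.example-bank.test",       // constructed placeholder
  "secure.example-issuer.test",  // constructed placeholder
]);

// Returns { ok: true, href } when the candidate is an https URL on an
// allow-listed host, otherwise { ok: false, reason }.
function validateAcsUrl(candidate, allowedHosts = ALLOWED_ACS_HOSTS) {
  let url;
  try {
    url = new URL(candidate);            // WHATWG URL parser (Node and browsers)
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://acs.example-bank.test@evil.example/" parses with the trusted name
  // as the userinfo and evil.example as the host; reject any embedded credentials.
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  if (url.port !== "") {
    return { ok: false, reason: "non-default port" };
  }
  // Exact host match only: a look-alike such as
  // "acs.example-bank.test.evil.example" must not pass a suffix or substring test.
  const host = url.hostname.toLowerCase();
  if (!allowedHosts.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, href: url.href };
}

// Example of the check in front of the embed (DOM access guarded so the
// module also runs outside a browser).
function embedAcsFrame(candidate, doc) {
  const result = validateAcsUrl(candidate);
  if (!result.ok) {
    return result;                       // caller logs the reason and aborts
  }
  if (doc && typeof doc.createElement === "function") {
    const frame = doc.createElement("iframe");
    frame.src = result.href;
    doc.body.appendChild(frame);
  }
  return result;
}
```

This check protects the merchant against embedding a wrong frame; it does nothing for the cardholder, who still sees no address for the frame. That is the researchers' point: a top-level navigation to the issuer's page would at least put the issuer's URL in the address bar, whereas an iframe hides it.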

On top of this, since users are asked to select a password when they first use the 3D Secure system, Murdoch and Anderson note that the online user will be keen to complete the transaction, and less concerned about the security of the password.

Coupled with the fact that 3D Secure is vulnerable to phishing, the research paper asserts that cardholders could have their passwords eavesdropped upon or simply stolen. This is a potential problem, the researchers say, because the terms and conditions relating to a 3D Secure transaction are such that the use of the system is treated as a valid transaction by the banks concerned.

"As few customers object to terms and conditions, banks are free to set terms that shift liability to customers", said the paper, adding that, despite the bank having made many poor security choices, the customer must accept the losses. This, say the researchers, is "a clear example of misplaced incentives."

"The use of passwords also harms customer interests because they no longer have the statutory protection afforded by signatures where, in the UK at least, the law makes a forged signature void and thus prevents banks from using their terms and conditions to make customers liable for forged cheques."

Put simply, Infosecurity notes, this means that someone whose 3D Secure password was misused could find themselves liable for the transactions. To be fair to the banks, however, the researchers say that they have never heard of a cardholder being held liable for a fraudulent 3DS transaction.

So what about other authentication systems such as the Gridsure pictorial replacement for PINs? Whilst these systems are available in the marketplace, the research paper says that most banks have chosen to go for passwords over other systems because "passwords are really cheap."

In response to Anderson's paper, Visa has gone on the PR offensive, claiming that, whilst criminals will always try to defeat security measures, Visa has helped to reduce the level of online fraud and, as a result, cardholders are more comfortable with online transactions.

"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," said Visa. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."
