Verified by Visa and MasterCard SecureCode security in question

The security researchers at the University of Cambridge include Steve Murdoch and Professor Ross Anderson, both of whom are respected in their field, and who have penned a seven-page paper detailing their findings.

First deployed by Visa in 2001, 3D Secure is an XML-based protocol that adds a layer of cardholder authentication to online credit and debit card transactions. It was originally developed by Visa to improve the security of internet payments and offered to cardholders as the Verified by Visa service: the cardholder proves their identity to the card issuer by entering a password known only to them and their bank.

Online security services based on the protocol have since also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure.

According to the paper, which Professor Anderson presented earlier this week at a financial cryptography conference in the Canary Islands, most merchant websites load the card issuer's 3D Secure authentication page inside an iframe embedded in the merchant's own transaction page. The problem, say the researchers, is that an iframe displays no URL and no TLS certificate indicator of its own: the browser's address bar shows only the merchant's address, so the cardholder has no way to tell whether the password form really comes from their bank or from a phishing site that has embedded a lookalike.
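As an added example (not code from the Cambridge paper or from this article), the following Python checks the two sides of the iframe problem just described: which origins a checkout page actually frames, and whether an issuer's 3D Secure page would permit itself to be framed at all. A page that refuses framing (via X-Frame-Options or a CSP frame-ancestors directive) forces a top-level navigation, where the URL and certificate are visible. The hostnames, sample HTML and response headers are constructed placeholders, not real merchant or issuer endpoints.

```python
"""Added example, not code from the Cambridge paper or Infosecurity Magazine.

- extract_framed_origins(): given a merchant checkout page, lists every origin
  loaded in an <iframe>. The address bar shows only the top-level origin, so
  none of these are visible to the cardholder.
- framing_policy(): given the response headers of an issuer's 3D Secure page,
  reports whether a browser would allow it inside an <iframe>.

Hostnames, HTML and headers below are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased, the way a browser compares origins."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def extract_framed_origins(page_url: str, html: str) -> List[Tuple[str, bool]]:
    """Return (origin, is_cross_origin) for each iframe on the page.

    Relative src values are resolved against page_url. A True flag marks a
    frame whose content comes from somewhere other than the address the user
    can see in the address bar.
    """
    collector = _IframeCollector()
    collector.feed(html)
    top = _origin(page_url)
    origins = [_origin(urljoin(page_url, src)) for src in collector.srcs]
    return [(origin, origin != top) for origin in origins]


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify whether a browser may render this response inside an <iframe>.

    Returns "frameable", "same-origin-only", "allow-listed" or "denied".
    A CSP frame-ancestors directive, when present, overrides X-Frame-Options,
    as browsers do; the obsolete X-Frame-Options: ALLOW-FROM form is treated
    as allow-listed. Header names are matched case-insensitively.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "denied"
            if all(s == "'self'" for s in sources):
                return "same-origin-only"
            return "allow-listed"
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "denied"
    if xfo == "sameorigin":
        return "same-origin-only"
    if xfo.startswith("allow-from"):
        return "allow-listed"
    return "frameable"


# Constructed checkout page: the merchant's own content plus the issuer's 3D
# Secure page in a frame. The address bar shows only shop.example.test.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<h1>Confirm your order</h1>
<iframe src="https://acs.issuer-bank.test/3ds/auth?tx=42" width="400" height="400"></iframe>
<iframe src="/static/terms.html"></iframe>
</body></html>
"""

# Constructed issuer responses: one that can be framed anywhere, one that
# refuses framing and therefore only works as a top-level page.
SAMPLE_ACS_HEADERS_FRAMEABLE = {"Content-Type": "text/html"}
SAMPLE_ACS_HEADERS_HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for origin, cross in extract_framed_origins("https://shop.example.test/checkout", SAMPLE_CHECKOUT_HTML):
        print(f"framed origin {origin} ({'hidden from address bar' if cross else 'same as address bar'})")
    print("frameable ACS:", framing_policy(SAMPLE_ACS_HEADERS_FRAMEABLE))
    print("hardened ACS: ", framing_policy(SAMPLE_ACS_HEADERS_HARDENED))
```

Refusing to be framed is one possible mitigation, not one the paper or Visa proposes; it trades the embedded experience for a redirect in which the cardholder can at least read the bank's address and certificate before typing a password.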

On top of this, banks typically enrol customers through "activation during shopping": the first time a card is used at a participating merchant, the cardholder is asked to choose a 3D Secure password in the middle of the checkout. Murdoch and Anderson note that a user in that position is keen to complete the transaction and correspondingly less concerned about choosing a strong password, or about questioning why a password is suddenly being requested.

Coupled with 3D Secure's vulnerability to phishing, this means, the paper asserts, that cardholders could have their passwords eavesdropped or simply stolen. That matters, the researchers say, because the terms and conditions governing 3D Secure treat a transaction authenticated with the password as one the cardholder authorised, so the banks concerned regard it as valid.

"As few customers object to terms and conditions, banks are free to set terms that shift liability to customers", said the paper, adding that, despite the bank having made many poor security choices, the customer must accept the losses. This, say the researchers, is "a clear example of misplaced incentives."

"The use of passwords also harms customer interests because they no longer have the statutory protection afforded by signatures where, in the UK at least, the law makes a forged signature void and thus prevents banks from using their terms and conditions to make customers liable for forged cheques."

Put simply, Infosecurity notes, this means that someone whose 3D Secure password was misused could find themselves liable for the resulting transactions. To be fair to the banks, however, the researchers say that they have never heard of a cardholder being held liable for a fraudulent 3DS transaction.

So what about other authentication systems, such as the Gridsure pictorial replacement for PINs? While such systems are available in the marketplace, the paper says most banks have chosen passwords over them because, in the researchers' words, "passwords are really cheap."

In response to Anderson's paper, Visa has gone on the PR offensive, claiming that, whilst criminals will always try to defeat security measures, Visa has helped to reduce the level of online fraud and, as a result, cardholders are more comfortable with online transactions.

"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," said Visa. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."
