The insecurity of Verified by Visa and MasterCard SecureCode

An article on the H points to this paper by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D secure (3DS) protocol used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of each transaction to the card issuer or its contractors.

Banks also use the supposed additional security of 3DS to shift liability for fraudulent use towards the customer.

What’s wrong with 3DS? The authors list a number of issues. The 3DS system throws up a request for additional authentication in a pop-up dialog or iFrame, which means you cannot easily check its source; it could be a phishing attack. The memorable pass phrase that is meant to prevent this is vulnerable to man-in-the-middle attacks, as well as impatient users who might not bother to read it. Password reset mechanisms are often poorly implemented, and may depend on semi-public information such as date of birth.

The authors suggest that a simple approval process, such as a text message to your phone asking for an authorisation code, would be more secure, even if only as a stop-gap before adopting a more robust solution.

I find it surprising that 3DS has been adopted so widely despite well-known flaws. As the authors note:

3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it’s probably the largest single sign-on system ever deployed.

Well, with this post I am doing my bit.

3 thoughts on “The insecurity of Verified by Visa and MasterCard SecureCode”

  1. It is rather worse than that, because the 3DS system takes control away from the host web site, providing plenty of opportunity for screw-ups when you come back. I’ve seen one web site where I was returned to a browser error on the host site of “URL is not syntactically valid”. When I clicked OK on the dialog I got a blank screen. Customer support for the host web site insisted that this was not their problem.

    I’m also a little dubious about the habit that RBS (and possibly other banks) have of asking for just a few randomly-selected characters from the pass phrase. Surely this only reduces the number of characters an algorithm has to guess.

    Sadly, however, I don’t think UK banks care. Their primary objective appears to not to prevent fraud, but to put all of the responsibility onto the card owner. I also have credit cards drawn on US banks, which are much more responsible, and I use them wherever possible. (Of course many UK web sites won’t accept credit cards not registered at a UK address. Goodness knows how tourists manage.)

  2. Cheryl, I think the “asking for just a few randomly-selected characters from the pass phrase” makes a lot of sense: think if keyloggers.

    Especially the way some banks implement it: they put the characters in drop-down lists, in such a way (padded with spaces) that also stops you keying the letters/numbers.

Comments are closed.