<h1>The insecurity of Verified by Visa and MasterCard SecureCode</h1>
<p>Published 27 January 2010 at <a href="https://www.itwriting.com/blog/2171-the-insecurity-of-verified-by-visa-and-mastercard-securecode.html">itwriting.com</a>. Categories: Internet, Security. Tags: 3-D Secure, Security, Verified by Visa.</p>
<p>An <a href="http://www.h-online.com/security/news/item/Researchers-criticise-3D-Secure-credit-card-authentication-914144.html">article on the H</a> points to <a href="http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf">this paper</a> by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D Secure (3DS) protocol used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of each transaction to the card issuer or its contractors.</p>
<p>Banks also use the supposed additional security of 3DS to shift liability for fraudulent use towards the customer.</p>
<p>What’s wrong with 3DS? The authors list a number of issues. The 3DS system throws up a request for additional authentication in a pop-up dialog or iFrame, which means you cannot easily check its source; it could be a phishing attack. The memorable pass phrase that is meant to prevent this is vulnerable to man-in-the-middle attacks, and is in any case undermined by impatient users who may not bother to read it. Password reset mechanisms are often poorly implemented, and may depend on semi-public information such as date of birth.</p>
<p>The authors suggest that a simple approval process, such as a text message to your phone asking for an authorisation code, would be more secure, even if only as a stop-gap before adopting a more robust solution.</p>
<p>I find it surprising that 3DS has been adopted so widely despite well-known flaws. As the authors note:</p>
<blockquote><p>3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it’s probably the largest single sign-on system ever deployed.</p></blockquote>
<p>Well, with this post I am doing my bit.</p>