Cambridge University Calls Verified By Visa Secure Protocol Terrible Security
Written by Evan SchumanAt a presentation at the Financial Cryptography and Data Security conference, a Cambridge University computer lab team dissected the recent 3-D Secure (3DS) protocol—branded as Verified By Visa and MasterCard SecureCode. The team found that not only was the security lacking, but it sharply undermined other security mechanisms.
“3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol,” wrote Cambridge University’s Steven J. Murdoch and Ross Anderson. “It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent.”
The pair, however, found that 3DS did get one part right: the money and where it comes from. Although “other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts.”
The report is an impressive indictment of the processes surrounding the popular security tactic. (We quote extensively from the report in this article but have also link to the report’s full text.)
Murdoch and Anderson argue that the methodology 3DS uses actually undermines routine security procedures.
“In the initial form, 3DS would pop up a password entry form to a bank customer who attempted an online card payment. [The customer] would enter a password and, if it was correct, would be returned to the merchant Web site to complete the transaction,” the report said. “Difficulties arose with pop-up blockers, and now the recommended mode of operation uses inline-frames (‘iframe’). The merchant passes the card number to Visa or MasterCard and gets back a URL to embed in an iframe to display to the customer. If the customer executes the protocol successfully, the merchant gets an authorization code to submit to his bank. Security economics teaches that you’re unlikely to get a secure system if Alice guards it while Bob pays the cost of failure.”
The problem with this process is that it contradicts conventional anti-phishing advice, which makes such attacks more likely to succeed. “The standard advice given to customers to prevent phishing attacks is that they should only enter their bank password in TLS secured sites and where they have verified the domain name matches what they expect. Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password,” the report said. “This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice (as do E-mails from banks containing clickable URLs). In fact, when one of the authors first encountered 3DS, he established that the iframe came from securesuite.co.uk and called his bank, who informed him that this was a phishing site. Actually, this domain name belongs to Cyota (owned by RSA), the company to which many U.K. banks have outsourced the 3DS authentication process.”
-Marc
February 4th, 2010 at 12:51 pm
Darn, they beat me to the punch! This was on my to-write-about list.
All the topics in the report I fully agree with. Some banks using ATM PINs for both ATMs and VbV/SC5 was news to me. While the report said that Visa and MasterCard got the economics right for the merchant, I feel they missed it for the consumer. The agreement most cardholder’s sign when enrolling for the programs stipulate a significant loss in charge back rights. In the fine print of many of these agreements is that the consumer can’t dispute a transactions based on “I didn’t make that purchase.”
I never use these programs for just this reason (plus the fact you have to dissect the page source to confirm it is not a phishing site).
February 5th, 2010 at 9:21 am
Nice paper. Factual conclusions. Utterly useless. It won’t get fixed.
Remember that Visa is perversely opposed to providing true security for transactions. True security means full end-to-end protection of the transaction, with those endpoints being the customer’s credit card and their bank. In a truly secure model, you don’t trust any part of the network, so any untrustworthy network will suffice. And in that case VisaNet is just like the regular Internet, except with vigorish.
As long as Visa can continue hand-waving, blaming security faults on retailers, processors, web sites, and everybody but themselves, they can keep raking in the interchange fees. They don’t even accept responsibility for the losses due to fraud because of these weak protocols: those flow to the merchant or to the bank. Visa has every financial incentive to keep the current confusing, insecure model around as long as possible.
No single retailer (except possibly WalMart) is large enough to orchestrate a change in protocols. A single bank could bring out a secure system for its customers, but it would be more complex than a simple credit card, and customers have incentive to stay with “simple” mag stripes as the mandated $50 limit protects them from liability. And no government agency is going to mandate a security change, as those would be railed against as “expensive” or “anti-business”. It won’t get fixed because the current screwed up system is too profitable for Visa. How screwed up is that?
February 6th, 2010 at 10:56 am
One bank using the card PIN as 3DS password doesn’t prove that the whole protocol is useless.
Besides that, the protocol might not be perfect, it does prevent from a lot of very simple Card Not Present fraud happening today.
Offtopic: saying that with EMV the ATM PIN is used for POS is typically UK, because whole Europe was already using PIN in POS in magstripe debit transactions for years!
February 18th, 2010 at 12:19 pm
The quote from Steven J. Murdoch and Ross Anderson’s report is incomplete. There’s a lot missing between the first sentence and the rest, incorrectly leading the reader to believe 3DS specifies PINs as the method of identity verification. Truth is that only one card issuing bank was found doing that.
From the report: “The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode has trained cardholders to enter ATM PINs at terminals in shops; training them to enter PINs at random e-commerce sites is just grossly negligent.”
April 7th, 2010 at 12:56 pm
Here’s another acronym: Points-of-Failure (PoF).
3DS requires additional communications and services to complete a transaction. Both the Visa’s directory look-up and issuing bank’s verifier need to be reachable and running which poses possible PoF in a transaction.