Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

Written by Evan Schuman
February 1st, 2010

At a presentation at the Financial Cryptography and Data Security conference, a Cambridge University computer lab team dissected the recent 3-D Secure (3DS) protocol—branded as Verified By Visa and MasterCard SecureCode. The team found that not only was the security lacking, but it sharply undermined other security mechanisms.

“3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol,” wrote Cambridge University’s Steven J. Murdoch and Ross Anderson. “It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent.”

The pair, however, found that 3DS did get one part right: the money and where it comes from. Although “other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts.”

The report is an impressive indictment of the processes surrounding the popular security tactic. (We quote extensively from the report in this article but have also link to the report’s full text.)

Murdoch and Anderson argue that the methodology 3DS uses actually undermines routine security procedures.

“In the initial form, 3DS would pop up a password entry form to a bank customer who attempted an online card payment. [The customer] would enter a password and, if it was correct, would be returned to the merchant Web site to complete the transaction,” the report said. “Difficulties arose with pop-up blockers, and now the recommended mode of operation uses inline-frames (‘iframe’). The merchant passes the card number to Visa or MasterCard and gets back a URL to embed in an iframe to display to the customer. If the customer executes the protocol successfully, the merchant gets an authorization code to submit to his bank. Security economics teaches that you’re unlikely to get a secure system if Alice guards it while Bob pays the cost of failure.”

The problem with this process is that it contradicts conventional anti-phishing advice, which makes such attacks more likely to succeed. “The standard advice given to customers to prevent phishing attacks is that they should only enter their bank password in TLS secured sites and where they have verified the domain name matches what they expect. Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password,” the report said. “This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice (as do E-mails from banks containing clickable URLs). In fact, when one of the authors first encountered 3DS, he established that the iframe came from and called his bank, who informed him that this was a phishing site. Actually, this domain name belongs to Cyota (owned by RSA), the company to which many U.K. banks have outsourced the 3DS authentication process.”


5 Comments | Read Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

  1. Steve Sommers Says:

    Darn, they beat me to the punch! This was on my to-write-about list.

    All the topics in the report I fully agree with. Some banks using ATM PINs for both ATMs and VbV/SC5 was news to me. While the report said that Visa and MasterCard got the economics right for the merchant, I feel they missed it for the consumer. The agreement most cardholder’s sign when enrolling for the programs stipulate a significant loss in charge back rights. In the fine print of many of these agreements is that the consumer can’t dispute a transactions based on “I didn’t make that purchase.”

    I never use these programs for just this reason (plus the fact you have to dissect the page source to confirm it is not a phishing site).

  2. A reader Says:

    Nice paper. Factual conclusions. Utterly useless. It won’t get fixed.

    Remember that Visa is perversely opposed to providing true security for transactions. True security means full end-to-end protection of the transaction, with those endpoints being the customer’s credit card and their bank. In a truly secure model, you don’t trust any part of the network, so any untrustworthy network will suffice. And in that case VisaNet is just like the regular Internet, except with vigorish.

    As long as Visa can continue hand-waving, blaming security faults on retailers, processors, web sites, and everybody but themselves, they can keep raking in the interchange fees. They don’t even accept responsibility for the losses due to fraud because of these weak protocols: those flow to the merchant or to the bank. Visa has every financial incentive to keep the current confusing, insecure model around as long as possible.

    No single retailer (except possibly WalMart) is large enough to orchestrate a change in protocols. A single bank could bring out a secure system for its customers, but it would be more complex than a simple credit card, and customers have incentive to stay with “simple” mag stripes as the mandated $50 limit protects them from liability. And no government agency is going to mandate a security change, as those would be railed against as “expensive” or “anti-business”. It won’t get fixed because the current screwed up system is too profitable for Visa. How screwed up is that?

  3. E t Voorde Says:

    One bank using the card PIN as 3DS password doesn’t prove that the whole protocol is useless.

    Besides that, the protocol might not be perfect, it does prevent from a lot of very simple Card Not Present fraud happening today.

    Offtopic: saying that with EMV the ATM PIN is used for POS is typically UK, because whole Europe was already using PIN in POS in magstripe debit transactions for years!

  4. Lucas Zaichkowsky Says:

    The quote from Steven J. Murdoch and Ross Anderson’s report is incomplete. There’s a lot missing between the first sentence and the rest, incorrectly leading the reader to believe 3DS specifies PINs as the method of identity verification. Truth is that only one card issuing bank was found doing that.

    From the report: “The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode has trained cardholders to enter ATM PINs at terminals in shops; training them to enter PINs at random e-commerce sites is just grossly negligent.”

  5. James Lin Says:

    Here’s another acronym: Points-of-Failure (PoF).

    3DS requires additional communications and services to complete a transaction. Both the Visa’s directory look-up and issuing bank’s verifier need to be reachable and running which poses possible PoF in a transaction.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.