This is page 2 of:
Cambridge University Calls Verified By Visa Secure Protocol Terrible Security
The report also takes issue with how 3DS handles passwords, which is already getting quite difficult.
“Before 3DS can be used to authenticate transactions, cardholders must register a password with their bank. A reasonably secure method would be to send a password to the customer’s registered address. But to save money, the typical bank merely solicits a password online the first time the customer shops online with a 3DS-enabled card, known as activation during shopping (ADS),” the Cambridge University paper said. “To confirm that the customer is the authorized cardholder, the ADS form may ask for some weak authenticators (e.g., date of birth), although not all banks do even this. From the customer’s perspective, an online shopping Web site is asking for personal details. This further undermines customers’ security usability and trust experience, and it is being exploited by criminals, as phishing Web sites impersonating the ADS form to ask for banking details. Also, because setting a password is a secondary task, [customers] are more likely to choose a poor password, or one they use elsewhere. While Visa requires that customers can opt out at least the first three times, banks may try to force 3DS activation after this stage by preventing the purchase. One of the authors attempted to opt out of using 3DS with a Maestro product. The issuer, the NatWest Bank (now majority-owned by the U.K. Government), did not allow even one card use without activating 3DS for the account.”
The password problems get even worse.
“The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This [step] is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN,” the report said. “It’s bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent. Another issuer-specified choice is how to reset the password when a customer forgets it. Here, again, corners are cut. Some banks respond to one or two failed password attempts by prompting an online password reset using essentially the same mechanisms as ADS. In a number of cases, the bank requires only the cardholder’s date of birth, which is easily available from public records. With one (U.K. Government-owned) bank, two wrong password attempts simply lead to an invitation to set a new password.”
This issue is a classic battle between expediency and security. To be fair, there is a legitimate security advantage to expediency–if and only if it sharply increases consumer participation, and if and only if that increased participation improves security. Yes, there’s a PCI parallel argument here–namely, that even with all of its issues, PCI has still sharply improved retail security.
That said, the Cambridge University report’s well-reasoned case against the 3DS approach is more than enough to give security executives pause. But at this stage of marketshare acceptance, is it too late? As a practical matter, this siren is indeed probably much too late.
-Marc
February 4th, 2010 at 12:51 pm
Darn, they beat me to the punch! This was on my to-write-about list.
All the topics in the report I fully agree with. Some banks using ATM PINs for both ATMs and VbV/SC5 was news to me. While the report said that Visa and MasterCard got the economics right for the merchant, I feel they missed it for the consumer. The agreement most cardholder’s sign when enrolling for the programs stipulate a significant loss in charge back rights. In the fine print of many of these agreements is that the consumer can’t dispute a transactions based on “I didn’t make that purchase.”
I never use these programs for just this reason (plus the fact you have to dissect the page source to confirm it is not a phishing site).
February 5th, 2010 at 9:21 am
Nice paper. Factual conclusions. Utterly useless. It won’t get fixed.
Remember that Visa is perversely opposed to providing true security for transactions. True security means full end-to-end protection of the transaction, with those endpoints being the customer’s credit card and their bank. In a truly secure model, you don’t trust any part of the network, so any untrustworthy network will suffice. And in that case VisaNet is just like the regular Internet, except with vigorish.
As long as Visa can continue hand-waving, blaming security faults on retailers, processors, web sites, and everybody but themselves, they can keep raking in the interchange fees. They don’t even accept responsibility for the losses due to fraud because of these weak protocols: those flow to the merchant or to the bank. Visa has every financial incentive to keep the current confusing, insecure model around as long as possible.
No single retailer (except possibly WalMart) is large enough to orchestrate a change in protocols. A single bank could bring out a secure system for its customers, but it would be more complex than a simple credit card, and customers have incentive to stay with “simple” mag stripes as the mandated $50 limit protects them from liability. And no government agency is going to mandate a security change, as those would be railed against as “expensive” or “anti-business”. It won’t get fixed because the current screwed up system is too profitable for Visa. How screwed up is that?
February 6th, 2010 at 10:56 am
One bank using the card PIN as 3DS password doesn’t prove that the whole protocol is useless.
Besides that, the protocol might not be perfect, it does prevent from a lot of very simple Card Not Present fraud happening today.
Offtopic: saying that with EMV the ATM PIN is used for POS is typically UK, because whole Europe was already using PIN in POS in magstripe debit transactions for years!
February 18th, 2010 at 12:19 pm
The quote from Steven J. Murdoch and Ross Anderson’s report is incomplete. There’s a lot missing between the first sentence and the rest, incorrectly leading the reader to believe 3DS specifies PINs as the method of identity verification. Truth is that only one card issuing bank was found doing that.
From the report: “The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode has trained cardholders to enter ATM PINs at terminals in shops; training them to enter PINs at random e-commerce sites is just grossly negligent.”
April 7th, 2010 at 12:56 pm
Here’s another acronym: Points-of-Failure (PoF).
3DS requires additional communications and services to complete a transaction. Both the Visa’s directory look-up and issuing bank’s verifier need to be reachable and running which poses possible PoF in a transaction.