
Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."
  • by Anonymous Coward on Thursday January 28, 2010 @04:14PM (#30939996)

    Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

    I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

  • Sharath (Score:1, Funny)

    by Anonymous Coward on Thursday January 28, 2010 @04:40PM (#30940582)

    can't believe this..the people simply start commenting having just half knowledge.. 3DS protocol is secure and helps banks to choose the method that it uses to verify its customer. It's left to banks how they want to authenticate its card holder. Few banks have chosen to keep static password while others use OTPs. In future banks would use IVR calls or Voice authentication or some other technology to identify its customer but the protocol does not change.

    Few merchants may have implemented the flow wrongly.. merchants are supposed to re-direct the customer to his bank site and not show in frame or i-frame; that is just a bad implementation and is an invitation for phishing attack. In India at least as far as I have seen none of the merchants use i-frame thing.. almost all the merchants re-direct the customer to his bank for verification and customer can clearly see the url of bank server (or provider) that is authenticating him.

    It's like telling.. if one drunk driver crashes a car and kills himself cars are unsafe.. :P

  • by steelfood ( 895457 ) on Thursday January 28, 2010 @04:45PM (#30940706)

    Plane ticket: $350
    Hotel room for 5 nights: $500
    Rental car for 6 days: $200
    Broadway show tickets for two: $300
    Finding out your VISA card doesn't work but your Master Card does: priceless.

  • Re:Lol (Score:4, Funny)

    by Wintermute__ ( 22920 ) on Thursday January 28, 2010 @05:48PM (#30941920)

    My Chase MC and Visa required this to be set up and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.

    See that! You're more secure already!

    And you doubted the value of this valuable security feature...

  • by Nicolas MONNET ( 4727 ) <nicoaltiva.gmail@com> on Friday January 29, 2010 @07:14AM (#30947674) Journal

    Chip cards have been in use for a very long time in France. They all have mag stripes, mainly because that's what most ATMs use anyway, but also for use abroad. The mag stripe contains information as to whether the card also has a chip, so that even when an authorisation (the terminal phoning the acquirer) is not required, it can decide to deny the transaction preemptively if the card is supposed to have a pin and the terminal is supposed to be able to read it.

    In that case I guess the bank is just being incompetent, and failed to implement the ultra-advanced algorithm:

    if (card.haschip() && terminal.haschipreader())
            return MUSTUSECHIP;
    else
            return ITSOKTOUSETHEMAGSTRIPE;
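
Added example (not part of the comment above, nor any bank's or terminal vendor's code): the chip-fallback check the comment describes, written out in C. It assumes the "card has a chip" indicator is the first digit of the Track 2 service code (2 or 6 under ISO/IEC 7813); the function names and the sample track, built on a test card number, are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum decision { MUST_USE_CHIP, MAGSTRIPE_OK, BAD_TRACK };

/* Track 2 layout: ';' PAN(1-19 digits) '=' YYMM SSS discretionary '?'
 * Returns the first service-code digit, or -1 if the track is malformed. */
int service_code_first_digit(const char *track2)
{
    const char *sep = strchr(track2, '=');
    if (track2[0] != ';' || sep == NULL)
        return -1;
    size_t pan_len = (size_t)(sep - (track2 + 1));
    if (pan_len < 1 || pan_len > 19)
        return -1;
    for (const char *p = track2 + 1; p < sep; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    /* sep[1..4] = expiry, sep[5..7] = service code; a short track hits
     * the terminating NUL here and is rejected before any overread. */
    for (int i = 1; i <= 7; i++)
        if (!isdigit((unsigned char)sep[i]))
            return -1;
    return sep[5] - '0';
}

/* Assumption: first digit 2 or 6 means "card has a chip, use it where feasible". */
enum decision swipe_decision(const char *track2, bool terminal_has_chip_reader)
{
    int d = service_code_first_digit(track2);
    if (d < 0)
        return BAD_TRACK;
    bool card_has_chip = (d == 2 || d == 6);
    if (card_has_chip && terminal_has_chip_reader)
        return MUST_USE_CHIP;       /* refuse the swipe, ask for the chip */
    return MAGSTRIPE_OK;
}

int main(void)
{
    /* Constructed sample: test PAN, expiry 3012, service code 201. */
    const char *t = ";4111111111111111=30122010000000000?";
    printf("chip terminal: %d, stripe-only terminal: %d\n",
           swipe_decision(t, true), swipe_decision(t, false));
    return 0;
}
```

A malformed or truncated track returns BAD_TRACK rather than defaulting to MAGSTRIPE_OK, so a damaged stripe cannot be used to skip the chip check.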
