Why "Verified By Visa" System Is Insecure
angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."
Welcome to 3 years ago (Score:5, Informative)
I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.
3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.
Only problem is, it's crap.
Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.
If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.
Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.
Re:Welcome to 3 years ago (Score:1, Informative)
Agreed. A while back we got a few unexplainable card not authorised failures. Turned out these cards were 3DS cards.
So I asked the internet guys if we should implement 3DS on our system to avoid losing sales.
Their answer was almost word for word verbatim what you've given: "It transfers the liability from them to the customer, it is not secure".
We have not implemented 3DS on our site. We have no intention of doing so.
Re:Recommendations? (Score:3, Informative)
Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.
http://www.discovercard.com/customer-service/security/create-soan.html [discovercard.com]
What Is The Point Of 6 Digit Password? (Score:4, Informative)
I've used the service 3 times... guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password (8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.
Re:Welcome to 3 years ago (Score:3, Informative)
Frankly, I was treated like some kind of criminal subversive for presenting a credit card that didn't have a CHIP on it. I was told by some retailers (a mobile phone co) that they could not accept my card as ALL cards HAD to be Chip & PIN. It took a bit of experimenting with other retailers for them to work out that if you inserted a non C&P card into the chip slot, it asked you to swipe it. Although, some terminals didn't have swipe-y bits.
It seemed to be a shock to many that not all countries have cards with chip and pin on them.
Many retailers refused to believe, or be able to sell to me if I didn't have a postcode. (I'm visiting. Why do you need a postcode? I don't have one!).
This was outside the main tourist bits perhaps (West Midlands), but still...
Re:Welcome to 3 years ago (Score:3, Informative)
Re:Recommendations? (Score:2, Informative)
http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425 [citicards.com]
I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending limit, or both on. It has basically everything else in your list as well. You can even dispute charges online without having to call anyone (just finished this and the charge was reversed within 2 days without me having to talk to anyone on the phone). It also does have pretty nice rewards anyway, fairly reasonable interest rates, and an interest rate that will drop by
Re:I'd rather use (Score:4, Informative)
Re:Welcome to 3 years ago (Score:3, Informative)
You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.
Really?
You'd better tell the people whose chip cards have been cloned. [thisismoney.co.uk]
Re:Welcome to 3 years ago (Score:4, Informative)
Also:
1. Always carry more than one card (one each of Visa and MC for example).
2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.
Re:I just use Paypal (Score:4, Informative)
Re:Recommendations? (Score:3, Informative)
MBNA's (now owned by BofA) ShopSafe.
Re:Welcome to 3 years ago (Score:4, Informative)
Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.
Re:Welcome to 3 years ago (Score:1, Informative)
Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.
I really did give that exact post code, last time I bought a TV. The poor sales clerk confirmed the address on the till -- "Prime Minister and First Lord of the Treasury". Didn't ask me for the number.
The TV before, I asked why I needed to provide an address. I was assured it wasn't for marketing reasons. I gave my work address -- BBC Television Centre, Wood Lane, London, W12 7RJ.
12 months later, I receive a letter from Comet at work telling me my guarantee was due. No way they could get that address aside from the "TV Licensing demands it, not for marketing use".
Re:Recommendations? (Score:1, Informative)
Charles Schwab Visa card meets all your above requirements and more, 2% REAL CASH back next month deposited straight into your brokerage account. No monthly fees, no bonus points hassle, you just pay.
I think the online application is hidden for now, if you google I'm sure you'll find some threads on finance forums.
Airport Security (Score:2, Informative)