
Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."
  • I'd rather use (Score:5, Insightful)

    by sconeu ( 64226 ) on Thursday January 28, 2010 @03:40PM (#30939376) Homepage Journal

    Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.

  • by Anonymous Coward on Thursday January 28, 2010 @03:44PM (#30939464)

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.

  • Re:Lol (Score:4, Insightful)

    by FlyingBishop ( 1293238 ) on Thursday January 28, 2010 @03:45PM (#30939472)

    No, because it's in an iFrame it's less secure than having nothing at all. When you're pulling data from two different sites on the same page, it's much easier for a third party to insert their own fields without you knowing.

  • by Ken D ( 100098 ) on Thursday January 28, 2010 @03:49PM (#30939566)

    Exactly.
    By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that it's secure so I won't use it.

    Pseudo-security => All Pain, No Gain.

  • by Qzukk ( 229616 ) on Thursday January 28, 2010 @04:00PM (#30939760) Journal

    As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.

    Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.

  • by pavon ( 30274 ) on Thursday January 28, 2010 @04:22PM (#30940164)

    I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

    No kidding. What is worse is that every time I have been shown the verification page it wasn't even hosted at something obviously legitimate like verify.visa.com, but rather the domain was some other corporation related to Visa (can't remember the name right now).

  • by Threni ( 635302 ) on Thursday January 28, 2010 @04:53PM (#30940886)

    Your problems are all related to the desire to stop fraud. You're not a subversive - you're just a little unusual. If you use a mag swipe and the card turns out to be stolen, the store loses out. So, unsurprisingly, some stores would rather not serve you. With chip and pin, they'll not lose out if the card turns out to be stolen/fraudulently used. Ditto the post code - they wanted it so they could check it against the postcode the card is registered against. In the perfect world the store staff would know some people, especially tourists/foreigners, don't have chip and pin cards but really the store staff don't give a shit about you - they're just there to get paid, and frankly don't care whether you buy anything or not. I'm sure the store managers are a little more concerned you have a good time, but you're just going to have to get used to being asked awkward questions, or perhaps pay cash.

  • by ehud42 ( 314607 ) on Thursday January 28, 2010 @04:55PM (#30940916) Homepage

    I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.

  • by Anonymous Coward on Thursday January 28, 2010 @05:04PM (#30941092)

    In the UK, the server's domain name is securesuite.co.uk. How is the average user going to be aware that the domain is legit? Furthermore, most merchants seem to use iframes (seen some popups too) so you can't even see the domain unless you right-click->properties. Pretty stupid.

  • by Anonymous Coward on Thursday January 28, 2010 @05:08PM (#30941194)

    It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

    I am well aware of the smartcard chips found in many countries.

    But:

    - Many banks issue cards with CHIPS and with MAGNETIC STRIPES since there still are many merchants without CHIP readers
    - His bank issues cards with CHIPS and with MAGNETIC STRIPES
    - His bank declines all transactions with MAGNETIC STRIPES

    My question was why do they bother with MAGNETIC STRIPES on their cards since they are always declined? It would be easier to issue cards WITHOUT magnetic stripes since then you wouldn't try to use the MAGNETIC STRIPES, and then call up the bank asking about the failed purchase.

  • Re:Lol (Score:5, Insightful)

    by Trails ( 629752 ) on Thursday January 28, 2010 @05:18PM (#30941392)

    Security is about tradeoffs. So, let's be clear. iFrame = bad, I agree with you. But let's take it further, let's look at what you're getting. I've hit verified by visa a couple times, I always forget my password. In part, my standard repertoire of passwords don't work because it only accepts letters and numbers, my passwords often contain various symbols. In other words, the limitations on the password characters limit the number of possible passwords. Not great, though not as bad as the iframe thing. So I use the "forgot your password" flow every time. The genius thing about that is that it asks me stuff I'd already entered on the retailer's purchase form. There's no additional info required, it's all fairly standard "accessible" user profile info, but for the re-entering of the card details. So, to be clear, from a quantitative aspect we have 1 bad and 1 "not so hot". But what have we gained? Nothing!!! It's online security theatre. It's about as effective as a Dutch Airport security officer.

  • by Anonymous Coward on Thursday January 28, 2010 @05:32PM (#30941632)

    Of course you would never use your bank account number, but what's the risk with a credit card? If there's a fraudulent charge, you dispute it and pay nothing. Maybe I'm wrong, but I've never heard of PayPal providing the same level of protection as a credit card.

  • No surprise (Score:5, Insightful)

    by sjames ( 1099 ) on Thursday January 28, 2010 @05:42PM (#30941794) Homepage Journal

    The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

    Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

    In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

    In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.

  • by orlanz ( 882574 ) on Thursday January 28, 2010 @06:04PM (#30942216)

    I am a long time credit card user (don't believe in cash). I ran into this a few months back with Walmart online. It actually looked like a scam. And you are right about the security aspect, just an offloading of (increased) risk. It pops out of nowhere and the new page's instructions clearly said it was optional and I can hit cancel. BUT, there was no cancel button, I even looked in the source code. So I closed the browser.

    This was considered _fraudulent_activity_ and locked my card for a while (automatic, no warning). I basically had to tell them: I don't want to sign up for the "optional feature" and I leave it to you if you want to keep my card locked. I just started using my MC. A Visa card that used to get charged 2-3k a month in business charges now gets about $50. I think Visa completely, utterly screwed up with not only the idea, but the implementation, and the very approach of presenting the system. A colossal failure for Visa and a big win for MC. If MC starts it, rest assured, I will move to Discover and so on with Paypal at the end.

    A credit card is supposed to provide you with security and convenience. This system gives you neither! Now, you basically have the risk of a TON of cash sitting behind yet another password only _you_ are supposed to know. There are better ways to provide FAR more security with a negligible loss of convenience at a slightly higher price (ex: personal and one time pins), but I guess Visa just wanted to waste money tricking its customers into accepting a lot of the merchant's and Visa's risk.

  • by pjt33 ( 739471 ) on Thursday January 28, 2010 @06:16PM (#30942422)

    But if I lock it with a 50 cent padlock then it's locked, but extremely easy to open.
