Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

  • Re:Lol (Score:5, Interesting)

    by tatsuyame ( 1531849 ) on Thursday January 28, 2010 @03:38PM (#30939322)
    It's not. I tried making a purchase on newegg, got to the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.
  • oops! (Score:1, Interesting)

    by methano ( 519830 ) on Thursday January 28, 2010 @03:42PM (#30939432)
    I first read this as verified by Vista and I wasn't surprised. Just thought they were beating a dead horse.
  • Re:Lol (Score:3, Interesting)

    by Kamokazi ( 1080091 ) on Thursday January 28, 2010 @03:44PM (#30939456)
    I used my Visa instead of my usual MC on Newegg for a Christmas gift and it came up for the first time ever. I closed the window intending to buy it on my MC instead, but the payment still went through. 2 days later I got a call from the Visa fraud department...haha. I told the lady the verified thing was a bullshit pain in the ass and she let me on my way. Haven't used my Visa since.
  • Re:Lol (Score:1, Interesting)

    by Anonymous Coward on Thursday January 28, 2010 @03:47PM (#30939538)

    Similar thing happened to me; in my case I couldn't remember the password for that card, so I canceled the verified by visa thingy and used a different card. When I was done with the order using the second card, I saw that the first one went through regardless of a successful verified by visa thing.
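    The three reports above (tatsuyame, Kamokazi and the AC) describe the same merchant-side failure: the order was authorized even though the 3DS step was never completed. In 3DS 1.0 the issuer's ACS hands its result (a PARes with a TX status of Y, N, U or A) back to the merchant through the cardholder's own browser, so a merchant that proceeds on "no result" or on "anything but N", and that does not verify the result's signature, has effectively opted out of the check. The following is an added example written for this page, not code from Slashdot, Visa, MasterCard or any payment provider; the minimal XML, the HMAC standing in for the ACS's XML signature, and the key are constructed assumptions so it runs offline.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the ACS signing key (assumption). A real PARes
# carries an XML digital signature from the issuer's ACS; the HMAC here only
# lets the example run offline.
ACS_KEY = b"example-acs-signing-key"


def sign_pares(xml_bytes, key=ACS_KEY):
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def make_pares(status, key=ACS_KEY):
    """Construct a minimal PARes-like message carrying one TX status.
    Real 3DS 1.0 PARes documents are far larger; only the status is modelled."""
    body = "<PARes><TX><status>{}</status></TX></PARes>".format(status).encode()
    return {"xml": body, "sig": sign_pares(body, key)}


def pares_status(pares):
    return ET.fromstring(pares["xml"]).findtext("./TX/status")


def naive_decision(pares):
    """The behaviour the commenters observed: only an explicit N blocks the sale.
    A closed window (no PARes ever posted back) or any other status goes through."""
    if pares is None:
        return "AUTHORIZE"
    return "DECLINE" if pares_status(pares) == "N" else "AUTHORIZE"


def strict_decision(pares, key=ACS_KEY):
    """Submit the card authorization only when the issuer actually vouched for it.
    The PARes arrives via the cardholder's browser, so its signature is the only
    thing separating it from a value the browser's user typed in themselves."""
    if pares is None:
        return "DECLINE"  # cardholder never completed the 3DS step
    if not hmac.compare_digest(sign_pares(pares["xml"], key), pares["sig"]):
        return "DECLINE"  # tampered or forged result
    status = pares_status(pares)
    if status in ("Y", "A"):  # authenticated, or attempt acknowledged by the issuer
        return "AUTHORIZE"
    # N = failed, U = could not authenticate. Accepting U (without the liability
    # shift) is a business decision; this example declines it.
    return "DECLINE"


def run_cases():
    """Exercise both rules on the situations reported in the thread."""
    forged = make_pares("Y", key=b"not-the-acs-key")  # constructed forgery
    cases = {
        "window closed": None,
        "wrong password": make_pares("N"),
        "correct password": make_pares("Y"),
        "issuer unavailable": make_pares("U"),
        "forged Y": forged,
    }
    return {name: (naive_decision(p), strict_decision(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (naive, strict) in run_cases().items():
        print(f"{name:20s} naive={naive:9s} strict={strict}")
```

    The "window closed" and "wrong password" rows are exactly the cases the commenters hit. Note that the naive rule also accepts the forged Y: because the PARes travels through the browser, an attacker who controls the browser controls the message unless the merchant checks the issuer's signature.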

  • by Threni ( 635302 ) on Thursday January 28, 2010 @03:49PM (#30939568)

    My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

  • by Anonymous Coward on Thursday January 28, 2010 @03:53PM (#30939638)

    My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states.

    So why does your bank bother to put a magnetic stripe on their cards if they guarantee that they won't work with a magnetic stripe?

  • Re:I just use Paypal (Score:2, Interesting)

    by Itninja ( 937614 ) on Thursday January 28, 2010 @03:56PM (#30939690) Homepage
    I use the Paypal debit card and get the best of both worlds, so to speak. And my Paypal account is tied to a bank account I only use for online purchases. There is only enough money in there for what I am about to buy. So even if someone does hax0r my Paypal card, there's nothing for them to steal.
  • by JoshDM ( 741866 ) on Thursday January 28, 2010 @04:09PM (#30939890) Homepage Journal
    I go to the Mastercard website and request a virtual number. I can specify amount and expiration time (in months). It is linked to my credit card and once I use it at a merchant, that number can only be used at that merchant for up to the amount I specified. I love it.

    Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.
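    The virtual-number scheme JoshDM describes is a containment control rather than an authentication one: a leaked number is bound to the first merchant that used it, capped at a chosen amount and dead after a chosen number of months. Below is an added example, written for this page and not taken from MasterCard or any issuer, of the authorization rule such a number would need at the issuer; the PAN, amounts and dates are constructed, and months are counted card-style (the number is valid through the end of its expiry month).

```python
from datetime import date


def expiry_month(issued, months):
    """Card-style expiry: valid through the last day of the returned (year, month)."""
    m = issued.month - 1 + months
    return issued.year + m // 12, m % 12 + 1


class VirtualNumber:
    """One merchant-locked, amount-capped, time-limited number tied to a real card."""

    def __init__(self, number, limit_cents, months, issued):
        self.number = number
        self.limit_cents = limit_cents
        self.expires = expiry_month(issued, months)
        self.merchant = None  # bound on first use
        self.spent_cents = 0

    def authorize(self, merchant, amount_cents, today):
        if (today.year, today.month) > self.expires:
            return "DECLINE: expired"
        if amount_cents <= 0:
            return "DECLINE: bad amount"
        if self.merchant is None:
            self.merchant = merchant  # first use locks the number to this merchant
        elif merchant != self.merchant:
            return "DECLINE: merchant mismatch"  # a stolen number is useless elsewhere
        if self.spent_cents + amount_cents > self.limit_cents:
            return "DECLINE: over limit"  # the cap bounds the loss from a leak
        self.spent_cents += amount_cents
        return "APPROVE"


def scenario():
    """Constructed history: a number for 120.00 at one shop, issued January 2010,
    good for two months (so through March 2010)."""
    vn = VirtualNumber("4111111111111111", 12000, 2, date(2010, 1, 28))
    return [
        vn.authorize("shop.example", 9999, date(2010, 1, 28)),   # APPROVE
        vn.authorize("other.example", 500, date(2010, 1, 29)),   # merchant mismatch
        vn.authorize("shop.example", 2500, date(2010, 2, 1)),    # over limit (9999 + 2500)
        vn.authorize("shop.example", 2001, date(2010, 2, 1)),    # APPROVE, exactly at the cap
        vn.authorize("shop.example", 1, date(2010, 4, 1)),       # expired
    ]


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```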
  • it kills sales (Score:2, Interesting)

    by Anonymous Coward on Thursday January 28, 2010 @04:15PM (#30940036)

    We had it forced on us by our payment provider and it killed sales, we had so many customers asking what their password was and where do they find it. We opted out of it.

  • by Anonymous Coward on Thursday January 28, 2010 @04:21PM (#30940146)

    You mean your VbV system doesn't use an RSA token as part of the logon? How silly.
    (I use the same one for online banking and VbV - not entirely sure how that's set up, but it does seem like a step up from password-only.)

  • by beneppel ( 1378655 ) on Thursday January 28, 2010 @04:33PM (#30940418)
    I recently forgot my verified by visa password - the only security question it asked me that wasn't printed on the card was my date of birth - it's not the first time I've had to reset my password, and each time the question is the same. That means if somebody has my card, all they need to know is my date of birth, and they can reset my 3DS password easily.
  • Re:Lol (Score:1, Interesting)

    by Anonymous Coward on Thursday January 28, 2010 @04:54PM (#30940900)

    I mis-guessed my verified-by-visa password multiple times on a newegg order and then gave up. The payment went through.

    It reminds me of [insider knowledge, that's why I'm posting AC] something my state's unemployment system is about to implement. They're going to have a voice system where people can call in, change what bank account their claims will go into, etc. Of course, to do this, the claimant needs to know their PIN. If they don't know their PIN, though, they can reset their PIN to anything they want, without verifying their identity in any way. If you know someone's SSN, you can have their payments go to you, without knowing anything else. So what's the PIN for?

  • by epine ( 68316 ) on Thursday January 28, 2010 @05:07PM (#30941170)

    My GF's great-grandmother passed away in November. She was very close.

    Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.

    This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.

    All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.

    As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleazy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.

    Brilliant lose-lose for everyone involved.

    Two of the links I recorded checked this out:
    Links More Banking Stupidity: Phished by Visa [links.org]
    Verified by Visa: British banks phish their own customers - Boing Boing [boingboing.net]

    Redacted portions of an online TOS from a large Canadian bank which has since gone 404.

    You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.

    You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

    Answer me this, Batman:

    How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?

    I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works which violates your TOS.

    This whole thing makes me seriously limbic.

    Larry Lessig on laws that choke creativity [ted.com]

    And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.

    For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.

  • by pjt33 ( 739471 ) on Thursday January 28, 2010 @05:20PM (#30941432)

    I would understand "unsecured" to mean "no-one has attempted to secure it". If they've attempted and failed then it's badly secured and insecure.

  • by Anonymous Coward on Thursday January 28, 2010 @05:29PM (#30941576)

    Many retailers refused to believe, or be able to sell to me if I didn't have a postcode. (I'm visiting. Why do you need a postcode? I don't have one!)

    Ah, some form of tv/video equipment?

    Retailers are required by law to take the address of anyone purchasing equipment capable of receiving TV signals to pass on to TV Licensing (sweet and fuzzy name for Centrica, which is essentially a collection agency). Of course, taking a full address is slow, so most retailers only have terminals equipped to take name, postcode and building number. Tip: Buy in cash and give SW1A 2HQ, building 1.

    Of course, a lot of retailers have miscategorised some of their products, and I've been stung by that one while buying a composite video capture device.

  • by scamper_22 ( 1073470 ) on Thursday January 28, 2010 @05:43PM (#30941824)

    There's a very easy solution to this problem. I'm sure they have similar system elsewhere but Interac (debit card) in Canada allows you to pay online. I use it for shopping at ncix.com for example.

    You setup an account with the merchant.
    You do your shopping... add to cart... go to checkout... they give you a bill.

    You then log into your online bank separately! and from your bank account you transfer money to the merchants account.

    The merchant never sees your password and phishing is near impossible because you have to logon to your bank account separately. It's a bit inconvenient, but it's a much more secure system. You don't even have to trust the merchant as they never see your password info. They just wait for the money.

    There's no other way to really do it. Even if they showed a URL in the Verified by Visa scheme, you would still need to check it... a shady merchant could fake it...
    About the only other way would be to have some trusted authorities built into the browser (like we do with certificates). The site can request the browser to 'bring up secure payment for visa'... and it handles it with a non-webpage login/payment system.

  • by jimicus ( 737525 ) on Thursday January 28, 2010 @05:51PM (#30941964)

    But cloning a chip should be very difficult without destroying the card and having long term access to the card. Even then it should be very difficult. Are there any demonstrated examples of criminals cloning credit card chips (or extracting the private cryptographic key)?

    I did look a bit further after posting.

    It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

    There may be proof of concept demonstrations done by researchers, particularly on satellite cards, but has it been found in the wild for credit cards? And has it been verified, not just a crooked card holder falsely claiming his card was stolen?

    Of course cloning the magstripe shouldn't do any good without the chip.

    There are some instances of magswipe readers being attached to cash machines. The data isn't much good in the UK (it identifies that the card has a chip, and most if not all UK cash machines read the chip) but it is enough to create a fake card with just the magnetic strip and using it in a country where chipped cards are unknown.

    Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

    Not possible unless you're the bank - the magstripe doesn't contain the PIN. The verification process is "card reader asks the chip if the PIN supplied is OK. Chip says either yes or no". Incidentally, this is a weak spot - build a chip which always says "yes" and suddenly you don't need the cardholders' PIN.

    While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway.

    Banks have not reduced their charges as a result of this system - indeed, most personal UK bank accounts are free of charge anyway. Where you get charged is if you have a business bank account or if you exceed your overdraft limit - and if you exceed your overdraft limit, boy do you get charged.

    The American system of giving every merchant and his employees all the information needed to max out your credit card account, seems almost insane. Chip and pin and or a push system of payment like paypal, makes a lot more sense to me.

    Better, yes. However, the banks are (or at least were originally) taking the line that it's 100% cast-iron foolproof, which is obviously balls.

  • by TheRaven64 ( 641858 ) on Thursday January 28, 2010 @06:26PM (#30942546) Journal
    Merchant banks will only guarantee the transaction with the chip and pin. If you don't (or can't) use it then the retailer will be liable for fraud. Big shops, like Tesco, will not care because it's better for them to eat the cost of fraud and maintain good customer relations. For smaller shops, it might cost them their profit margin to accept it.
  • by mrcaseyj ( 902945 ) on Thursday January 28, 2010 @06:44PM (#30942868)

    It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

    The machines that would take a cloned card are probably the ones that will work with only the magstripe. That would protect the card holder somewhat against fraudulent charges, especially if the charge was in another country. You still might have a hard time getting your money back if your pin was used though.

    Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

    Not possible unless you're the bank - the magstripe doesn't contain the PIN. The verification process is "card reader asks the chip if the PIN supplied is OK. Chip says either yes or no". Incidentally, this is a weak spot - build a chip which always says "yes" and suddenly you don't need the cardholders' PIN.

    In the US cards don't typically have chips. They only have mag stripes. But ATM cards work with a pin even though they don't have a chip. The card reader pin pad encrypts the pin after it is typed, and sends it to the bank and the bank confirms if the pin is correct. No chip is needed in the card. I assumed UK cards could work similarly with regard to the pin, though with additional protection provided by the chip. With the pin being stored only at the bank and in the card holder's brain, it doesn't matter what the card says about the validity of the pin. The card need not even know what the pin is.

    While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway.

    Banks have not reduced their charges as a result of this system - indeed, most personal UK bank accounts are free of charge anyway. Where you get charged is if you have a business bank account or if you exceed your overdraft limit - and if you exceed your overdraft limit, boy do you get charged.

    The reduced fraud costs might not show up in direct charges. Merchants competing on price could reduce retail prices with lower fraud and negotiate lower merchant fees with card companies who would also have less fraud costs. And credit card interest rates could also be lowered a little. On the other hand, saving one percent on all your purchases might not be much consolation if you're one of the unlucky few that gets stuck with a fraudulent $10000 bill, because chip and pin allowed the bank to transfer the liability to you. It must also be remembered that banks don't always make it easy to get your money back even if chip and pin isn't used. If the charge is from Nigeria, then they'll probably have to give you your money back, but if the charge is made locally or shipped to your house and intercepted, you might have a hard time convincing them it was fraudulent. Chip and pin would probably drastically reduce such charges. I expect chip and pin and this verified by visa thing would be beneficial to us card holders over all.

    The real solution to this though is that cards need to have a display and pin pad on the card. That's hard because they're thin, but the system would be much more secure. A fake pin pad would not be able to capture the pin (though a camera still might). And the card holder could see on the display who the payment was being sent to and how much was being sent. Such a system could even be used on a poorly secured home computer without much worry, since no transaction could take place without the card holder physically authorizing it and seeing the amount and destination on the card's secure display. If the card's operating system was simple enough, it would stand a reasonable chance of being virus proof.
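    The two posts above disagree on where PIN verification happens, and both are right for different configurations: with offline PIN (jimicus) the terminal sends the PIN to the chip and accepts its yes/no, so a fake chip that always says yes passes; with online PIN (the US ATM model mrcaseyj describes) the PIN pad encrypts the PIN and only the issuer's host decides, so the card's opinion never enters into it. The simulation below is an added example written for this page, not code from either commenter or from any EMV implementation. It models both sides of the exchange with constructed keys and a constructed card; the keyed-digest "PIN verification value" and the XOR-with-keystream transport are stand-ins for the issuer's real PVV scheme and for the encrypted ISO 9564 PIN block, and the genuine card's three-try lockout is simplified.

```python
import os
import hmac
import hashlib

# All keys and card data below are constructed for the example (assumptions).
ISSUER_PVK = b"issuer-pin-verification-key"   # issuer-side, never leaves the host
ZONE_KEY = b"pin-pad-to-issuer-zone-key"      # shared by the PIN pad and the issuer


def pin_reference(pan, pin, key=ISSUER_PVK):
    """Stand-in for the issuer's stored PIN verification value: a keyed digest of
    PAN and PIN, so the host can check a PIN without storing it in clear."""
    return hmac.new(key, f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()


def seal_pin(pin, nonce, key=ZONE_KEY):
    """Protect the PIN in transit. Stand-in for the encrypted ISO 9564 PIN block:
    XOR with a one-time keystream derived from the zone key and a fresh nonce."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pin.encode(), stream))


def open_pin(blob, nonce, key=ZONE_KEY):
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, stream)).decode()


class GenuineCard:
    """Simplified chip: answers VERIFY honestly and blocks after three wrong tries."""

    def __init__(self, pin):
        self._pin = pin
        self.tries_left = 3

    def verify(self, candidate):
        if self.tries_left == 0:
            return False  # PIN blocked
        if hmac.compare_digest(candidate, self._pin):
            self.tries_left = 3
            return True
        self.tries_left -= 1
        return False


class YesCard:
    """The weak spot jimicus describes: a fake chip that says yes to any PIN."""

    def verify(self, candidate):
        return True


class Issuer:
    def __init__(self, pan, pin):
        self._refs = {pan: pin_reference(pan, pin)}

    def online_pin_check(self, pan, nonce, sealed):
        """Decide the PIN on the host; whatever the card would say is irrelevant."""
        ref = self._refs.get(pan)
        if ref is None:
            return False
        return hmac.compare_digest(pin_reference(pan, open_pin(sealed, nonce)), ref)


class Terminal:
    def __init__(self, issuer):
        self.issuer = issuer

    def offline_pin(self, card, entered):
        """Offline PIN: the terminal trusts the chip's yes/no."""
        return card.verify(entered)

    def online_pin(self, pan, entered):
        """Online PIN: the pad seals the PIN and only the issuer decides.
        The card is not asked."""
        nonce = os.urandom(16)
        return self.issuer.online_pin_check(pan, nonce, seal_pin(entered, nonce))


def compare_cvms():
    pan, pin = "4111111111111111", "1234"   # constructed test card
    term = Terminal(Issuer(pan, pin))
    genuine, fake = GenuineCard(pin), YesCard()
    return {
        "genuine offline, right PIN": term.offline_pin(genuine, pin),
        "genuine offline, wrong PIN": term.offline_pin(genuine, "0000"),
        "yes-card offline, wrong PIN": term.offline_pin(fake, "0000"),  # fraud succeeds
        "online, wrong PIN": term.online_pin(pan, "0000"),              # fails for any card
        "online, right PIN": term.online_pin(pan, pin),
    }


if __name__ == "__main__":
    for case, ok in compare_cvms().items():
        print(f"{case:28s} -> {'accepted' if ok else 'rejected'}")
```

    The yes-card row is the point: under offline PIN a fake chip that cannot produce the genuine card's keys still gets a "yes" accepted by the terminal, while under online PIN the same wrong PIN is rejected because the issuer, not the card, holds the reference value. Online PIN does nothing for the chip-cloning question in the same thread; it only moves the PIN decision out of the attacker's reach.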

  • Re:Lol (Score:2, Interesting)

    by mr_lizard13 ( 882373 ) on Thursday January 28, 2010 @06:46PM (#30942896)
    I've often wondered about that. When presented with the 'Verified by Visa' screen, how do I know it's the real thing?

    What's to stop a dysfunctional e-store using a mocked-up version of that screen to collect my online PIN?
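    mr_lizard13's question is the core of the Cambridge critique summarised at the top of the page: inside an iframe the browser shows the merchant's URL, not the issuer's, so nothing the cardholder can see distinguishes the real 3DS page from a copy served by the merchant. A page that must never be rendered inside someone else's frame can say so in its response headers (Content-Security-Policy frame-ancestors, with X-Frame-Options as the older fallback), which is the opposite of what 3DS's iframe design requires. The checker below is an added example for this page, not code from the researchers or from any card scheme: given a captured set of response headers, the page's own URL and the would-be embedder's URL, it reports whether a standards-following browser would allow the framing. The header sets are constructed; the rule that a frame-ancestors directive overrides X-Frame-Options follows the CSP specification.

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}


def _origin(url):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or _DEFAULT_PORT.get(scheme)


def _source_matches(source, embedder):
    """Match one CSP host-source or scheme-source against an embedder origin."""
    scheme, host, port = embedder
    src = source.lower()
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. https:
        return scheme == src[:-1]
    if "://" in src:
        src_scheme, rest = src.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        rest = src                                    # scheme-less host-source
    host_part, _, port_part = rest.rstrip("/").partition(":")
    if port_part == "":
        if port != _DEFAULT_PORT.get(scheme):         # no port given: default only
            return False
    elif port_part != "*" and int(port_part) != port:
        return False
    if host_part.startswith("*."):
        return host.endswith(host_part[1:])           # *.bank.example -> .bank.example
    return host == host_part


def framing_allowed(headers, page_url, embedder_url):
    """True if a browser would render page_url inside a frame on embedder_url,
    judging only by page_url's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or sources == ["'none'"]:
            return False
        for s in sources:
            if s.lower() == "'self'":
                if page == embedder:
                    return True
            elif _source_matches(s, embedder):
                return True
        return False                                  # CSP present: XFO is ignored
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page == embedder
    return True      # no framing policy at all: any site may put this page in a frame


# Constructed header sets for an authentication page at acs.bank.example.
NO_POLICY = {"Content-Type": "text/html"}
DENY_ALL = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}
BANK_ONLY = {"Content-Security-Policy":
             "default-src 'self'; frame-ancestors 'self' https://*.bank.example"}
SAME_ORIGIN_XFO = {"X-Frame-Options": "SAMEORIGIN"}

ACS = "https://acs.bank.example/3ds/auth"
SHOP = "https://shop.example.com/checkout"
BANK_SITE = "https://www.bank.example/cards"

if __name__ == "__main__":
    for name, hdrs in [("no policy", NO_POLICY), ("deny all", DENY_ALL),
                       ("bank only", BANK_ONLY), ("xfo sameorigin", SAME_ORIGIN_XFO)]:
        print(f"{name:15s} shop={framing_allowed(hdrs, ACS, SHOP)} "
              f"bank={framing_allowed(hdrs, ACS, BANK_SITE)}")
```

    For a 3DS authentication page the answer for the merchant origin has to be "allowed", which is the design problem the paper identifies: the issuer cannot use the one browser mechanism that would stop a merchant, or a look-alike, from hosting the password prompt. The same check is useful in the other direction on a pentest, to confirm that an online banking login page is not framable at all.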
