Forgot your password?
typodupeerror
Security The Almighty Buck IT

Why "Verified By Visa" System Is Insecure 243

Posted by timothy
from the shifting-the-blame dept.
angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."
This discussion has been archived. No new comments can be posted.

Why "Verified By Visa" System Is Insecure

Comments Filter:
  • by rnicey (315158) on Thursday January 28, 2010 @03:37PM (#30939308) Homepage

    I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

    3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

    Only problem is, it's crap.

    Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

    If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

    Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

    • by Ken D (100098) on Thursday January 28, 2010 @03:49PM (#30939566)

      Exactly.
      By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that its secure so I won't use it.

      Pseudo-security => All Pain, No Gain.

    • by Threni (635302) on Thursday January 28, 2010 @03:49PM (#30939568)

      My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

      • I wish we did. I've seen a few devices in the past year that were Chip and PIN (one was at a nearby CVS... can't remember the rest).

        Still not sure how it's more secure than a normal magstripe. I guess you can't clone a chip so easily as a magstripe... but that's why I consider my plastic only slightly more "lose-able" than cash, and still keep it safe

      • Re: (Score:3, Informative)

        Always call your bank / credit card company before going abroad. It will save you hassle especially if you don't travel. Anything that appears to be out of the ordinary will get questioned.
        • by Anne_Nonymous (313852) on Thursday January 28, 2010 @04:57PM (#30940968) Homepage Journal

          Also:

          1. Always carry more than one card (one each of Visa and MC for example).
          2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
          3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
          4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
          5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

      • by steelfood (895457) on Thursday January 28, 2010 @04:45PM (#30940706)

        Plane ticket: $350
        Hotel room for 5 nights: $500
        Rental car for 6 days: $200
        Broadway show tickets for two: $300
        Finding out your VISA card doesn't work but your Master Card does: priceless.

      • Chip cards have been in use for a very long time in France. They all have mag stripes, mainly because that's what most ATM use anyway, but also for use abroad. The mag stripe contains information as to whether the card also has a chip, so that even when an authorisation (the terminal phoning the acquirer) is not required, it can decide to deny the transaction preemptively if the card is supposed to have a pin and the terminal is supposed to be able to read it.

        In that I case I guess the bank is just being in

    • by Qzukk (229616) on Thursday January 28, 2010 @04:00PM (#30939760) Journal

      As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.

      Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.

    • by rickb928 (945187)

      Sometimes it's called risk avoidance, sometimes risk sharing, sometimes risk transfer.

      It isn't sharing believe me. Wherever possible, processors and issuers will try to palm the risk off on the merchant, or the customer.

      While fraud prevention is a massive issue, there is no sure method to detect it. And online merchants suffer both more fraud and more penalties. They often pay higher fees to cover the inevitable fraud expenses.

      Even address verification is not enough. I'm not signing up for this, it mean

    • by KlomDark (6370)

      As a buyer, I refuse to do business with any company that I haven't visited directly that doesn't take PayPal. I am not giving my credit card or bank account number directly to any establishment. While PayPal may get dinged for freezing money on sellers accounts, I'd say most of the freezes are put on scammy accounts rather than trustable accounts.

      As a purchaser - it's PayPal or the Highway. It's not worth the risk to have to evaluate every single company for honesty. (And my neighbor works for PayPal, so i

    • No surprise (Score:5, Insightful)

      by sjames (1099) on Thursday January 28, 2010 @05:42PM (#30941794) Homepage

      The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

      Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

      In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

      In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.

    • by scamper_22 (1073470) on Thursday January 28, 2010 @05:43PM (#30941824)

      There's a very easy solution to this problem. I'm sure they have similar system elsewhere but Interac (debit card) in Canada allows you to pay online. I use it for shopping at ncix.com for example.

      You setup an account with the merchant.
      You do your shopping... add to card... go to checkout... they give you a bill.

      You then log into your online bank separately! and from your bank account you transfer money to the merchants account.

      The merchant never sees your password and phishing is near impossible because you have to logon to your bank account separately. It's a bit inconvenient, but it's a much more secure system. You don't even have to trust the merchant as they never see your password info. They just wait for the money.

      There's no other way to really do it. even if the showed a URL in the Verified by Visa scheme, you would still need to check it... a shady merchant could fake it...
      About the only other way would be to have some trusted authorities built into the browser (like we do with certificates). The site can request the browser to 'bring up secure payment for visa'... and it handles it with a non-webpage login/payment system.

    • Re: (Score:3, Insightful)

      by orlanz (882574)

      I am a long time credit card user (don't believe in cash). I ran into this a few months back with Walmart online. It actually looked like a scam. And you are right about the security aspect, just an offloading of (increased) risk. It pops out of no where and the new page's instructions clearly said it was optional and I can hit cancel. BUT, there was no cancel button, I even looked in the source code. So I closed the browser.

      This was considered _fraudulent_activity_ and locked my card for a while (aut

  • for all sites that I visited that tried to make me jump through the dumb VbV hoops, I switched to American Express..

    I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

    A.

    • Re: (Score:3, Insightful)

      by pavon (30274)

      I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

      No kidding. What is worse is that every time I have been shown the verification page isn't wasn't even hosted at something obviously legitimate like verify.visa.com, but rather the domain was some other corporation related to Visa (can't remember the name right now).

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        In the UK, the server's domain name is securesuite.co.uk. How is the average user going to be aware that the domain is legit? Furthermore, most merchants seem to use iframes (seen some popups too) so you can't even see the domain unless you right-click->properties. Pretty stupid.

  • I'd rather use (Score:5, Insightful)

    by sconeu (64226) on Thursday January 28, 2010 @03:40PM (#30939376) Homepage Journal

    Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.

    • My credit card (Visa issued by my bank) doesn't have it either. I've been thinking about getting a second card that does have it solely for online use, but have been turned-off by the issuers I've seen with that feature. Is there anyone here that can recommend a credit card issuer that supports single-use numbers?

      My requirements:
      * No monthly/yearly fees
      * Standard grace period
      * Sane fraud protection (call me if you see something suspicion, but don't freeze my card)
      * Can be paid using standard electronic tran

      • Re: (Score:3, Informative)

        by DCstewieG (824956)

        Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.

        http://www.discovercard.com/customer-service/security/create-soan.html [discovercard.com]

        • by pavon (30274)

          Interesting. When my parents had Discover it had maintenance fees, but supposedly made up for it with their cash-back rewards program. However, they could never find enough stores that actually took the card to earn enough cash back to cover the maintenance fees, so the eventually canceled it.

          If they've changed that I may look into it.

        • by David_W (35680)

          Discover passes all these, except for being Discover.

          Gotta disagree with you there. I had a Discover card since I started college (around 15 years ago) and finally ended up getting rid of it this past year, due to their failure on this point:

          * Sane fraud protection (call me if you see something suspicion, but don't freeze my card)

          Not only did they freeze my card when something suspicious popped up (and never actually ended up being a problem, BTW), but they never bothered to actually call me and inform me that they had frozen it. Every time it happened (and

          • by DCstewieG (824956)

            The only issue I've ever had (in over 6 years with the card) was when my wife and I were out shopping separately and we both bought multiple hundred dollar items. I just got an automated call a couple hours later that spoke the 2 merchants, let me press a button to confirm and that was it. But I guess I couldn't tell you if they froze it at some point within that time.

      • Re: (Score:2, Informative)

        I would recommend the Citi Forward Card:

        http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425 [citicards.com]

        I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending l
      • by nameer (706715)
        AT&T Universal Card. Citi owns it now, so I don't know if there are other equivalent Citi cards. I've had it for years now and the only thing I can't speak to on your list is the paying with electronic transfers. My wife pays the bill, but she is massive into online banking so I would suspect that you can.
      • Re: (Score:3, Informative)

        by sgtrock (191182)

        MBNA'a (now owned by BofA) ShopSafe.

    • I'm not smart enough to figure out how many credit card numbers exist - except that I know that it's not 10^16 because many numbers are invalid. For anyone who wants to figure this out, credit cards need a merchant code and an account code. I think the account code can be pretty arbitrary, but there are only a dozen or so merchant codes. And the whole thing needs a checksum.

      Are there enough credit cards to let everyone use single-use numbers all the time? Maybe we should get only one alternate card number,

  • They verified my Visa a long time ago - and its easier to remember my email address and a password than it is to try and find my card to enter the numbers online.

    • Re: (Score:2, Interesting)

      by Itninja (937614)
      I use the Paypal debit card and get the best of both worlds, sort of speak. And my Paypal account is tied to a bank account I only use for online purchases. There is only enough money in there for what I am about to buy. So even if someone does hax0r my Paypal card, there's nothing for them to steal.
  • by Anonymous Coward on Thursday January 28, 2010 @03:44PM (#30939464)

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.

    • by Ken D (100098)

      Yep.

      Any system where you enter re-usable authentication credentials is a system that you have just enabled to pretend to be you.

    • by SomeJoel (1061138)
      Good system, but you greatly overestimated the intelligence of the average consumer.
      • so store the private key on the card, it'll still be more secure than a number & pin code. it could be made fairly seamless to the end user.

    • It's 3 letters at a time from a password. Either you have to have a shitty password or someone will still have to work at it for awhile.

      I hope Verfied by Visa does catch people with their pants down. Fuck 'em, maybe they'll be more inclined to learn how to use their computer properly after they've been had by some kid in Russia.
  • by JoshDM (741866) on Thursday January 28, 2010 @04:09PM (#30939890) Homepage Journal
    I go to the Mastercard website and request a virtual number. I can specify amount and expiration time (in months). It is linked to my credit card and once I use it at a merchant, that number can only be used at that merchant for up to the amount I specified. I love it.

    Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.
    • by FooAtWFU (699187)

      I had a credit card which could do that once (a Wachovia card administered through some "FIA Card Services"). Then Wachovia decided to end that and administer it themselves (which was mostly just annoying). What other card providers provide this capability?

      On a related note: online bank security. WTF?

  • Ya, VbV is bullshit, but it would be nice if TFA could link to it's sources it lists as citations instead of financial%20cryptography%20and%20data%20security/
  • I switched from VISA to MASTERCARD because the system sucked, it pissed me off having to jump through hoops to buy something. Then MASTERCARD came out with the same system, just not used as much so I'm still staying with them. Actually pretty funny story... I made a purchase last Fall on a website that had the MASTERCARD security thingy, I hit cancel cause my account got locked out, and the purchase STILL WENT THROUGH.... ya... nice security there.
  • I got fed up with all the security issues with online Visa transactions. Now I use PayPal for everything, and I'm fully protected. Lessee, I've made around... hmmm, frozen, what does that mean? Well, I'm having some problems with my account at the moment, but I've made a lot of transactions.
  • by Anonymous Coward on Thursday January 28, 2010 @04:14PM (#30939996)

    Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

    I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

    • by Arimus (198136)

      I was going to mod this up, but while true I can't decide between insightful and funny - I kept chucking when I thought of a document going to see a shrink ;)

    • Re: (Score:3, Interesting)

      by pjt33 (739471)

      I would understand "unsecured" to mean "no-one has attempted to secure it". If they've attempted and failed then it's badly secured and insecure.

  • it kills sales (Score:2, Interesting)

    by Anonymous Coward

    We had it forced on us by our payment provider and it killed sales, we had so many customers asking what their password was and where do they find it. We opted out of it.

  • The researchers, and the article writers, completely fail to understand that 3-D Secure simply defines the interfaces between the three domains in the security model. The actual authentication model used is chosen and implemented by the card issuer. If the card issuer would decide it wants to use passphrase+OTP in a separate window (for URL validation), it could do so. In fact, outside of the US, many do. In Norway, for instance, online payments are usually verified through something akin to a "national ele

  • by tunapez (1161697) on Thursday January 28, 2010 @04:27PM (#30940284)

    I've used the service 3 times...guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password(8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.

    • by Neoprofin (871029)
      That's odd. My Verified by Visa password is 8+ characters and alpha-numeric, I've also only had to reset it after reporting a card stolen and having it replaced. Maybe it differs from different card issuers.
  • I recently forgot my verified by visa password - the only security question it asked me that wasn't printed on the card was my date of birth - it's not the first time I've had to reset my password, and each time the question is the same. That means if somebody has my card, all they need to know is my date of birth, and they can reset my 3DS password easily.
  • by ehud42 (314607) on Thursday January 28, 2010 @04:55PM (#30940916) Homepage

    I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.

    • by RAMMS+EIN (578166)

      Now there's a good idea. I'd mod you up if I could.

      The way I see it, the number one problem with credit cards is that all the verification steps do basically amount to nothing ... everything you need is printed on the card, so what is verified is neither that you have the card nor that you know some secret.

      What you propose completely changes that.

      By adding a number that changes over time, you foil re-use. Someone can copy the other things on your card, but they will be useless without the card.

      Add some sort

  • by epine (68316) on Thursday January 28, 2010 @05:07PM (#30941170)

    My GF's great-grandmother passed away in November. She was very close.

    Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.

    This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.

    All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.

    As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleezy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.

    Brilliant lose-lose for everyone involved.

    Two of the links I recorded checked this out:
    Links More Banking Stupidity: Phished by Visa [links.org]
    Verified by Visa: British banks phish their own customers - Boing Boing [boingboing.net]

    Redacted portions of an online TOS from a large Canadian bank which has since gone 404.

    You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.

    You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

    Answer me this, Batman:

    How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?

    I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works which violates your TOS.

    This whole thing makes me seriously limbic.

    Larry Lessig on laws that choke creativity [ted.com]

    And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.

    For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.

  • This is why I use a virtual card online (paypal offers them, and some banks do too) - generate a card, use it and then close it. It's also handy for sites that force you to subscribe when you only want a brief access (e.g. I'm only an occasional wow player, so I pay for a month, close the card, don't have to pay for the rest of the time when I don't have time to play).

  • I am a UI designer with an interest in security-related human factors.

    3DS as deployed by MasterCard is also fundamentally insecure because its based on an anti-pattern: trust by proxy without offering any easy way to verify that trust. Visa's implementation is marginally better becuase it echoes a "secret phrase" to you on the screen before you input your pin, thereby allowing you to verify that it's them, and not some random phisher.

    The trouble is most people just trust in the application of the anti-patte

No skis take rocks like rental skis!

Working...