It seems that Visa is increasingly encouraging credit cardholders to use its “Verified by Visa” program, in which you’re supposed to enter a secret code to confirm that it’s really you using a credit card number.
The problem is, it’s insecure.
The system is properly called 3-D Secure (3DS), but the two card corporations brand it as Verified by Visa and MasterCard SecureCode.
Here are some of the problems found by Cambridge researchers Professor Ross Anderson and Steven Murdoch:
- 3DS is shown in an “inline frame”, or IFRAME HTML element. The problem is that the content for that frame comes from a different website than the merchant’s, and it’s hard for users to verify its authenticity because they can’t see the URL it’s coming from.
- The system allows setting of a password directly on a merchant site with activation during shopping (ADS). Your identity is confirmed with a piece of information like birth date, which is commonly available.
- That also means the password can be reset with birth date or other commonly available information.
- It’s also vulnerable to phishing attempts.
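The first point above is that the 3DS form sits in an IFRAME whose URL the shopper never sees. As an added example (not from the original article or the Cambridge paper), this JavaScript lists the real origin of every frame on a checkout page and flags cross-origin frames that are not HTTPS or not on a bank-published host list; the sample HTML, all hostnames and the `KNOWN_ISSUER_HOSTS` allowlist are constructed assumptions.

```javascript
// Added example: report where each <iframe> on a checkout page really loads from.
// All hostnames are constructed placeholders, not real merchant or bank sites.

// Constructed sample checkout markup, embedded so the example runs offline.
const SAMPLE_HTML = `
<h1>Checkout</h1>
<iframe name="3ds" src="https://acs.bank.example/auth?tx=1" width="400"></iframe>
<iframe src="http://secure-verify.example.net/vbv"></iframe>
<iframe src="/static/terms.html"></iframe>
`;

// Hypothetical allowlist: hosts the cardholder's bank has published for its 3DS pages.
const KNOWN_ISSUER_HOSTS = new Set(["acs.bank.example"]);

// Pull the src attribute out of every <iframe> tag. In a live page you would
// walk document.querySelectorAll("iframe") instead of scanning markup.
function iframeSources(html) {
  const out = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const m = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    if (m) out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// For each frame, resolve its URL against the page and compare origins.
function auditFrames(pageUrl, html) {
  const page = new URL(pageUrl);
  return iframeSources(html).map((src) => {
    const frame = new URL(src, page); // relative src resolves to the merchant origin
    const crossOrigin = frame.origin !== page.origin;
    const flags = [];
    if (crossOrigin && frame.protocol !== "https:") flags.push("not-https");
    if (crossOrigin && !KNOWN_ISSUER_HOSTS.has(frame.hostname)) flags.push("unknown-host");
    return { origin: frame.origin, crossOrigin, flags };
  });
}

for (const r of auditFrames("https://shop.example/checkout", SAMPLE_HTML)) {
  const where = r.crossOrigin ? "cross-origin" : "same-origin";
  console.log(r.origin, where, r.flags.join(",") || "ok");
}
```
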
Since users have to agree to be responsible for use of the card if they participate in Verified by Visa, banks are less likely to do chargebacks, and are more likely to put blame on the user if there is fraud.
My comments
I had been sort of suspicious of how well these systems worked, but thanks to these Cambridge professors, now we know. In fact, there’s probably no other way we’d know because the terms of these programs actually prohibit you from reverse-engineering or tinkering with the 3DS system in any way.
Moral: Don’t think your card is impenetrable just because your bank says so.
I think it’s good to have a separate, low-limit card for general Internet transactions.
Resources
PCWorld article
Register article
Cambridge University paper
Financial Cryptography and Data Security Conference
http://en.wikipedia.org/wiki/3-D_Secure
http://www.visa.com/verifiedbyvisa/