January 29, 2010 | Digital Security

It seems that Visa is increasingly encouraging credit cardholders to use its “Verified by Visa” program, in which you’re supposed to enter a secret code to confirm that it’s really you using a credit card number.

The problem is, it’s insecure.

The system is properly called 3-D Secure (3DS), but the two card corporations brand it as Verified by Visa and MasterCard SecureCode.

Here are some of the problems found by Cambridge researchers Professor Ross Anderson and Steven Murdoch:

  • 3DS is shown in an “inline frame” or IFRAME HTML element. The problem is that the content for that frame comes from a different website than the merchant’s, and it’s hard for users to verify its authenticity because they can’t see the URL it’s coming from.
  • The system allows a password to be set directly on a merchant site, through activation during shopping (ADS). Your identity is confirmed with a piece of information like birth date, which is commonly available.
  • That also means the password can be reset with birth date or other commonly available information.
  • It’s also vulnerable to phishing attempts.
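
To make the IFRAME point concrete, here is an added example (not from the original article or the Cambridge paper) of a check a merchant could run on its own checkout page: it lists the origin of every frame, which is exactly the information the shopper's address bar does not show. The function names, the allowlist parameter and all hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple a browser compares for same-origin."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))

class FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def audit_frames(page_url, html, expected_hosts):
    """Report, for each iframe, the origin the shopper cannot see in the address bar."""
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        full = urljoin(page_url, src)  # resolve a relative src against the page URL
        scheme, host, port = origin(full)
        issues = []
        if origin(full) != origin(page_url):
            issues.append("cross-origin")      # content is not the merchant's own
        if scheme != "https":
            issues.append("not-https")         # frame could be altered in transit
        if host not in expected_hosts:
            issues.append("unexpected-host")   # not on the caller's allowlist
        findings.append({"url": full, "host": host, "issues": issues})
    return findings

# Constructed sample checkout markup; every hostname here is a placeholder.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
  <iframe src="https://acs.bank.example/3ds/auth?id=1"></iframe>
  <iframe src="http://acs-bank.example.net/3ds/auth"></iframe>
  <iframe src="/promo/banner.html"></iframe>
"""

if __name__ == "__main__":
    for f in audit_frames(SAMPLE_PAGE_URL, SAMPLE_HTML, {"acs.bank.example", "shop.example"}):
        print(f["host"], f["issues"] or "ok")
```

The first two frames look alike to a shopper inside the merchant page, yet only one of them comes from the allowlisted host over HTTPS.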

Since users have to agree to be responsible for use of the card if they participate in Verified by Visa, banks are less likely to do chargebacks, and are more likely to put blame on the user if there is fraud.

My comments

I had been sort of suspicious of how well these systems worked, but thanks to these Cambridge professors, now we know. In fact, there’s probably no other way we’d know because the terms of these programs actually prohibit you from reverse-engineering or tinkering with the 3DS system in any way.

Moral: Don’t think your card is impenetrable just because your bank says so.

I think it’s good to have a separate, low-limit card for general Internet transactions.

Resources

PCWorld article
Register article
Cambridge University paper
Financial Cryptography and Data Security Conference
http://en.wikipedia.org/wiki/3-D_Secure
http://www.visa.com/verifiedbyvisa/

