It seems that Visa is increasingly encouraging credit cardholders to use its “Verified by Visa” program, in which you’re supposed to enter a secret code to confirm that it’s really you using a credit card number.
The problem is, it’s insecure.
The system is properly called 3-D Secure (3DS), but the two card corporations brand it as Verified by Visa and MasterCard SecureCode.
Here are some of the problems found by Cambridge researchers Professor Ross Anderson and Steven Murdoch:
- 3DS is shown in an “inline frame” or IFRAME HTML element. The problem is that the content for that frame comes from a different website than the merchant’s, and it’s hard for users to verify its authenticity because they can’t see the URL it’s coming from.
- The system allows setting of a password directly on a merchant site with activation during shopping (ADS). Your identity is confirmed with a piece of information like birth date, which is commonly available.
- That also means the password can be reset with birth date or other commonly available information.
- It’s also vulnerable to phishing attempts.
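The IFRAME point above can be made concrete with a short audit script. This is an added example, not code from the original article or the Cambridge paper; the host names and the sample HTML are constructed. It lists every frame on a checkout page with the origin it actually loads from, which is the information the browser's address bar does not show the shopper.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def audit_frames(page_url, html):
    """Report each iframe's real origin relative to the page the user sees."""
    collector = FrameCollector()
    collector.feed(html)
    report = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolve relative src values
        frame_origin = origin(absolute)
        report.append({
            "url": absolute,
            "host": frame_origin[1],
            "cross_origin": frame_origin != origin(page_url),
            "https": frame_origin[0] == "https",
        })
    return report

# Constructed sample: a checkout page embedding password prompts in frames.
PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><body>
  <h1>Confirm your order</h1>
  <iframe src="/cart/summary"></iframe>
  <iframe src="https://acs.bank.example.test/3ds/prompt?id=1"></iframe>
  <iframe src="http://acs-bank.example.net/3ds/prompt"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for frame in audit_frames(PAGE_URL, SAMPLE_HTML):
        print(frame)
```

All three frames look the same to the shopper, since the address bar shows only the merchant's URL; the report shows that two of them come from other sites and one of those is not even served over HTTPS.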
Since users have to agree to be responsible for use of the card if they participate in Verified by Visa, banks are less likely to do chargebacks, and are more likely to put blame on the user if there is fraud.
My comments
I had been sort of suspicious of how well these systems worked, but thanks to these Cambridge professors, now we know. In fact, there’s probably no other way we’d know because the terms of these programs actually prohibit you from reverse-engineering or tinkering with the 3DS system in any way.
Moral: Don’t think your card is impenetrable just because your bank says so.
I think it’s good to have a separate, low-limit card for general Internet transactions.
Resources
PCWorld article
Register article
Cambridge University paper
Financial Cryptography and Data Security Conference
http://en.wikipedia.org/wiki/3-D_Secure
http://www.visa.com/verifiedbyvisa/