The problem is, it’s insecure.

The system is properly called 3-D Secure (3DS) but it’s called Verified by Visa and MasterCard SecureCode by the two card corporations.

Here are some of the problems found by Cambridge researchers Professor Ross Anderson and Steven Murdoch:

• 3DS is shown in an “inline frame” or IFRAME HTML element. The problem with that is that the content for that frame is coming from a different website than the merchants, and it’s hard for users to verify its authenticity because you can’t see the URL it’s coming from.
• The system allows setting of a password directly on a merchant site with activation during shopping (ADS). Your identity is confirmed with a piece of information like birth date, which is commonly available.
• That also means the password can be reset with birth date or other commonly available information.
• It’s also vulnerable to phishing attempts.

Since users have to agree to be responsible for use of the card if they participate in Verified by Visa, banks are less likely to do chargebacks, and are more likely to put blame on the user if there is fraud.

My comments

I had been sort of suspicious of how well these systems worked, but thanks to these Cambridge professors, now we know. In fact, there’s probably no other way we’d know because the terms of these programs actually prohibit you from reverse-engineering or tinkering with the 3DS system in any way.

Moral: Don’t think your card is impenetrable just because your banks says so.

I think it’s good to have a separate, low-limit card for general Internet transactions.

Resources

PCWorld article
Register article
Cambridge University paper
Financial Cryptography and Data Security Conference
http://en.wikipedia.org/wiki/3-D_Secure
http://www.visa.com/verifiedbyvisa/

Related posts:

1. Google Releases Skipfish Automatic Website Security Scanning Tool
2. How to Install Google Skipfish on Ubuntu Linux
3. How to Install Java on Windows