Verified by Visa?

used under creative commons from johnsnape's Flickr


 
In 2001 Visa introduced a security protocol they called 3DS, short for 3 Domain Secure, in an attempt to reduce the incidence of credit card fraud in online purchases. 3DS is better known by the names used by the various card issuers when they implement the system: “Verified by Visa”, “MasterCard SecureCode”, “J/Secure” (JCB International) and “SafeKey” (American Express). The trouble is that 3DS doesn’t really present any barrier at all, even to the average fraudster, at least in the way that it is implemented by the card issuers that I tested.
 
In the FAQ published by Visa they say “Verified by Visa protects your card against unauthorised transactions, giving you complete confidence when shopping online”. Later in the same FAQ they also state “If you forget your password you can easily reset it”, and therein lies the problem. The following relates to implementations by the credit card issuers I was able to test, not necessarily to the entire 3DS system.
 
The problem stems from a very basic design flaw. If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but…
 
What would a criminal do if they had access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.
 
The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system requires some corroborating data to be sure that you are the legitimate account holder, so let’s have a look at that “Identification” phase.
 

Second step in password reset


 
Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.
 
Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.
 
So what should be improved? There’s nothing new or amazing here, just some really basic steps that need to be incorporated into the process.
 

  • Upon enrolling in the system, cardholders should be requested to set a “Secret question” which will later serve as authentication data for a password change.

  • Instead of simply clicking through to the reset screen, a one-time password reset URL should be delivered to a registered email address.

  • Whenever a change to the account details is requested, or is successful, the registered email address should receive a notification message.

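As an added example (not code from this post, from Visa or from any issuer), the three recommendations above combined into one small Python reset flow: the enrolment-time secret answer gates the request, a single-use, time-limited token is mailed to the registered address rather than shown on the page, and a notification is recorded on every attempt and every successful change. The account fields, the 15-minute validity window, the `issuer.example` URL, the in-memory token store and the stand-in outbox are all assumptions constructed for this example; a real deployment would persist tokens and send real mail.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical policy values for this example, not figures from the post.
TOKEN_TTL_SECONDS = 15 * 60
KDF_ITERATIONS = 100_000


def hash_secret(purpose: str, value: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the purpose prefix keeps password and answer hashes distinct."""
    data = f"{purpose}\0{value}".encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, KDF_ITERATIONS)


@dataclass
class Account:
    card_last4: str
    email: str            # registered at enrolment; the only place reset links go
    salt: bytes
    password_hash: bytes
    answer_hash: bytes    # hashed answer to the enrolment-time secret question
    notifications: list = field(default_factory=list)


@dataclass
class ResetToken:
    expires_at: float
    used: bool = False


def enroll(card_last4: str, email: str, password: str, secret_answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(card_last4, email, salt,
                   hash_secret("password", password, salt),
                   hash_secret("answer", secret_answer.strip().lower(), salt))


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_secret("password", password, acct.salt),
                               acct.password_hash)


class ResetService:
    def __init__(self, acct: Account, clock=time.time):
        self.acct = acct
        self.clock = clock
        self.tokens = {}   # sha256(token) -> ResetToken; raw tokens are never stored
        self.outbox = []   # constructed stand-in for an email transport

    def request_reset(self, secret_answer: str) -> bool:
        # Every attempt is announced to the registered address, so the
        # cardholder learns about activity even when the attempt fails.
        self.acct.notifications.append("reset requested")
        supplied = hash_secret("answer", secret_answer.strip().lower(), self.acct.salt)
        if not hmac.compare_digest(supplied, self.acct.answer_hash):
            return False
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[digest] = ResetToken(self.clock() + TOKEN_TTL_SECONDS)
        # Delivered out of band; the reset page itself never shows the link.
        self.outbox.append((self.acct.email, f"https://issuer.example/reset?token={token}"))
        return True

    def complete_reset(self, token: str, new_password: str) -> bool:
        rec = self.tokens.get(hashlib.sha256(token.encode()).digest())
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        rec.used = True    # single use: a replayed link is rejected
        self.acct.password_hash = hash_secret("password", new_password, self.acct.salt)
        self.acct.notifications.append("password changed")
        return True


def demo() -> dict:
    """Walks the flow with constructed data; the clock is faked so expiry is testable."""
    acct = enroll("1234", "holder@example.com", "old-pass", "blue")
    now = [1_000_000.0]
    svc = ResetService(acct, clock=lambda: now[0])
    r = {}
    r["wrong_answer"] = svc.request_reset("red")          # refused, but notified
    r["right_answer"] = svc.request_reset("Blue ")        # normalised, link mailed
    token = svc.outbox[-1][1].split("token=", 1)[1]
    r["bogus_token"] = svc.complete_reset("not-a-token", "x")
    r["first_use"] = svc.complete_reset(token, "N3w!P@ss#w0rd")
    r["replay"] = svc.complete_reset(token, "again")
    svc.request_reset("blue")
    late_token = svc.outbox[-1][1].split("token=", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1                       # let the link expire
    r["expired"] = svc.complete_reset(late_token, "late")
    r["special_chars_ok"] = verify_password(acct, "N3w!P@ss#w0rd")
    r["notifications"] = list(acct.notifications)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only a hash of the token is kept server-side, so a leaked token table cannot be turned back into working reset links, and the token is rejected once used or once the window has passed. The notification list is where an email send would go; note that it records the failed attempt with the wrong answer as well as the successful change, which is exactly the alert the post says cardholders never receive today.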
 
Oh, one more thing, it would be really great if I could use special characters in my password, please.
 

13 thoughts on “Verified by Visa?”

  1. Pingback: Loopholes in Verified by Visa & SecureCode | iCodeSource

  2. Oops, I broke it

    It is actually much LESS secure than even what you’ve shown, at least in my repeated experience. I’ve never set up a password, and each time I buy something from newegg I get this. I just click the “Forgot Password” link, then the “Cancel” link… and go right back to NE and see my confirmation number on my receipt. I’ve found this by accident some three or four times, then finally bothered to recall it.

    Reply
  3. Pingback: Boot up: Galaxy Nexus Android review, BlackBerry PlayBooks 'stolen from Indiana truck stop', and more | Gunsirit Live News Stream

  4. Pingback: Study Slams Kindle Fire Usability

  5. Pingback: Boot up: Galaxy Nexus Android review, BlackBerry PlayBooks ‘stolen from …

  6. Pingback: Visa looks into Eastern European security breach | LocatePC | Locate your stolen computer or stolen laptop - Works for both Mac and PC

  7. Pingback: "Ontwerpfout in wachtwoordbeveiliging creditcards" | Hackers Domein

  8. Pingback: 你在社群網站公布的生日和信用卡盜刷有什麼關係? | 雲端防毒是趨勢

  9. Mathieu

    Do we agree this is a card issuer’s problem, and not a 3DS problem?
    I mean, the fact to rely on a password is a card issuer’s decision, as some of mine use 3DS but do not rely on a password.

    The one I prefer relies on something I have, not something I know.
    For each transaction, it sends me an SMS on a predetermined number, with a secret one-time code in it, which I need to type on the page.
    No reset, no alternative… no “I don’t have my mobile”, just a “resend please, I didn’t get it”. And it doesn’t give the full number it sent the text to, just the last few digits.

    So I agree, no mobile, no SMS, no order…
    But still, my point is this password thing is a card issuer decision… alternatives are already used by others.

    And actually no one ever asked me if I was ok with yet another password… or if I preferred another means of “verification/authentication”.

    Reply
  10. Sophia

    This is why Swedish banks have either e-authorization protocols that need to be downloaded to your computer through your internet bank, which you can only use with a small security box/digipass. You don’t use a password to log in to your internet bank, but different codes that are provided by the digipass.

    Reply
  11. dg

    My Visa issuer in .se requires that 3DS password resets are completed only when authenticated in the Internet bank.
    So it looks like issuers in the US handle this differently.

    Reply
  12. Pingback: Loopholes in Verified by Visa & SecureCode — Krebs on Security

  13. matt

    It is a total scam, anyway. It was created (per internal credit card company documents detailing its design) to protect the CARD ISSUERS from having to reimburse you for fraudulent transactions. If the scammer gets thru Verified by Visa, then OBVIOUSLY you the customer are in on the scam and they don’t owe you s…. Not a customer protection, it’s COMPANY protection. F… them

    Reply
