[Infowarrior] - Security researchers blast credit card verification system

Richard Forno rforno at infowarrior.org
Fri Jan 29 00:06:44 UTC 2010


Security researchers blast credit card verification system
By Ryan Paul | Last updated January 28, 2010 1:20 PM
http://arstechnica.com/secu

Some credit card companies use a system called 3-D Secure (3DS) that  
adds an extra step to transactions that are carried out on the  
Internet. Visa and MasterCard tout their security, but researchers are  
questioning their efficacy.

When making a purchase, online shoppers are confronted with a  
validation check that requires them to supply a password—in addition  
to the standard security code that is on the card itself—in order to  
prove that they are the real owner of a credit card. Systems built on  
3DS are better known by their brand names, which include Verified by  
Visa and MasterCard SecureCode.

Security researchers say that these validation systems—which are used  
by over 200 million cardholders—suffer from serious security  
deficiencies. Although the failings of 3DS and its lack of conformance  
with best practices are well-documented, it has still been widely  
adopted by online retailers because it allows them to deflect the  
liability for fraud back to the credit card companies.

Some of the credit card companies take advantage of 3DS by wrapping  
their implementations of the validation system in draconian terms of  
service that force users to agree to accept full liability for credit  
card fraud. To make matters worse, some retailers don't allow  
consumers to opt out. The 3DS Activation During Shopping (ADS)  
functionality often ropes in users and gets them to sign up without  
fully realizing what they are doing.

In a paper presented at the Financial Cryptography conference,  
researchers Ross Anderson and Steven Murdoch reveal the dark  
underbelly of 3DS and show how the service is detrimental to consumers.

"From the engineering point of view, [3DS] does just about everything  
wrong, and it's becoming a fat target for phishing," wrote Anderson in  
an entry at the University of Cambridge security research blog. "This  
is yet another case where security economics trumps security  
engineering, but in a predatory way that leaves cardholders less  
secure."

The standard method of integrating 3DS verification in a website  
involves using HTML iframes. This is highly problematic, because it  
means that users won't be able to rely on the security features of  
their browser—such as certificate highlighting in the browser URL bar—  
to easily distinguish between phishing sites and legitimate 3DS  
verification. The inability to visually ascertain whether the  
certificate is valid exposes users to the possible risk of  
man-in-the-middle attacks.
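As an added illustration of the iframe problem (this is example code, not from the Ars Technica article or the Anderson/Murdoch paper), the JavaScript below shows two defender-side checks: how a verification page can notice that it is being rendered inside another site's frame, and how to evaluate whether a site's response headers (the real `Content-Security-Policy` `frame-ancestors` directive and `X-Frame-Options`) allow a given merchant origin to embed it. The merchant and bank origins are constructed for the example.

```javascript
// Added example, not code from the article or the Cambridge paper.
// A page shown inside another site's iframe is rendered while the address
// bar and certificate indicator describe the embedder, not the framed site.
// Two checks help a verification site avoid that situation.

// `win` is a window-like object; in a browser call isFramed(window).
// Comparing self and top does not throw across origins, so this is safe
// even when the embedder is a different site.
function isFramed(win) {
  return win.self !== win.top;
}

// Case-insensitive header lookup over a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Does one CSP frame-ancestors source expression permit `embedderOrigin`?
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return embedderOrigin === pageOrigin;
  const embedder = new URL(embedderOrigin);
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  // Host source, optionally with a scheme and a leading wildcard label.
  let scheme = null;
  let host = src;
  const idx = src.indexOf('://');
  if (idx !== -1) {
    scheme = src.slice(0, idx + 1); // "https:"
    host = src.slice(idx + 3);
  }
  host = host.split('/')[0]; // drop any path component
  if (scheme !== null && scheme !== embedder.protocol) return false;
  if (host.startsWith('*.')) return embedder.hostname.endsWith(host.slice(1));
  return embedder.host === host || embedder.hostname === host;
}

// Decide whether `embedderOrigin` may frame a page served from `pageOrigin`
// with these response headers. frame-ancestors wins when present; otherwise
// X-Frame-Options applies; with neither, any site can frame the page.
function canBeFramedBy(headers, embedderOrigin, pageOrigin) {
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // An empty source list behaves like 'none'.
      return sources.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
    }
  }
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
    // Other values (e.g. the obsolete ALLOW-FROM) are ignored by modern browsers.
  }
  return true;
}

// Headers a verification site can send so it is never framed: the user then
// always lands on the site's own page, where the address bar is meaningful.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY', // fallback for browsers without CSP support
  };
}

// Constructed scenario: a merchant page embeds the bank's verification page.
const MERCHANT = 'https://shop.example';
const BANK = 'https://acs.bank.example';
console.log('no headers ->', canBeFramedBy({}, MERCHANT, BANK)); // true
console.log('hardened   ->', canBeFramedBy(antiFramingHeaders(), MERCHANT, BANK)); // false
```

Because `frame-ancestors` takes precedence over `X-Frame-Options` when both are present, a site that wants to allow exactly one trusted embedder should list that origin in `frame-ancestors` rather than relying on the legacy header, which cannot express a per-origin allow list in current browsers.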

Another problem with 3DS that is highlighted in the report is that it  
fails to specify a consistent mechanism for verification. Individual  
implementors are free to determine the means for verification on their  
own, and often make really poor choices. For example, the report says  
that one bank requires cardholders to enter their ATM PIN during the  
verification process. This is a pretty shoddy security practice that  
encourages consumers to engage in risky practices that will expose  
them to significant risk from phishing scams.

Fixing the problems
The widespread and growing adoption of 3DS is difficult to combat  
because it offers built-in incentives for merchants and banks by  
making it easy for them to shift liability to the consumer. The  
researchers say that the time has come for better technology and  
regulatory intervention.

Financial institutions have aggressively embraced the concept of  
electronic passwords in some countries—such as the UK—because  
passwords aren't covered by the laws that protect consumers from the  
consequences of transactions that are carried out with forged  
signatures. The security researchers say that the banks should only  
get to shift the liability to the consumer when transactions are  
validated by a trustworthy payment device—a piece of hardware, similar  
to a CAP calculator, that connects to the user's computer and  
implements a two-factor authentication model.
