Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.
In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?
Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.
Update (2010-01-27): There has been some follow-up media coverage
- The Register – Verified by Visa bitchslapped by Cambridge researchers
- ZDNet UK – Cambridge researchers knock Verified by Visa
- Heise Security – Researchers criticise 3D Secure credit card authentication and Forscher kritisieren Kreditkartentechnik 3-D Secure
- PCWorld (IDG News Service) – 3D Secure Online Payment System Not Secure, Researchers Say
- V3.co.uk (formerly vnunet) – Researchers slam 3-D Secure as insecure
Update (2010-01-28): The New Scientist also has the story, as has Ars Technica.