3D Secure online payment system not secure, researchers say

Liability for fraud said to be unfairly shifted from merchants to customers

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.

That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.

One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.

The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.

3DS also allows people to set their password immediately as they enroll in the system, a process called "activation during shopping" (ADS). The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.

Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote. 3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.

Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card. Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.

Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.

Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase. Another method is sending a SMS (short message service) verification to a person's mobile phone along with a one-time passcode that can be entered during the e-commerce transaction.

However, "most banks have chosen to go for passwords than anything better," Murdoch said. "Passwords are really cheap."

Merchants must pay to implement SecureCode or Verified by Visa, where the systems mentioned above would likely require the banks to spend money, Murdoch said.

In a statement, Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with on-line transactions.

"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the statement said. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."

MasterCard officials could not be immediately reached for comment.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?