Secondary credit card security systems for online transactions such as Verified by Visa are all about shifting blame rather then curtailing fraud, Cambridge University security researchers argue. The 3D Secure system - branded as either Verified by Visa or MasterCard SecureCode - has become a ubiquitous extra line of security …
anybody who has worked with it
probably considers that blindingly obvious. the entire system has been badly managed from the start, and the majority of retailers who could deal with the chargebacks delayed/didn't bother implementing it
given that the only thing keeping credit cards afloat at all is the ``trust'' backed by large amounts of money and chargebacks on the merchants. It never was a securable system, given how you have to give a few magic numbers along with all your personal information to ``pay''. This is a common theme in banking, mind.
I find it ironic that openid is actually ``better'' in this sense, even though it clearly isn't difficult, since it also doesn't quite protect your personal information much, or at all.
Actually they know it.
Based on experience with the HSBC any time you shop more than 3 things in a row within 30 minutes on sites using Verify By Visa it is marked as fraud and they block your card. So if you are not being a compliant consumerdroid and not shopping for a holiday from a "approved" "bundle" as a compliant consumer should do you get a block straight away. Hotel, flight, parking, car - 4 puchases in 20 minutes on average for at least 1K in total. BOOM - blocked card.
If however the sites you use to shop are not using VBV the purchases actually tend to go through.
So base don experimental evidence and the way their current fraud prevention systems are setup they know it is weak. Just doing the "time to bury bad news" yet again and proclaiming how good it is for fraud prevention.
Mastercard also blocked my GF's card because they thought there was a suspicious transaction. She was paying her council tax online, so apparently now paying your taxes is 'suspicious behaviour'.
Ah that explains it!
I'm also with HSBC and used my Visa card heavily in the run-up to Christmas buying travel tickets from all and sundry.
Christmas Eve arrives and my card is locked, meanwhile the World's Local Bank (tm) has buggered off down the pub for a bonus-fuelled piss-up.
When I eventually got through to someone called Charles (in Bangalore) they couldn't explain why the card was locked, only that certain security issues had been raised - but nothing so serious that a few minutes listening to the godawful three bar HSBC anthem (all of their long-suffering customers will know it well) couldn't put right with a short spot of [tappity] and the requisite 'have you thought about buying home insurance from HSBC?' question.
Verified by Visa?
Do what I do. Shop somewhere else, and inform the vendor thats the reason.
no title....do I need one?...really?...
I totally agree....if a website uses VbV I go elsewhere. If I can comment about this on the website I do.
Oddly enough my local council now uses VbV for online transactions. Now I have to pay my monthly council tax payments by phone rather than online. Bastards!
Even the banks dont know what its for
First time I saw 'Verified by Visa', I was a bit doubtful it was legit. Even though I was shopping on a top ranked online site.
I called my Credit Card company. The call center had never heard of Verified by Visa. So they immediatly stopped my card.
Couple of days later they'd obviously been given the training course on what it was.
It is not the merchants who do this it's the banks. They demand that compaines use verified by visa or securecode, or face higher interchange rates (the amount that the merchant is charged for a card payment).
If the decision is £m's in incready bank charges per year or £000,000's to install and maintain VbV then the business will always go with option 2.
This misses the point...
MasterCard and Visa have build an infrastructure that allows individual banks to decide how secure their internet purchases must be. Banks make their own tradeoffs around (i) security versus customer convenience; and (ii) timelines for migrating their entire customer base to secure logins for internet banking and SC/VbV purchases.
Password/DOB based schemes are not totally secure. But they are enough of a barrier to stop >75% of opportunistic fraud.
Card readers with challenge-response codes verified by the credit card PIN are undoubtably more secure, but a pain for customers and a significant implementation headache for a bank with millions of customers. Many banks plan to move to this as a second phase for VbV/SecureCode, but the timeframe is usually aligned with their plans for securing access to their internet banking environments.
Yes, VbV/SecureCode are vulnerable to phishing. This only affects individual merchants, and is relatively quickly detected by banks' fraud analysis.
(posting anonylmously, as i'm a credit card industry insider and have worked on several MC SecureCode implementations)
Then you are to blame
I utterly despise MC SecureCode, it is utter crap and a total inconvenience. I have lost count of the number of times it has had some fit and blocked my purchase and just returned some meaningless exception code.
You phone the card company, they can't help.
You phone the retailer, they can't help.
So you use a different card and say "FUCK OFF" to MC SecureCode.
Also, the MC SecureCode shit is very badly integrated and my browser throws a fit as 85% of the time it detects MC SecureCode potential XSS. My, that really boost my confidence in MC SecureCode.
Take my advice - boycott retailers that use MC SecureCode/VbV and keep you life simples.
It's always been flawed.
The biggest flaw at the moment is the way you have to enter the password. For those who haven't been through the process try this:
Enter the fourth, seventh and eleventh characters of your password.
In my experience very people can do that off the top of their head. Most people seem to remember passwords more by 'finger habit' than anything else. When I use VbV I've found the most reliable way is to write my password using Notepad and put a row of digits underneath. That's clearly a big FAIL for security.
I have to track nearly a dozen passwords (personal and corporate since our IT people are only slowly hooking every application up to the domain) but VbV is the only time I have difficulty.
The other fail with VbV is that it's easy to circumvent. A friend has given up trying to enter their password and either lets it fail or just goes for 'I forgot it'. They've been doing this for a couple of years now and aside from a few extra clicks it's never stopped them buying things.
I suspect it's like Chip 'n' Pin - it's a get out strategy. Something they can point to if a transaction is disputed that they hope will let them off the hook. They don't want to protect our money - they just don't want to have to reimburse us.
All of them should be band
The are a pain, require too many passwords, and are no substite for just not being stupid.
I hate them and will not use any site that uses these. Lord knows what it is like for someone who only shops on line from time to time and is not so happy with internet shopping.
Chip and Pin
No different. How many readers have a shroud which totally covers the magnetic strip when you insert it? How many of us know what's inside that box?
A local petrol station (chip and pin equipped) was cloning cards for months. They'd got the skimmer mounted on the chip and pin device, mounted so it looked like part of the casing.
It's not about securing customer finances, it's about shifting blame. It always is. If they wanted to make it secure, the PIN system would be thrown out and we'd have one-time authentication (code is a hash of PIN, Date and Time, and amount. Code can't be used any other time), or two-factor authentication (Something you are, something you have, something you know. Pick two).
You may think that Chip and Pin / 3D security are two-factor: They're not. The card is an identifier, not part of the security system. An RFID token, or photographic ID would be a second factor. In online transactions, everything is always "something you know" as you only need to know the details of the card holder to bypass the system / authenticate successfully.
Natwest have a two-factor authentication system for their online banking, so it can be done.
Whilst you are in some ways right
...that EMV Chip and PIN cards are mostly an exercise in shifting the blame, you don't have the details. The card IS part of the security system and contains a small crypto processor.
They DO have secure one-time authentication in the EMV system. The card itself produces a cryptogram of the transaction amount, date, time and a few other bits and pieces that the terminal verifies. the card also produces another cryptogram that the terminal cannot read and is sent to the authorising bank so that it can verify that the transaction details are identical as understood by the card and the terminal and nobody's trying to interfere.
Yes - you can still skim magnetic stripe card details and use them in some places. That is the weak link. EMV is only secure if merchants refuse to take mag-stripe transactions.
So, would it be good to rub off the mag strip on our cards?
What use are they these days?
Would a store refuse a card with no mag strip, thinking it's bogus?
And in other news...
...bears poop in the woods.
Not to diss the guys behind the research, who are top notch and deserve credit (and deserve to be listened to a lot more closely by the buffoonish powers that be), but anyone who has been handling card payments on a website has known that this is pretty much the case ever since the gormless scheme was introduced. Like the CVC (CVV, Card Security Code, call it what you will) it's just a mechanism for the banks to offload as much responsibility for fraudulent transactions as they can to either the merchant or the cardholder.
That way, they get to keep more of our money so that they can widdle it up the wall on dodgy investments and pay themselves ludicrous bonuses.
I'm glad Cambridge researchers agree with me
I've been saying this for years...
Lets hope this makes it into the mainstream media, with all the anti-bank feeling around at the moment something might be done.
Put magic number on card.
Magic number lets anyone who knows it buy stuff.
Problem: magic number is too easy to duplicate.
Solution: add a 2nd magic number.
The only reason they haven't put 3 magic numbers on there yet is that they can't think of a good acronym for it.
I tried to avoid these for a while
Eventually everywhere I wanted to buy something from had Verified by Visa in the process, so I had to give up and go with the flow.
It was obvious from the outset that like Chip & Pin the only reason for this existing is to push fraud liability back onto the customer. If you wanted to make the PIN properly secure, you should separate the PIN entry from the system processing the payment - let the cardholder have direct entry on the card or their own machine. Combining PIN entry hardware with validation token receipt means that the machine is susceptible to interference to record PINs and account details as a pair.
If I had the power, I'd get real security researchers to lay down some minimum legal standards for security which must be met before anyone can claim enough system integrity to push liability somewhere else. You'd probably want to do this at a europe-wide level though.
You should not be able to blame someone for revealing secret information when it isn't secret anyway. That should be classed as fraud on the part of the credit institution. Perhaps one day they'll piss off someone rich enough to make a case out of it.
The Rich don't get ripped off...
They have a concierge contact Their financial staff (who they told to buy them something) based upon the pre-agreed parameters setup by the bank and the Person's staff of financial agents. They don't sully their hands dealing with the riff-raff.
If someone DARES to commit fraud using a line of credit (NEVER call it a "credit card" - those are for the plebs) under Their name, the bank bends over backwards to remove the offending error and flaps furiously that such a thing could happen, AND IT WILL NEVER HAPPEN AGAIN.
Basically - If you have the money that such a thing would cause an issue they would get upset over, the bank won't let it become an issue they would get upset over. :(
Of course its about offloading liability...!
The same as the anti-virus/phishing software being peddled by the banks directly via their online banking systems - I'd put money on the fact that the banks will try to deny liability if you don't use [b]their[/b] AV software rather than another reputable solution... Its all about passing blame and avoiding payouts
In the early 1980's I was working as an engineer tracing a problem with duplicate transactions on cash machines. I saw on the news that night, a spokesman for the bank I had been brought in to help, telling how people who were complaining of duplicate transactions were mistaken. It was fraud, it physically could not happen. It must be a family member, they MUST have told the pin number to someone, it was not possible for the system to duplicate a transaction.
Yet there I was, working on a problem were duplicate transactions were being logged....
Trust them not.
Terrified by Visa...
I was ultimately able to opt out of this for one of my cards with a simple phone call (though finding the right number to call turned out to be less simple). What I don't know is what effect this has on my liability (or at least the liability that might be assumed before an ombudsman has to be involved). Not been able to do so for other cards as I can't find anyone to talk to with a clue.
Biggest problem is the implementation which embeds the request for additional information (or, most of the same information all over again....) within the merchant's website in such a way that you can't readily see where the information is being sent and therefore distinguish between a real and rogue merchant - it's basically an open invitation to phishing.
Not that poor security in card-processing should be a surprise to anyone by now...
It works great for me...
Because VbV and SecureCode don't let you use the same password twice, and because they have such tight password requirements, I can never remember the password I have set with them, so I have to write it down, or change it every time (by confirming my DoB etc) I make a purchase...
Writing it down obviously isn't the best option :o)
"a target for phishing"
Never mind a target for phishing, it's always looked like the most basic phishing attack to begin with. My parents, who I've managed to train quite well, refused to use it at first as it seemed dodgy. In their defence, it was a redirect that was neither the shopping site, a visa domain or indeed one of the bank's domain. It's very very difficult for the average Joe to identify a genuine Verified By Visa request.
It must be one of the most utterly useless security check ever designed (maybe next to the 3-digit CVV code - all you're really doing is extending the card number from 16 digits to 19), especially as pointed out in the article it's trivial to reset the password.
If I remember correctly, way back in the early noughties when I was writing ecommerce sites and the 3-digit CVV was introduced, the instruction was that it was never to be stored anywhere in your DB, on pain of some kind of nastiness to your merchant account. I presume (but don't know) it's also not stored in a machine-readable format on the card.
Thus, the extra level of security this provides is not to turn a 16-digit number into a 19-digit one, but to guard against your card number being usable if a database where it's stored is compromised (quite likely at the time, having seen the sort of shoddy code being rushed out back then) or your card is skimmed.
So, in theory, if a card number is presented with CVV it is more likely that the person presenting it has (access to) the physical card, and less likely that they're using a card number stolen from somewhere.
I do recall having to tell coders who hadn't read the documentation that the CVV wasn't to be stored in the DB, so I'm assuming that there are various implementations out there that do store it and thus neuter it as a security measure - it's a slightly brittle solution in that respect.
You must never store the CVV number anywhere, ever...
PCI guidelines expressly forbid it - you even have to explicitly state you do not store that data to even get PCI compliance.
We hate VbV and Mastercard secure with a vengeance, and so far have resisted being forced into implementing it.
That's ok then..
As long as you promise that you won't write it down anywhere... I'm sure the phishing people don't store it either, that just wouldn't be cricket :-)
> Financial Cryptography conference in Tenerife, Canary Islands, Spain.
A conference in the Canary Islands?!
I needs to get me a gig like that!
More bloody passwords
I think the Verified by visa scheme has just tipped me over the biological limit for remembering passwords. I just can't remember the sodding thing.
They really just don't get it. It doesn't matter how many usernames and passwords credit card companies and banks ask for IT'S STILL ONLY SINGLE FACTOR.
Can't the sods get together and make a token?
Yup, several times I've had to phone up the (un)helpline (which last time I tried found they're not 24/7, bloody inconvenient to say the least) because I couldn't remember the VbV password and entering in details as-printed-on-the-card along with DoB etc. didn't work, so now I've taken a new route to picking passwords for these annoying multiple-layer 'security' systems.
Easy to remember because when you get to the 3rd password entry to buy something not even £20, your patience runs out and you start going "OHFORFUCKSAKE" so that's what you use as your password.
Verified by VISA pass the buck
I have had a protracted battle with my Bank, First Direct, and VISA over this. First Direct claim it is VISA insisting on it, VISA claim it is First Direct. Despite many calls and emails i can find no one who is prepared to admit that they are responsible for the service, so not only is it pushing the risk to the customer no one in the banking world is willing to take responsibility for it.
I object most strongly to it as to use it I am forced to accept terms that I can not adhere to. The conditions of sign up state that you must not write down or record in a recoverable electronic means the password. Doing so immediately makes you liable for any fraudulent use. Well I am badly dyslexic so failing to write the password down effectively locks me out. As dyslexia is a recognised disability by the equalities legislation I informed both my bank and VISA that they were discriminating against me. Thats when the "it's their fault" pass the parcel started.
Right now I do not buy from any retailer who uses verified by VISA and am looking for a bank that does not use verified by VISA though so far no luck...
Just don't tell them that you wrote it down
There, fixed for you.
One time passcode
Could they not send a one time code to the hardholders mobile and verify that?
HSBC Business Banking ...
used OTPs but they were supplied in a small keyfob device. Press a button on the device and the screen displayed the next 6-digit code. The equivalent code was also generated on the server side to match.
I would be happy with such a device for consumer banking. Or maybe supply it as a mobile app.
I have one of those keyfobs too and am happy with the security it brings. You are right it should be brought to consumer banking too. However I wouldn't trust it as a mobile app, there's too much opportunity for a hacked smartphone to intercept the cypher key used in generation.
Also if the bank phones me they use the more trustworthy method of quoting half my postcode/DOB/security question and asking that I complete it. That is decent secret sharing and wish chip & pin machines did something similar.
As I understand it some of the securecode-type variants let an account holder upload a picture which is shown back to them at checkout to gain their trust. This is poor secret sharing as it's wide open to MITM attacks, mitigated further by the use of iframes.
(Thumbs up for one time passcodes)
In Sweden 10 years ago
SwedBank rolled keyfobs out over a decade ago, but then their banking system seems to be somewhat better managed than the UK's.
I work for a major investment bank, and these are issued routinely to all staff so that we can access all systems remotely (when working at home, DR etc.).
And yes, the keyfob principle (6 digit code regenerated every 30 secs) is also available as an app on everybody's blackberry.
So good question, why hasn't this been implemented for consumer banking?
Excuse the ignorance...
But how do you access DOB's publicly in the UK?
Is this through online census data?
You just call someone and claim to be from their bank. You tell them that before you explain why you are calling you need to know their DOB as a security check.
Sounds stupid and short sighted?
Yes - good ol' Barclays use that system.
Their Pinsentry seems secure but the problem with that is that I don't have my bank card with me when I'm using my computer. It's a right PITA having to get up to go and fetch it just so I can see my balances.
Fork with their heads!
Whenever a financial institution phones me and then tries to take me through security, I point out that they already know who I am and I am the one that needs to take them through security.
Sauce for the goose...
I always point out to them that I need characters 3,6 and 9 from their PIN code. When they quibble I 'discover' they haven't requested one so cannot speak to them as they cannot verify their ID. 9 times out of 10 I know why they are ringing and deal with it in background and it has now progressed that they try to use a different security check system for me which comprises me answering details about my DOB....well that is more secure then.
I have even prepared a 15 page docuemtn for an authorised person to complete to request a PIN but no-one has gone for it yet.
I know what you mean...
...but if someone phones me up and asks me for confidential information then I want THEM to be able to prove who THEY are. Usually I just say "Look, if you're really from my bank then I'll phone back and ask to speak to you - what's your name and department". They're only ever going to refuse if they're NOT who they initially claimed to be...
I hate them!
Bloody pain the arse those things. In some cases you could just ignore them asking you, or in some cases use another card. But now I've had to give in otherwise getting hold of stuff would be a lot more difficult.
Though I agree 100% with the article, and many other previous Reg commentards, like the PIN it's just another way for the banks to shift the blame to the customer as they can't possibly be in the wrong can they?
Thankfully not every credit card company has been forced into this yet. This is why I like my RBS Mint Visa card so much - they don't use that daft "security" system. Instead they have a internal fraud system that works very well.
Last year someone used my card in the US. Only spent £1 on some Web Hosting, but Mint spotted this as dodgy and blocked the card straight away. When I phoned them to find out what had happened, I got a very helpful guy in Scotland who even briefly unlocked the card to allow me to complete one more payment from the old card before he issued me a new one.
(Darn... now I am sounding like an advert...) If RBS can avoid this stupid system, and instead pay people to actually create a system that properly tracks fraud - why can't the other banks?
What doesn't surprise me is watching my clients trying to use this system with their cards. You see them forget the passwords, or write them onto the card (!!) This "security" is a joke and too easy to reset. (And I have lost count of the number of times clients have given up on a purchase due to VbyV breaking...)
We Live in Hope
Who knows, this might actually lead to something. Like banks taking their share of responsibility for online fraud.
Naaaaaaa! Nearly had you there didn't I?
I've been saying this since these schemes first appeared. My gf can never remember her password so every time she buys something online she has to reset it. That's really secure right there.
"Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders,"
Sounds like security to me. It makes the bank's money more secure. Wasn't that the point ?
I'll pay cash, thank you. Where's my wallet ?
Surely a more secure system would be for the customers not to provide card details to retailers but use the ability of Public Key Encryption to transmit the information securely.
Customer visits website, fills up basket and proceeds to checkout.
At checkout customer completes name, address, delivery address , cost, card type before proceeding to payment.
At payment, the Customer's Browser generates an encrypted message (using the public certificate of Card Vendor) consisting of the name, delivery address, cost, card details and a random string of characters from the web site's public certificate which is then sent to the retailer.
The retailer stores the encrypted message with the customer order details as payment method
The retailer then encrypts customer name, address, delivery address, card type, cost and customer generated message to the Payment Clearing Centre.
The Payment Clearing Centre decrypts the retailer message and uses the Card Supplier Type details to know which Card Supplier needs to process the request.
The Card Supplier receives the payment request details from Payment Clearing Centre which decrypts the Customer message, verifies the Name, Address, Delivery Address, Card, Total details against its records and the vendor supplied details. Authorisation for payment can be made to the Retailer.
In terms of refunds the Retailer can use the Customer encrypted message to return money onto the card, this encrypted message would automatically expire after a year.