back to article Mastercard and Visa to ERADICATE password authentication

Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme. The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise …

Page:

  1. dogged

    Dubious, philosophically speaking

    "We want to identify people for who they are, not what they remember"

    riiiiiiiiight

    1. NumptyScrub

      Re: Dubious, philosophically speaking

      Looks like some people believe that it is nature, rather than nurture, that defines us. ^^;

      I agree that I am the sum of my experiences, however :)

  2. DrStrangeLug

    Biometrics

    Seriously people, stop thinking biometrics are secure.

    I've seen fingerprint authentication fooled for the cost of a camera and an inkject printer.

    1. Anonymous Coward
      Go

      Re: Biometrics

      That would be the most basic ones on the planet...half decent ones look for a pulse and blood vessels

      1. A Known Coward

        Re: Biometrics

        "half decent ones look for a pulse and blood vessels"

        Which I've seen defeated countless times by simply placing your finger behind the photocopy of a fingerprint (or a latex print created by the same).

      2. Carpetsmoker

        Re: Biometrics

        Indeed. This is truly impossible to fake...

        </sarcasm>

      3. DragonLord

        Re: Biometrics

        The most recent one that I've seen going into general use eschews fingerprints for scanning the pattern of the blood vessels in your finger.

        1. Khaptain Silver badge
          Pint

          Re: Biometrics

          The most recent one that I have seen captures your DNA and Blood, sends a sample to a local Vogon spaceship, anaylses the results for any traces of Pan-Galactic Gargle Blaster, calls up Zaphod directly, asks he was drinking with you lately and if not zaps you into oblivion.

          Why the importance of this diatribs, simples, it's great to have highly advanced techniques but they MUST BE AVAILABLE before anyone can use them and this takes bloody years......

          meanwhile as I reach for a bottle of good Ol' Janx Spirit.... ------>>> Yes it's Friday

        2. AndrueC Silver badge
          Coat

          Re: Biometrics

          Covered by a very early Mythbusters episode. Also of note - the manufacturer offered some kind of guarantee that it couldn't be beaten. So that's two lessons in one ;)

          Mine's the one with the hands in the pockets to stop someone cutting them off and using the fingerprints.

      4. Cynic_999 Silver badge

        Re: Biometrics

        I work with many different fingerprint scanning systems, but so far have not come across a scanner that detects either blood vessels or a pulse. I'm not sure how well either of those things would be detected in a cold environment either.

    2. Nigel 11

      Re: Biometrics

      I've seen fingerprint authentication fooled for the cost of a camera and an inkject printer.

      Or for the cost of a piece of sellotape (to lift a fingerprint), a small piece of photo-resist-coated PCB material, standard etchant, and a blob of silicone rubber. Which method has the advantage that it does not need any connivance from its victim. It's just a slight modification of the long-known method for putting a random fingerprint on an incriminating object. (Pray you have a good alibi if it's your print they lift )

      Or for no cost at all. A brutal criminal will just cut off your finger(s) and leave you tied up while he empties your bank account. Mercedes used to sell cars that used the owners finger instead of a key. Until South African carjackers started cutting drivers' fingers off. Mind you, that was better than being shot dead and then having your fingers hacked off. Or vice versa. No way I'd drive any car except a rust-bucket in a country like that. Safer still to not go there at all.

      No way am I ever going to carry a financial instrument that uses part of my body as a key.

      1. Anonymous Coward
        Anonymous Coward

        Re: No way am I ever going to carry a financial instrument that uses part of my body as a key.

        I also leave my brain at home when going to the atm :-)

        1. Gene Cash Silver badge

          Re: No way am I ever going to carry a financial instrument that uses part of my body as a key.

          Most people apparently do.

          This morning I wondered if the woman in front of me was attempting to negotiate a hostile takeover of the bank via the ATM. LADY! YOU DON'T NEED TO QUERY YOUR BALANCE THREE TIMES IN A ROW! IT WON'T MAGICALLY HAVE MORE MONEY!

          1. Mark Cathcart

            Re: No way am I ever going to carry a financial instrument that uses part of my body as a key.

            Really, why not? I transfer money to my kids, it shows up within 15-mins...

      2. Daniel B.
        Boffin

        Re: Biometrics

        No way am I ever going to carry a financial instrument that uses part of my body as a key.

        OH SO VERY AGREED. Anyone who has watched either The 6th Day or Demolition Man already knows exactly why biometrics for security are a very bad idea. Sure, high-end biometric scanners will usually check if the body part is still attached to its rightful owner, but the common criminals won't necessarily know this before hacking off your finger or plucking out your eye. And they might still do it out of spite anyway.

        Stop this biometric madness. If you want better security, go down either 2FA, PKI, or some combination of these. Biometrics are going to be painful.

    3. Jin

      Re: Biometrics

      There is another issue to look at.

      Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

      Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

      What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.

      As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

  3. Carpetsmoker

    So how secure are 'biometrics'?

    I don't understand the focus on 'biometrics'.

    Given that it's not that difficult to fake a fingerprint, this means we will all have to wear gloves? Because otherwise anyone could swipe my fingerprints, and have my "secret" code (ie. my fingerprint).

    Even if through some technological breakthrough somehow a brand new 'biometric' system will spring to life, it's not at all inconceivable someone will find a way to fake this in such a way that will fool the detectors.

    This is a problem with *all* biometric authorisation (iris scans, etc.) ...

    Passwords, on the other hand, are something only *I* know, and reading my thoughts is not only impossible today, it's quite possibly not even physically possible.

    There are also more practical concerns, how will this work? Will I need a fingerprint reader? Will that work with my BSD system? Or do I need a smartphone? What if I don't have a smartphone? Will this system even be secure? History has thought us that these sort of systems often contain flaws (sometimes quite serious ones). At least the current systems are well understood (flaws and all).

    The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, but that's nothing new; every bank already does that, as do some services like Dropbox.

    In any case, I don't see how 'biometric authorisation' will make matters better, especially if this means it *replaces* passwords (rather than supplement them).

    1. DragonLord

      Re: So how secure are 'biometrics'?

      Why does everyone automatically jump to fingerprints as soon as anyone mentions biometrics. Of the entire set of things that you could use on the human body (non-invasively) for biometric checks, the fingerprint is just a fairly small subset.

      1. Anonymous Coward
        Anonymous Coward

        Re: So how secure are 'biometrics'?

        "Why does everyone automatically jump to fingerprints as soon as anyone mentions biometrics. Of the entire set of things that you could use on the human body (non-invasively) for biometric checks, the fingerprint is just a fairly small subset."

        It's just the simplest representation to present in an argument, but the argument can be made for any and every biometric. Quite simply, just about anything man can create, man can either re-create or subvert. How do biometrics stop a Man in the Middle, for example, like a tampered entry point, which is physically proven to be impossible to completely secure simply because anyone can find and subvert a point outside a chain of trust and disguise it as a trusted point beyond the point of everyday detectability?

        1. djack

          Re: So how secure are 'biometrics'?

          Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form..

          During enrolment, the authentication server collects data about your authenticator. This may be your password (hash) a seed for a 2FA token, X.509 public key or the base sample data for the biometric (etc. etc.)

          During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderfulscanning device. This data is now a normal bob of data. It may be processed by the client before being sent to the authentication server for processing.

          The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.

          That's why on many Windows networks if you have a password hash, it matters not that you don't know the password or if you have a 2FA token seed and the generation alorithm, you don't need the original token. if you have enough information about a biometric credential and the system in use, you don't need the actual body part and just bypass the scanner hardware.

          In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.

    2. Charles 9 Silver badge

      Re: So how secure are 'biometrics'?

      "The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, but that's nothing new; every bank already does that, as do some services like Dropbox."

      Then someone breaks your master password. Or your memory's so bad you can't even remember that password. And the moment someone says, "Tough!", that someone loses at least one customer. So what are you going to do? Customers are demanding turnkey solutions that don't rely on memory and won't take no for an answer.

      1. Anonymous Coward
        Anonymous Coward

        Re: So how secure are 'biometrics'?

        I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).

        My UK bank account is particularly unusable since it prevents me from using a password manager by asking for random characters from my password.

        Having said which - the visa and mastercard verification MITM popups are the most half-assed and broken web abortions I have ever seen. They look exactly like a phishing MITM attack, they fail to work on some browsers, etc etc. Glad to see them go.

        1. Trainee grumpy old ****
          Trollface

          Re: So how secure are 'biometrics'?

          >> particularly unusable since it prevents me from using a password manager by asking for random characters from my password.

          Get a better password manager? One that lets you select specific characters / substrings from your password.

        2. djack

          Re: So how secure are 'biometrics'?

          "I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."

          Barclays and Natwest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticate access to the account and at the transaction level (the first time you send money to a recipient).

        3. Daniel B.
          Boffin

          Re: So how secure are 'biometrics'?

          I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).

          See, sometimes forcible regulation brings good things. All Mexican banks offer 2FA, because they are mandated by law to do so. Pretty much every bank implemented some form of 2FA since 2007, and the last one that still used the corny "card number matrix" switched to physical real tokens sometime around 2011.

          Meanwhile in the US, 2FA is nowhere to be found.

        4. jonathanb Silver badge

          Re: So how secure are 'biometrics'?

          Some of my UK bank accounts have two factor authentication.

          RBS/Natwest, Barclays and Nationwide have a card reader, so I have to put my card in it, enter a PIN and get a code which I enter into the website.

          HSBC has a code generator which gives me a number to enter into the website.

          Halifax and Santander send a code by SMS to my phone which I have to enter into the website.

    3. Anonymous Coward
      Anonymous Coward

      Re: So how secure are 'biometrics'?

      > The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords

      Even without a password manager. I have about two dozen passwords or so, and remember them all (most of the time!). It's not that I have great memory or anything

      What was I saying?

      Ah yes, not great memory, but I just learn to associate the passwords with the object/site/system I am trying to access, so that for example The Register becomes "8fLpow35" or whatever. Compared to the number of nouns one regularly uses in everyday language, a couple dozen passwords do not seem much. Of course it does require a little intellectual effort--not something I ever see as a bad thing, mind.

      Not advocating this system, just presenting another possible approach to the too many passwords problem.

  4. Kevin Johnston

    W00h00

    I cried when I read this...

    and it took ages before I could stop laughing/cheering long enough to start typing.

    From it's very first day I could never see this as anything other than an MitM vector waiting to be re-purposed

    1. Ian 62

      Re: W00h00

      First time I encountered VbyV (many years ago) I called the card issuer and said "What is this?".

      The call centre replied with, "We've never heard of it, so we've locked your card".

      Frankly, its been downhill ever since.

      Can't remember your password?

      Re-set immediately just by using the details on the card and the date of birth.

      Its not like my DOB is very secret.

      1. Nick Ryan Silver badge

        Re: W00h00

        I don't think I've ever, once, entered my a password on the entirely pointless and annoying Verified by Visa "service". Every time, it's "forgotten password", followed by a few basic details that I can remember and yet another relatively random slew of numbers and letters for the new password.

        Are there any details on how the delusional, control-freak muppets are planning the next ludicrous "security theatre" of authentication?

        1. fruitoftheloon

          @Nick Ryan Re: W00h00

          Nick,

          me too, I have always reset notVerifiedbyVisa with the same password EVERY F'ING TIME it comes up, I have no idea why, but until the last few months it never seemed to remem my password.

          So a bit chocolate teapot really...

          Ymmv.

          J

      2. Charles 9 Silver badge

        Re: W00h00

        "Can't remember your password?

        Re-set immediately just by using the details on the card and the date of birth.

        Its not like my DOB is very secret."

        So how do you tell the difference between a real customer with a bad memory and an intruder who did the research?

        1. John Miles

          Re: Its not like my DOB is very secret.

          Mine is if your website is called something like Facebook (I had to create facebook account but fortunately for an organization page not myself) or I don't think you need to know it at which point I take days, months, years and/or decades off my age

        2. Cynic_999 Silver badge

          Re: W00h00

          The usual way IME is apart from the usual DOB and "memorable question", my bank asks questions regarding recent and/or regular transactions. "Which supermarkets do you usually shop at?" "When did you last withdraw cash from an ATM?" "Have you bought a lottery ticket online over the past week?" etc. Of course it is possible that the fraudster has a copy of my bank statement that is less than a week old, but far less likely than knowing my DOB or family details.

    2. Anonymous Coward
      Anonymous Coward

      Re: W00h00

      Not just that but from a retailer point of view it was a pain.

      If you have an ecommerce site and spend a lot of effort with UX on your payment funnel then you capture the customer (who wishes to purchase), great!, however that pass over to 3DSecure and bam, forget their password, or the bank decides to reject the payment, etc.

      Not so bad to have extra security when you are delivering physical goods to a new customer, but if you aren't then a third party is deciding whether a customer can shop with you or not and there is absolutely no way of finding out why they couldn't complete. There was articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: W00h00

        > There was articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.

        Which is probably the reason why they're scratching it (i.e., sod all to do with the customer's convenience or security).

        Indeed, at one time one of my cards had that stupid system. There were some very unfortunate merchants in France who had this system forced upon them by their bank (providing the checkout). Much as I liked them, I had no choice but to forego their services until, a few months latter, they wrote to tell me they were now accepting AMEX for those of us who could not / would not use that piece of shit of a "verification" system. I felt sorry for them since AMEX's merchant fees are double everyone else's, but...

        At the same time, my bank was claiming that this was enforced from the receiving end and there was nothing they could do. I closed my accounts on that bank so I don't know what the latest status is, but none of the banks that I do business with nowadays seem to implement that sorry thing, thankfully.

      2. Equitas

        Re: W00h00

        Apparently the credit card companies charge retailers considerably more if they don't use 3Dsecure. On the other hand, the customer is more likely to avoid a retailer who does put the customer through the nuisance value of those bizarre credit card "security" setups. I still think that a pass number being sent by SMS each transaction is a far better way of doing things.

        1. Anonymous Coward
          Anonymous Coward

          Re: W00h00

          They don't charge more than if you are using CVV, however they will absorb responsibility for fraudulent transactions (i.e. no chargebacks for stolen cards or unauthorised purchases).

  5. Anonymous Coward
    Anonymous Coward

    Stop with the mobile requirement already

    I don't want stuff via mobile, you need a sim and signal; a Three PAYG sim was a rip-off and a contract would be a complete waste money for me!

    1. A Known Coward

      Re: Stop with the mobile requirement already

      How is a free PAYG sim from Three a 'rip-off'?

      Moreover how are calls charges of 3p a minute, texts at 2p and data at 1p/MB a rip-off either? Assuming you ever use the thing? I put £10 on mine months ago and despite periodically checking my emails via 4G and making the odd call I've still got over £7 on there.

      1. Dave Pickles

        Re: Stop with the mobile requirement already

        It's a problem if you're in $FOREIGN_COUNTRY facing enormous roaming charges to receive calls and texts, with no way to top-up a PAYG account. Any way some of us just don't want a mobile phone.

        1. A Known Coward

          Re: Stop with the mobile requirement already

          Forgive me, but if you're in $FOREIGN_COUNTRY you're not going to be shopping online much are you? Services are a bit different, but it still seems like you're being a bit pedantic.

          I'm not really in favour of using phones for 2FA either, but the original posters comment about a PAYG sim being a 'rip off' just seems like complete rubbish. It's only expensive if you use it a lot, but the original poster clearly wouldn't use it very much since they manage to get by without a phone at all.

          1. Cliff

            Re: Stop with the mobile requirement already

            AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection. And seeing as three and other networks are currently rolling out in-package calls for more and more roaming countries, that gets less of a deal.

            1. David Roberts Silver badge

              Re: Stop with the mobile requirement already

              When I go abroad to visit family I go for a while.

              When in country I expect to be able to shop on line even when I have popped a PAYG SIM in my phone.

              I could be booking hotels, motels, camp sites, ferries, flights using the new SIM either directfly on my phone or tethered to laptop or tablet.

              I may even want to click and collect at stores.

              For this to work in the age of the global traveller you would need to be able to switch phone numbers quickly, easily, and repeatedly from abroad.

              Given that proviso it doesn't seem quite as secure.

            2. Charles 9 Silver badge

              Re: Stop with the mobile requirement already

              "AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection."

              Even in the US, it's pretty easy to pick a plan that has generous texting allowances if not unlimited texting, meaning even if they charge for receiving, it becomes just a drop in the ocean.

          2. Anonymous Coward
            Anonymous Coward

            Re: Stop with the mobile requirement already

            > Forgive me, but if you're in $FOREIGN_COUNTRY you're not going to be shopping online much are you?

            Could you expand on that please?

            1. Anonymous Coward
              Anonymous Coward

              Re: Stop with the mobile requirement already

              >Could you expand on that please?

              What needs to be explained? How many people shop on-line while abroad as much as they do at home? How many people do it at all? Hands up please.

              First off it's assumed $FOREIGN_COUNTRY is the country in which you do not live for most of the year, because then it's no longer foreign. $FOREIGN_COUNTRY is somewhere you are visiting for a business trip or holiday, not the house you own in France and live in for months each summer.

              Many stores won't ship to a different street address than the one which appears on your bank statement, almost none will ship when the country is different, it's an anti-fraud measure. So immediately shopping on-line when abroad becomes more difficult.

              Then there's the cost of shipping abroad, assuming you're buying from the country in which you normally reside, this isn't something you'd make a habit unless it was vital - e.g. arrived at your destination and realised you've forgotten something that can't be purchased locally. In these circumstances why would you not also be prepared to turn your phone on (or swap sims) to receive a text message?

      2. qwertyuiop
        Joke

        Re: Stop with the mobile requirement already

        Yeah, but those of us who have friends tend to have far higher usage and therefore it's more expensive!

    2. Charles 9 Silver badge

      Re: Stop with the mobile requirement already

      Well, for many, their mobile is the only second factor available to them, so if you want 2FA, it's mobile or bust. If you declare 2FA bust, then you now have to figure out how to build a security system that's tamper-proof, turnkey simple, and doesn't require a second factor? Last time I checked, that means the general public is not accepting anything less than the impossible.

    3. fruitoftheloon

      Re: Stop with the mobile requirement already

      Ac,

      not necessarily, Google Authenticator (I think that is what it is called) on my android generates pseudo-random sequence to be entered into web pages etc, and does not to be connect to the interwebs at the time.

      Works quite well, especially here in the countryside, where SMS 2fa is a pain in the derriere due to having ropey mobile reception...

      J

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019