<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Richard&#039;s Kingdom &#187; fraud</title>
	<atom:link href="http://www.richardskingdom.net/tag/fraud/feed" rel="self" type="application/rss+xml" />
	<link>http://www.richardskingdom.net</link>
	<description>Privacy, security and politics in the digital era</description>
	<lastBuildDate>Wed, 07 Jul 2010 11:35:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>3D-Insecure: Cambridge researchers expose Verified by Visa</title>
		<link>http://www.richardskingdom.net/3d-insecure-cambridge-researchers-expose-verified-by-visa</link>
		<comments>http://www.richardskingdom.net/3d-insecure-cambridge-researchers-expose-verified-by-visa#comments</comments>
		<pubDate>Thu, 28 Jan 2010 12:15:11 +0000</pubDate>
		<dc:creator>Richard King</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[3dsecure]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[consumerrights]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[liability]]></category>
		<category><![CDATA[mastercard]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[securecode]]></category>
		<category><![CDATA[verified by visa]]></category>
		<category><![CDATA[visa]]></category>

		<guid isPermaLink="false">http://www.richardskingdom.net/?p=274</guid>
		<description><![CDATA[Credit-card companies claim their 3D-Secure system &#8211; branded as Verified by Visa and Mastercard SecureCode &#8211; provides an extra layer of security against online fraud. Back in November I suggested that, rather than protecting consumers, the extra security appears to benefit banks and merchants by pushing fraud liability onto card-holders.
Now Ross Anderson and Steven Murdoch, [...]]]></description>
			<content:encoded><![CDATA[<p><span class="drop">C</span>redit-card companies claim their 3D-Secure system &#8211; branded as Verified by Visa and Mastercard SecureCode &#8211; provides an extra layer of security against online fraud. Back in November I <a href="http://www.richardskingdom.net/verified-by-visa-email-phishing-scam-reported">suggested</a> that, rather than protecting consumers, the extra security appears to benefit banks and merchants by pushing fraud liability onto card-holders.</p>
<p>Now Ross Anderson and Steven Murdoch, computer security researchers at the University of Cambridge, have published a <a href="http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf">paper [PDF]</a> analysing 3D-Secure. Announcing the work on his <a href="http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/">blog</a>, Prof. Anderson said,</p>
<blockquote><p>From the engineering point of view, [3D-secure] does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. &#8230; This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.</p></blockquote>
<p>The paper concludes by recommending technical measures that would improve security for card-holders. It also calls for regulation to protect consumers from being forced to accept liability for online fraud.</p>
<p>I hope that the academic rigour of Anderson and Murdoch&#8217;s work, backed by the formidable reputation of the University of Cambridge Security Research Laboratory, will help to focus mainstream attention on Visa and Mastercard&#8217;s selfish treatment of their customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.richardskingdom.net/3d-insecure-cambridge-researchers-expose-verified-by-visa/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Verified by Visa email phishing-scam reported</title>
		<link>http://www.richardskingdom.net/verified-by-visa-email-phishing-scam-reported</link>
		<comments>http://www.richardskingdom.net/verified-by-visa-email-phishing-scam-reported#comments</comments>
		<pubDate>Wed, 25 Nov 2009 10:00:21 +0000</pubDate>
		<dc:creator>Richard King</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[3dsecure]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[consumerrights]]></category>
		<category><![CDATA[creditcard]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[liability]]></category>
		<category><![CDATA[mastercard]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[securecode]]></category>
		<category><![CDATA[verifiedbyvisa]]></category>
		<category><![CDATA[visa]]></category>

		<guid isPermaLink="false">http://www.richardskingdom.net/?p=236</guid>
		<description><![CDATA[Back in April I wrote about problems with the credit-industry password scheme Verified by Visa. At the time I compared it to so-called phishing scams &#8211; fraud committed by tricking unwary email users into handing over their passwords, bank account details or credit-card numbers, then ordering goods or transferring cash from their accounts.
It turns out [...]]]></description>
			<content:encoded><![CDATA[<p><span class="drop">B</span>ack in April I wrote about <a href="http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business">problems with the credit-industry password scheme Verified by Visa</a>. At the time I compared it to so-called phishing scams &#8211; fraud committed by tricking unwary email users into handing over their passwords, bank account details or credit-card numbers, then ordering goods or transferring cash from their accounts.</p>
<p>It turns out I wasn&#8217;t the only one to notice this potential. Reports last week indicate that a <a href="http://www.scmagazineuk.com/email-phishing-scam-detected-that-utilises-verified-by-visa/article/158079/">Verified by Visa phishing scam is now circulating by email</a>:</p>
<blockquote><p>Webroot&#8217;s Andrew Brandt claimed that the scam begins with an email that appears to be targeted at holiday shoppers who buy gifts online. Brandt said: “Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information.</p>
<p>“In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.”</p>
<p>However, Brandt pointed out that in the email, the user is sent to a web page that asks you for the information you gave the card-issuing bank at the time you first signed up for the credit card. He also commented that the page is clearly more professional, slick and clean than most phishing pages, as the form&#8217;s businesslike appearance serves to reassure the victim that the page really belongs to Visa.</p></blockquote>
<p>You might think that credit-card companies have a vested interest in reducing fraud; however, the reality is subtly different. Their interests lie in reducing <em>their liability</em>, not the overall fraud-loss figures. Like chip-and-pin before it, the main benefit to banks and merchants of the 3D-secure system is that it transfers liability for fraud onto the card-holder, not that it improves the intrinsic security of transactions.</p>
<p>Here&#8217;s my understanding of how it works: banks first offer to indemnify merchants from any fraudulent transactions they charge that have been authenticated using the scheme. This is a strong incentive for merchants and has ensured widespread adoption. Next the banks adjust their terms and conditions to make their customers liable for all password-authenticated transactions and impose on them a duty to protect their password. Lastly the bank asserts that any password-authenticated transaction must either have originated with the cardholder or be as a result of their neglect &#8211; i.e. they have allowed their password to become known to someone else. The customer is then held liable for the cost of the fraud unless they can somehow prove they are not to blame for their password being used without their consent. Both the bank and merchant are protected from loss at the expense of the card-holder.</p>
<p>Is it reasonable to expect credit-card customers to shoulder the blame for the failure of such a fragile security system, given the prevalence and increasing sophistication of phishing attacks such as the one reported by Webroot? Implementations of 3D-Secure vary between banks and card companies; however, the technology is inherently susceptible to social-engineering attacks, as I <a href="http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business">noted in my previous post</a>. In addition, even if your password security is meticulous, in some cases all a fraudster needs to reset it are the details on the card and the holder&#8217;s date of birth. Hardly a challenge for criminals with a passing knowledge of social-networking and the darknets.</p>
<p>I think fraud liability should remain with banks and credit-card companies except in cases where they can prove their customers are trying to rip them off. The card companies are best placed to solve the problem of online fraud, but there&#8217;s no incentive for them to do so if they don&#8217;t stand to lose from it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.richardskingdom.net/verified-by-visa-email-phishing-scam-reported/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>UPDATED: Could cracked ID cards provide privacy protection?</title>
		<link>http://www.richardskingdom.net/could-cracked-id-cards-provide-privacy-protection</link>
		<comments>http://www.richardskingdom.net/could-cracked-id-cards-provide-privacy-protection#comments</comments>
		<pubDate>Fri, 07 Aug 2009 14:19:37 +0000</pubDate>
		<dc:creator>Richard King</dc:creator>
				<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[homeoffice]]></category>
		<category><![CDATA[idcards]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[no2id]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[uk]]></category>

		<guid isPermaLink="false">http://www.richardskingdom.net/?p=208</guid>
		<description><![CDATA[The UK National Identity Card can be cloned and altered by IT security experts.
Colour me unsurprised.
The consultants who carried out this work are from the same community of experts who have been warning [pdf] that the cards would be cracked since the Home Office first disclosed the mechanics of the scheme.
The alterations can be detected [...]]]></description>
			<content:encoded><![CDATA[<p><span class="drop">T</span>he UK National Identity Card can be <a href="http://www.dailymail.co.uk/news/article-1204641/New-ID-cards-supposed-unforgeable--took-expert-12-minutes-clone-programme-false-data.html#">cloned and altered</a> by IT security experts.</p>
<p>Colour me unsurprised.</p>
<p>The consultants who carried out this work are from the same community of experts who have been <a href="http://www.publications.parliament.uk/pa/ld/lduncorr/s&#038;tii170107.pdf">warning [pdf]</a> that the cards would be cracked since the Home Office first disclosed the mechanics of the scheme.</p>
<p>The alterations can be detected with a check against the National Identity Register (assuming this hasn&#8217;t also been compromised); however, each such look-up will cost around £2. The Government expects the majority of transactions will be authorised through local checks rather than referring back to the central database.</p>
<p>Once someone automates the attack and publishes their code on the Internet, anyone with half a brain, the right mobile phone and access to the world-wide web will be able to change their Government-issued identity at will. As the cards use RFID chips this could be done in seconds while on the move. You wouldn&#8217;t even have to remove your card from your wallet.</p>
<p>Disturbingly, your card could also be changed without your knowledge by someone standing close to you, or from dozens of feet away with the right sort of radio antenna hooked up to a portable computer. The process leaves no trace, so when your card is subsequently checked against the database and is found to have been modified, it will be impossible to determine when the changes were made or by whom.</p>
<p>Possessing a falsified ID card could land you with a fine and up to two years in gaol. Owning the equipment or software needed to make the changes could be enough to win you a decade-long stay at Her Majesty&#8217;s pleasure. <a href="http://www.opsi.gov.uk/acts/acts2006/ukpga_20060015_en_3#pb8-l1g25">[Identity Cards Act 2006 s25 and s29]</a>.</p>
<p>If it weren&#8217;t for these stiff penalties, I&#8217;d be tempted to suggest the ability to change the details on your own ID card is an unintended benefit of the scheme, not for the Government but for those who value their privacy.</p>
<p>The National Identity Register will store fifty different classes of information about you in a collection of linked databases. The Transformational Government project (also known as the Database State initiative) plans to share all of this information with any official who cares to look. This is the antithesis of the &#8220;least privilege&#8221; security principle: that people should be given access to just enough sensitive information to do their job, but no more. For example, you may wish to tell your doctor about your medical history but not about your bank balance or speeding fines. The ID card scheme wrests from you control over your personal information and gives it to the state: it will not be possible for individuals to choose which &#8220;registrable facts&#8221; about them are made available to whom.</p>
<p>It would be possible to regain some of this control, however, if we were able to change at will the details stored on our own ID cards. Facts that we are not willing to share could be either falsified, replaced with nonsense or erased. A mobile phone &#8220;identity management&#8221; application could be written to store multiple personality profiles for your ID card. Using this, you could switch between personae as the need arises, perhaps even employing your phone&#8217;s in-built GPS chip to make sure the &#8220;Mr. Smith&#8221; profile is on the card when you&#8217;re at the Doctor&#8217;s surgery and the &#8220;Mr. Jones&#8221; profile is active when visiting your bank. Being able to compartmentalise your relationships with third parties in this way would be a very strong personal privacy measure.</p>
<p>Yep, that&#8217;s right, I have just suggested committing fraud to regain some control over your identity in the event that you are made subject to the ID cards scheme. It&#8217;s a damning indictment of the relationship between UK citizens and the state that we should have cause to consider this at all. It&#8217;s a more damning indictment of the Government&#8217;s competence and character that it chose to pursue this illiberal scheme despite strident warnings and opposition from just about everyone who knows anything about security and technology. &#8220;We told them so&#8221; brings cold comfort after so much money and freedom has been wasted.</p>
<p>As each nail in the coffin of the ID cards scheme is hammered home, the true motivation of the Home Office in pursuing such an abysmal farce becomes ever more clear. If the Government understood security and respected individual privacy they would allow each of us to choose how much personal information we want to reveal to others. Instead they are trying to assume control over our identity, to nationalise it in a register that is not only a gross violation of the right to a private life, but will also lock those who conform into a system of fines and a lifetime of administrative strife. All in the pursuit of the ultimate bureaucratic convenience.</p>
<p>The confirmation that ID cards are totally insecure is a mortal wound. If the Government doesn&#8217;t now scrap this benighted scheme then we must scrap this Government at the General Election.</p>
<p><strong>UPDATED 10/8/09 14:00 to add:</strong></p>
<p>The Home Office has apparently <a href="http://news.zdnet.co.uk/security/0,1000000189,39709652,00.htm">turned down repeated offers to demonstrate this breach by the researchers who discovered it</a>. A spokesperson said that the story was <a href="http://www.computerweekly.com/Articles/2009/08/07/237247/id-card-cannot-be-hacked-uk-government-claims-encryption-secrets.htm">rubbish</a>. The Home Office has published details of the encryption technologies used by the ID cards scheme.</p>
<p>I&#8217;m disappointed, but not surprised, that the Home Office thinks security is a product which, if sprinkled liberally over a system in a manner similar to magic pixie dust, will somehow make it impervious to attack. It&#8217;s no good having &#8220;elliptic-curve cryptography&#8221; and &#8220;root certificates with RSA 4096-bit strength keys&#8221; if the system allows these things to be tampered with or circumvented.</p>
<p>Props to the Home Office spin department though: releasing the geeky details has distracted at least some of the press from holding them to account on the principles of the scheme.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.richardskingdom.net/could-cracked-id-cards-provide-privacy-protection/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Verified by Visa: bad for security, worse for business</title>
		<link>http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business</link>
		<comments>http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business#comments</comments>
		<pubDate>Mon, 20 Apr 2009 14:19:45 +0000</pubDate>
		<dc:creator>Richard King</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[mastercard]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[securecode]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[verified by visa]]></category>
		<category><![CDATA[visa]]></category>

		<guid isPermaLink="false">http://www.richardskingdom.net/?p=139</guid>
		<description><![CDATA[As far as phishing schemes go they don&#8217;t come better than Verified by Visa. Fortunately it isn&#8217;t actually a scam. However it so closely resembles the perfect online con that this detail makes little practical difference. What&#8217;s more it&#8217;s turning customers away from merchants who employ the system.
If you use a credit card online you&#8217;ve [...]]]></description>
			<content:encoded><![CDATA[<p><span class="drop">A</span>s far as phishing schemes go they don&#8217;t come better than <a href="http://www.visaeurope.com/merchant/handlingvisapayments/cardnotpresent/verifiedbyvisa.jsp">Verified by Visa</a>. Fortunately it isn&#8217;t actually a scam. However it so closely resembles the perfect online con that this detail makes little practical difference. What&#8217;s more it&#8217;s turning customers away from merchants who employ the system.</p>
<p>If you use a credit card online you&#8217;ve probably come across Verified by Visa (or the Mastercard equivalent, <a href="http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html">SecureCode</a>.) The systems add an extra password step to online transactions that the companies claim improves security. Unfortunately the user experience is nothing short of tragic and the implementation is counterproductive in the fight against phishing scams.</p>
<p>Last night I watched a friend burn through three Visa credit cards trying to book Eurostar tickets for a short break to France. Each time, the Eurostar website forwarded him and his card details to a page at 3dsecure.com, where he was asked to enter a password he&#8217;d previously registered. The site gave him two tries before blocking his card. This happened three times with three different cards. No tickets got bought.</p>
<p>Next, another of our group tried to buy concert tickets, again with a Visa card. Not being sure of her password she hit the &#8220;forgotten password&#8221; link and filled out the forms to reset it. She then submitted her transaction but was told that there was an authentication problem and she needed to call her bank. Again, no tickets got bought.</p>
<p>Verified by Visa took away about £250 worth of business from various merchants last night. However that&#8217;s not the scary part. The way card holders are required to enroll with the system beggars belief.</p>
<p>The first time you shop online at a merchant that supports Verified with your Visa card you are redirected to either a pop-up or an iframe that asks you to register for the system. It collects your name, credit card details, some &#8220;secret questions&#8221; and a password. It does all this from a domain that is neither the merchant&#8217;s, your bank&#8217;s nor Visa&#8217;s (in fact there seem to be many variations on the domain name of the iframe or pop-up). The system then authorises the transaction and redirects you back to the merchant&#8217;s site. For subsequent transactions only the password is required.</p>
<p>How is this different in process or appearance from an email or website, claiming to be from or part of your bank, that takes you off to a third-party domain, asks for your credit card details, and then emails them to a drop-box from where a professional criminal cleans out your account?</p>
<p>Visa have invested heavily in securing their credit system against phishing attacks so I cannot understand why they modelled the Verified by Visa enrollment process on one. They used to be able to say to card-holders, &#8220;don&#8217;t ever give your passwords or card details to third parties&#8221; but now they have to qualify the message with &#8220;unless it&#8217;s got a Visa logo on it and it sounds something like 3Dsecure.com (or .co.uk, or was it 3-Dsecure.com. Whatever.)&#8221; That qualification makes it harder for them to get the anti-phishing message across; makes it more difficult for non-technical users to keep their accounts secure; and, with the increasing practice of embedding the offending password dialogue in an iframe, makes it more difficult to distinguish between legitimate and fraudulent requests for your details and passwords. When was the last time you hit View -> Source and checked for iframes?</p>
<p>What baffles me most is that snail mail works perfectly well as a secure channel for sending out authentication credentials. Why can&#8217;t Visa make the banks post out passwords to cardholders (with some literature detailing what the system does and the domain names involved) rather than dreaming up this suspicious-looking online registration system and presenting it to users without warning or explanation? Then they could mandate that the passwords be of high quality and customers could be confident that the system was legitimate. After all, that&#8217;s what they do with the PIN numbers for those very same cards, so it&#8217;s not like it would be any more effort.</p>
<p>After a suggestion by an online friend I&#8217;m tempted to start a list naming and shaming merchants who employ Verified by Visa. I know they&#8217;re being leaned on by the credit card companies to adopt the technology, however it would be a more effective method of pushing back than boycotting banks, which people are unlikely to want to do in large numbers. Of course with so few credit card companies to choose from, a boycott of Visa wouldn&#8217;t attract sufficient interest to make an impact, even if that&#8217;s what I really feel like doing.</p>
<p><em>Have you got a story of Verified-by-Visa-induced woe to add to the collection? Or perhaps your experience has been positive? Do you have a suggestion for the name-and-shame list? Add them in the comments!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
	</channel>
</rss>