Now Ross Anderson and Steven Murdoch, computer security researchers at the University of Cambridge, have published a paper [PDF] analysing 3D-Secure. Announcing the work on his blog, Prof. Anderson said,

From the engineering point of view, [3D-secure] does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. … This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.

The paper concludes by recommending technical measures that would improve security for card-holders. It also calls for regulation to protect consumers from being forced to accept liability for online fraud.

I hope that the academic rigour of Anderson and Murdoch’s work, backed by the formidable reputation of the University of Cambridge Security Research Laboratory, will help to focus mainstream attention on Visa and Mastercard’s selfish treatment of their customers.

It turns out I wasn’t the only one to notice this potential. Reports last week indicate that a Verified by Visa phishing scam is now circulating by email:

Webroot’s Andrew Brandt claimed that the scam begins with an email that appears to be targeted at holiday shoppers who buy gifts online. Brandt said: “Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information.

“In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.”

However Brandt pointed that in the email, the user is sent to a web page that asks you for the information you gave the card-issuing bank at the time you first signed up for the credit card. He also commented that the page is clearly more professional, slick and clean than most phishing pages as the form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.

You might think that credit-card companies have a vested interest in reducing fraud however the reality is subtly different. Their interests lie in reducing their liability not the overall fraud-loss figures. Like chip-and-pin before it, the main benefit to banks and merchants of the 3D-secure system is that it transfers liability for fraud onto the card-holder, not that it improves the intrinsic security of transactions.

Here’s my understanding of how it works: banks first offer to indemnify merchants from any fraudulent transactions they charge that have been authenticated using the scheme. This is a strong incentive for merchants and has ensured widespread adoption. Next the banks adjust their terms and conditions to make their customers liable for all password-authenticated transactions and impose on them a duty to protect their password. Lastly the bank asserts that any password-authenticated transaction must either have originated with the cardholder or be as a result of their neglect – i.e. they have allowed their password to become known to someone else. The customer is then held liable for the cost of the fraud unless they can somehow prove they are not to blame for their password being used without their consent. Both the bank and merchant are protected from loss at the expense of the card-holder.

Is it reasonable to expect credit-card customers to shoulder the blame for the failure of such a fragile security system given the prevelance and increasing sophistication of phishing attacks such as the one reported by Webroot? Implementations of 3D-Secure vary between banks and card companies, however the technology is inherently susceptible to social-engineering attacks, as I noted in my previous post. In addition, even if your password security is meticulous, in some cases all a fraudster needs to reset it are the details on the card and the holder’s date of birth. Hardly a challenge for criminals with a passing knowledge of social-networking and the darknets.

I think fraud liablility should remain with banks and credit-card companies except in cases where they can prove their customers are trying to rip them off. The card companies are best placed to solve the problem of online fraud but there’s no incentive for them to do so if they don’t stand to lose from it.

If you use a credit card online you’ve probably come across Verified by Visa (or the Mastercard equivalent, SecureCode.) The systems add an extra password step to online transactions that the companies claim improves security. Unfortunately the user experience is nothing short of tragic and the implementation is counterproductive in the fight against phishing scams.

Last night I watched a friend burn through three Visa credit cards trying to book Eurostar tickets for a short break to France. Each time, the Eurostar website forwarded him and his card details to a page at 3dsecure.com, where he was asked to enter a password he’d previously registered. The site gave him two tries before blocking his card. This happened three times with three different cards. No tickets got bought.

Next, another of our group tried to buy concert tickets, again with a Visa card. Not being sure of her password she hit the “forgotten password” link and filled out the forms to reset it. She then submitted her transaction but was told that there was an authentication problem and she needed to call her bank. Again, no tickets got bought.

Verified by Visa took away about £250 worth of business from various merchants last night. However that’s not the scary part. The way card holders are required to enroll with the system beggars belief.

The first time you shop online at a merchant that supports Verified with your Visa card you are redirected to either a pop-up or an iframe that asks you to register for the system. It collects your name, credit card details, some “secret questions” and a password. It does all this from a domain that is neither the merchants’, your banks nor Visa’s (in fact there seem to be many variations on the domain name of the iframe or pop-up). The system then authorises the transaction and redirects you back to the merchant’s site. For subsequent transactions only the password is required.

How is this different in process or appearance from an email or website, claiming to be from or part of your bank, that takes you off to a third-party domain, asks for your credit card details, and then emails them to a drop-box from where a professional criminal cleans out your account?

Visa have invested heavily in securing their credit system against phishing attacks so I cannot understand why they modelled the Verified by Visa enrollment process on one. They used to be able to say to card-holders, “don’t ever give your passwords or card details to third parties” but now they have to qualify the message with “unless it’s got a Visa logo on it and it sounds something like 3Dsecure.com (or .co.uk, or was it 3-Dsecure.com. Whatever.)” That qualification makes it harder for them to get the anti-phishing message across; makes it more difficult for non-technical users to keep their accounts secure; and, with the increasing practice of embedding the offending password dialogue in an iframe, makes it more difficult to distinguish between legitimate and fraudulent requests for your details and passwords. When was the last time you hit View -> Source and checked for iframes?

What baffles me most is that snail mail works perfectly well as a secure channel for sending out authentication credentials. Why can’t Visa make the banks post out passwords to cardholders (with some literature detailing what the system does and the domain names involved) rather than dreaming up this suspicious-looking online registration system and presenting it to users without warning or explanation? Then they could mandate that the passwords be of high quality and customers could be confident that the system was legitimate. After all, that’s what they do with the PIN numbers for those very same cards, so it’s not like it would be any more effort.

After a suggestion by an online friend I’m tempted to start a list naming and shaming merchants who employ Verified by Visa. I know they’re being leaned on by the credit card companies to adopt the technology, however it would be a more effective method of pushing back than boycotting banks, which people are unlikely to want to do in large numbers. Of course with so few credit card companies to choose from, a boycott of Visa wouldn’t attract sufficient interest to make an impact, even if that’s what I really feel like doing.

Have you got a story of Verified-by-Visa-induced woe to add to the collection? Or perhaps your experience has been positive? Do you have a suggestion for the name-and-shame list? Add them in the comments!