Thursday, February 11, 2010

Verified by Visa: Weak Security?

Steven J. Murdoch and Ross Anderson analyze the '3-D Secure' protocol, implemented as Verified by Visa (VbV) and MasterCard SecureCode (MCSC), in a recent article for Financial Cryptography and Data Security. The two credit card companies have implemented software and a process which attempts to make online transactions more secure by asking the card holder for a password whenever the card is used for a purchase. The idea is that someone holding a stolen card would not know the secret or pass-phrase the holder uses, and so won't be able to complete an online transaction.

In theory, this isn't a bad idea. Having a two-factor authentication scheme for purchases, if implemented correctly, can make fraud harder to perpetrate online. Because the second factor is (in theory) under the control of the card holder, it is their responsibility to make sure it's difficult to guess, and that they change it frequently or whenever it may have been compromised. Based on this theory, the card companies have changed the liability rules for such transactions; a purchase conducted pursuant to the '3-D Secure' protocol shifts the liability for fraud to the issuing bank, away from the merchant and acquiring bank. In section 2.4 on page 4 of the report, the authors identify a situation where the issuing bank then passes the responsibility to the card holder; this is a UK bank, and I'm not sure that would be possible in the US.

The article points out that there are two important areas where this protocol can fail. The first comes from the potential shift in liability to card holders, which would reduce the pressure on the banks involved to make more than token additional investments in fraud reduction, either by transaction analysis or by using effective security technology. This is in contrast to the current regime, which absolves card holders of responsibility for fraud when they promptly report a lost or stolen card to the bank or issuer; when the cost of fraud lies with Visa or MasterCard, they make (and have made) significant investments in detection and prevention. Our cards have been stolen a few times; each time a large number of purchases were charged, and each time our prompt action avoided liability for the fraudulent balances. I think in most of those cases the bank called us to warn us of the unusual charges, implying that their fraud detection is pretty effective. Keep in mind that this potential responsibility shift to card holders may not be possible to effect in the US, at least under current laws.

The second area where '3-D Secure' potentially fails is in the implementation; there are a number of weaknesses exposed in some banks' software:

  1. The web page asking for your VbV or MCSC password is not obviously served by your bank or by Visa or MasterCard. The password field is implemented as an IFRAME (an embedded frame) which does not trigger the security notices that are typically present in your browser's location bar, so it's not easy to confirm that it's a safe place to type your password.
  2. A safe protocol would have you register a password or phrase at your bank's site before using the card. Unfortunately, the protocol allows something called "Activation During Shopping" (ADS) which prompts you for a password the first time you make a qualifying purchase. Well, maybe that's you, or maybe that's the person who stole your wallet. Some sites want to confirm it's really you, so they ask for your birth date - which is conveniently located on your driver's license, right next to the credit card. Or they may ask for your ATM PIN, which hopefully you haven't memorialized on another piece of paper in your wallet ...
  3. Password resets are not consistently secure. Some banks identified in the report prompted you for a new password if you entered an incorrect one three times.
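
To make item 3 concrete, here is an added example (not code from the report or from any bank) that models an issuer's password check with the reset-after-three-failures behaviour beside a lockout that requires out-of-band verification. The `Issuer` class, its status strings and the card label are hypothetical names made up for the illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False

class Issuer:
    """Hypothetical issuer-side password check; not any bank's real code."""
    MAX_FAILURES = 3

    def __init__(self, reset_in_session: bool):
        self.reset_in_session = reset_in_session  # True = behaviour in item 3
        self.accounts = {}

    def set_password(self, card: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[card] = Account(salt, _kdf(password, salt))

    def authenticate(self, card: str, password: str) -> str:
        acct = self.accounts[card]
        if acct.locked:
            return "LOCKED"
        if hmac.compare_digest(_kdf(password, acct.salt), acct.digest):
            acct.failures = 0
            return "OK"
        acct.failures += 1
        if acct.failures < self.MAX_FAILURES:
            return "RETRY"
        if self.reset_in_session:
            return "PROMPT_NEW_PASSWORD"  # weak: failure itself grants a reset
        acct.locked = True                # hardened: unlock needs out-of-band proof
        return "LOCKED"

def outcome_without_password(issuer: Issuer, card: str) -> str:
    """Policy check: what does a session that never knew the password end with?"""
    status = ""
    for guess in ("wrong-1", "wrong-2", "wrong-3"):  # constructed sample input
        status = issuer.authenticate(card, guess)
    if status == "PROMPT_NEW_PASSWORD":
        issuer.set_password(card, "chosen-in-session")
        status = issuer.authenticate(card, "chosen-in-session")
    return status
```

With the in-session reset, the check ends in `OK` and the original password stops working, so the password adds nothing beyond possession of the card; with the lockout, the session ends in `LOCKED`.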

Finally, there's another issue to consider. Because of the complexity, it seems a number of banks are outsourcing the implementation of '3-D Secure' to a third party such as Cyota. The potential positive effect of that decision might be that the participating banks all benefit simultaneously from increases in security as that party improves. The possible concern is that there's now yet another entity which knows about all your online credit card purchases; in fact, because transaction details are passed to the issuer to present to the card holder for verification, they now are told not only the total for the transaction but all the items in the purchase. That level of detail was not reported by the merchant to the bank previously (in the current/older SET protocol).

So what's the conclusion? Maybe you should consider this course of action when you're challenged by a site using Verified by Visa or MasterCard SecureCode: abandon the transaction, write a letter to the merchant explaining why you think '3-D Secure' is a bad idea, and write to your card issuer and let them know you'll be using another card (Discover? American Express? PayPal? Amazon Payments? Google Checkout?) for your online purchases. In the worst case, the driving consideration behind the development of this protocol is not improved security; instead, it could be the shift in liability for fraud from the banks to you. Maybe if enough card holders push back, they'll get the message, and maybe future implementations of '3-D Secure' will be better.
