Researchers criticise 3D Secure credit card authentication
Researchers at the University of Cambridge Computer Laboratory say the 3D Secure (3DS) authentication system, branded as the "Verified by Visa" and "MasterCard SecureCode" schemes, is "a textbook example of how not to design an authentication protocol". The researchers, Steven J Murdoch and Ross Anderson, make their criticisms in a paper being presented today at the Financial Cryptography and Data Security '10 (FC10) conference. It examines the failings of the credit card verification scheme, which was introduced by banks in response to the rise in fraud for card-not-present transactions.
In the paper, they identify a number of weaknesses. For example, the 3DS form is displayed inside an iframe or a pop-up with no address bar, so there is no indication of where the form has come from. This goes against banks' own advice to their customers to avoid phishing sites by only entering bank passwords into sites they can identify as the bank's own. When one of the researchers first encountered 3DS, he found the content was being served by securesite.co.uk and contacted his bank, who informed him that this was a phishing site. In fact, securesite.co.uk belongs to Cyota, which is owned by RSA and handles the 3DS authentication process for many UK banks.
The researchers also criticise the initial password entry process, which occurs the first time a card holder uses a 3DS-enabled card to shop online. The user is asked to enter a new password as part of making the purchase, which the researchers feel is a bad time to ask for one: the user is probably more interested in shopping and therefore more likely to choose a weak password. They also note that entering the new password signs the user up to new terms and conditions which shift liability onto the customer, despite the bank having made "many poor security choices". Other problems include inconsistent authentication methods, weak mutual authentication based on a memorable phrase chosen when the new password is entered, and concerns about privacy.
The paper concludes that the "single sign-on" model that the 3DS system implements is the wrong model and that what should replace it is a transaction authentication system where, for example, a user would receive an SMS message saying "You are about to pay $X to Merchant Y" and requesting an authorisation code from the customer, at least as a stop-gap until a more trustworthy payment device could be brought into use. The motivation for this, the researchers feel, should come from regulators intervening on behalf of consumers.
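To make the contrast between the two models concrete, here is an added Python sketch; it is not code from the paper, from the researchers, or from any 3DS deployment. The bank-side secret, the message layout, the six-digit code length and the replay check are all assumptions made for this demo. A static password (the "single sign-on" model) authorises whatever transaction is in front of the verifier, whereas a code bound to "$X to Merchant Y" only authorises that one transaction.

```python
"""Constructed demo: static-password check versus a transaction-bound
authorisation code.  Not code from the paper or from any 3DS system."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int   # amount in minor units
    merchant: str       # merchant name as shown to the customer
    nonce: str          # fresh per transaction, makes a code single-use


def sso_authorise(stored_password: str, supplied_password: str,
                  tx: Transaction) -> bool:
    """Single sign-on style: the check never looks at the transaction.
    Whoever has the password can authorise any amount to any merchant."""
    return hmac.compare_digest(stored_password.encode(),
                               supplied_password.encode())


class TransactionAuthenticator:
    """Bank side of a transaction-authentication scheme (assumed design).
    The code delivered out of band alongside the text "You are about to pay
    $X to Merchant Y" is an HMAC over exactly those details, so it is valid
    only for that amount, merchant and nonce, and only once."""

    def __init__(self, bank_secret: bytes):
        self._secret = bank_secret      # constructed secret for the demo
        self._used_nonces = set()       # replay protection

    def _code_for(self, tx: Transaction) -> str:
        msg = f"{tx.amount_cents}|{tx.merchant}|{tx.nonce}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        # Truncate to a six-digit code short enough to type from an SMS.
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def challenge(self, tx: Transaction):
        """Return (message shown to the customer, code sent out of band)."""
        text = f"You are about to pay ${tx.amount_cents / 100:.2f} to {tx.merchant}"
        return text, self._code_for(tx)

    def authorise(self, tx: Transaction, supplied_code: str) -> bool:
        """Accept the code only for the exact transaction it was issued for."""
        if tx.nonce in self._used_nonces:
            return False
        ok = hmac.compare_digest(self._code_for(tx), supplied_code)
        if ok:
            self._used_nonces.add(tx.nonce)
        return ok


def demo() -> dict:
    """Run both models against a genuine purchase and a tampered copy of it
    (same nonce, different amount and merchant)."""
    genuine = Transaction(2500, "Bookshop", secrets.token_hex(8))
    tampered = Transaction(250000, "Other Merchant", genuine.nonce)

    # A phished static password works for the tampered transaction too.
    sso_genuine = sso_authorise("hunter2", "hunter2", genuine)
    sso_tampered = sso_authorise("hunter2", "hunter2", tampered)

    bank = TransactionAuthenticator(b"constructed-demo-secret")
    message, code = bank.challenge(genuine)
    tx_tampered = bank.authorise(tampered, code)   # details differ: refused
    tx_genuine = bank.authorise(genuine, code)     # matches: accepted
    tx_replay = bank.authorise(genuine, code)      # second use: refused

    return {
        "message": message,
        "code": code,
        "sso_genuine": sso_genuine,
        "sso_tampered": sso_tampered,
        "tx_genuine": tx_genuine,
        "tx_tampered": tx_tampered,
        "tx_replay": tx_replay,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is the last three results: the same code that authorises the genuine payment is useless for a transaction with a different amount or merchant and cannot be replayed, which is the property a static password cannot provide.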