February 1st, 2010
Ross Anderson on how the banks and credit card companies have pulled a fast one by pushing customers to use the 3D Secure system to 'protect' their online purchases:
Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it. In a paper I'm presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it's becoming a fat target for phishing. So why did it succeed in the marketplace? [...]
Surprisingly enough, it's got very little to do with security and a great deal to do with shifting liability for losses onto customers.
[Via Bruce Schneier]