Insecure verification

February 1st, 2010

Ross Anderson on how the banks and credit card companies have pulled a fast one by pushing customers to use the 3D Secure system to 'protect' their online purchases:

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it. In a paper I'm presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it's becoming a fat target for phishing. So why did it succeed in the marketplace? […]

Surprisingly enough, it's got very little to do with security and a great deal to do with shifting liability for losses onto customers.

[Via Bruce Schneier]

This entry was posted on Monday, February 1st, 2010 at 23:17.