Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.

Oct 27
2009

Fundamental flaw with 3D Secure

Posted by: Dave

3D Secure is the payment industry's Internet authentication standard. The Visa implementation is known as Verified by Visa and the MasterCard implementation as MasterCard SecureCode. When a cardholder enrols for 3D Secure they get a password associated with their card. From this point on, when they visit a site that supports 3D Secure they will be prompted to enter the password to verify their identity. 3D Secure shifts the liability for fraudulent transactions from the merchant to the cardholder's issuing bank, so merchants have a strong incentive to adopt the standard.

3D Secure allows the cardholder to create a new password if they forget their current one. The manner in which this 'Forgot Password' functionality is implemented seriously undermines 3D Secure and its use as an Internet authentication standard.

I am a frequent online shopper but I rarely come across sites that support 3D Secure. Recently I was purchasing some Skype credit and after entering my card details I was presented with a screen indicating that I had to verify my payment before I could proceed. 

[Screenshot: Verified by Visa 'Verify Payment' page]

After clicking on the 'Verify payment' button I was prompted to enter my 3D Secure password.

[Screenshot: Verified by Visa 'Enter 3D Secure Password' page]

Rather than enter my password I clicked on the 'Forgot your password?' link. I have blocked out my login name in the above screenshot, but it was displayed as static text. After clicking the 'Forgot your password?' link I was presented with the Verified by Visa 'Forgot Your Password - Identification' form.

[Screenshot: the Verified by Visa 'Forgot Password - Identification' page]

Here I was prompted to enter the following information:

  • The 3-digit security code on the back of my card, known as the Card Verification Code (CVC).
  • The credit card expiry date.
  • The cardholder name as it appears on the card.
  • The cardholder's date of birth.


To my surprise, after successfully entering all of this information, a 'Create Password' form was displayed.

[Screenshot: the Verified by Visa 'Create Password' page]

Here I was able to create a new password to be associated with my credit card for 3D Secure transactions. It is worth noting that the password complexity rules enforced for the 3D Secure password would not necessarily produce a password that one would regard as complex: the password must be between 8 and 32 characters long and contain at least one number and one letter. Once I had created a new password I was able to proceed and complete my purchase. Later I received an email from MBNA confirming that I had updated my 3D Secure account profile.

[Screenshot: email from 3D Secure indicating that my profile has been updated]

So what is the problem?

There are two fundamental flaws with the 3D Secure 'Forgot Password' process.

  1. The information required to change the password.
  2. The method by which the cardholder is notified of the password change.


1. The information required to change the password

Three out of the four pieces of information required to change the 3D Secure password are printed on the Visa card itself:

  • The 3-digit security code on the back of the card, known as the Card Verification Code (CVC).
  • The credit card expiry date.
  • The cardholder name as it appears on the card.


If someone is attempting a fraudulent transaction they will already have provided the CVC and the expiry date earlier in the transaction. There is a good chance they also have the cardholder name, but if not they can easily determine it from the 'Login Name' displayed on the initial 'Verify Payment' view. The final piece of information required is the cardholder's date of birth, and if the cardholder has an online presence (e.g. Facebook, Bebo, LinkedIn etc.) then this is not exactly difficult to determine.

 

2. The method by which the cardholder is notified of the password change

The email notifying me that my password had changed came from mbna@securesuite.co.uk. The email contains links to a different domain, www.mbna.3dsecurecard.ie/visa, than that of the sender. The combination of these two points makes the email look like a phishing email. This is exactly the sort of email that we as security professionals educate people to ignore. Changing your 3D Secure password is a pretty big deal, yet the email does not mention that the password has been changed, only that the 3D Secure account profile has been updated.
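To make the two flaws concrete, here is an added example (my own Python, not code from this post or from any 3D Secure implementation) that assesses a reset flow the way a defender would: which verification factors a fraudster who already holds the card details and public profile data would still lack, and whether a confirmation email carries the cross-domain links and vague wording described above. The factor labels, the "stronger" flow and the email body are constructed assumptions; only the sender and link domains come from the post.

```python
import re
from urllib.parse import urlparse

# Factors printed on the card or shown on the 3D Secure screens themselves; a
# fraudster who could start the transaction already holds them.
ON_CARD_FACTORS = {"cvc", "expiry_date", "cardholder_name"}
# Factors typically discoverable from public profiles (the post's point about
# date of birth). Assumption: treat them as known to the fraudster.
PUBLIC_FACTORS = {"date_of_birth"}

# The reset flow described in the post (factor names are my own labels).
MBNA_RESET_FLOW = ["cvc", "expiry_date", "cardholder_name", "date_of_birth"]
# Hypothetical stronger flow: adds a factor only the bank and cardholder share.
STRONGER_RESET_FLOW = MBNA_RESET_FLOW + ["characters_from_phone_password"]


def independent_factors(reset_factors):
    """Factors a fraudster holding the card data and public profile data would
    still be missing. An empty list means the reset adds no check beyond what
    was already needed to attempt the fraudulent payment."""
    return sorted(set(reset_factors) - ON_CARD_FACTORS - PUBLIC_FACTORS)


def notification_findings(sender, body):
    """Flag the two problems the post found with the confirmation email: links
    to a host outside the sender's domain, and no statement that the password
    itself was changed."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"link host {host} is not under sender domain {sender_domain}")
    if "password" not in body.lower():
        findings.append("email never states that the password was changed")
    return findings


# Constructed sample email, using the sender and link domain quoted in the post.
SAMPLE_SENDER = "mbna@securesuite.co.uk"
SAMPLE_BODY = ("Your 3D Secure account profile has been updated. "
               "Sign in at http://www.mbna.3dsecurecard.ie/visa to review it.")

if __name__ == "__main__":
    print("MBNA flow, factors the fraudster lacks:", independent_factors(MBNA_RESET_FLOW))
    print("Stronger flow, factors the fraudster lacks:", independent_factors(STRONGER_RESET_FLOW))
    for finding in notification_findings(SAMPLE_SENDER, SAMPLE_BODY):
        print("notification finding:", finding)
```

For the flow in the post the first function returns an empty list, which is the whole problem in one line: the reset asks for nothing the fraudster did not already need.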

3D Secure is often viewed as the online equivalent of Chip and PIN. Imagine if this 'Forgot Password' process were applied to Chip and PIN in the offline world. When paying for a purchase at a POS device you would have the option 'Forgot PIN'. Selecting this would allow you to reset your PIN by entering the CVC, expiry date, cardholder name and cardholder date of birth. This scenario sounds ridiculous because it is. It would never happen offline, so why implement such a process online, where the potential for and risk of fraud is even greater?


Dave

Comments (18)

Alternative 3D-secure methods
written by Daniel Tenner , October 28, 2009

Hi Dave,

I think the 3D-secure password check depends on what information your bank has on you. For me, if I reset my 3D-secure password, it also asks me for 2 random letters from my "password" - the one that they use to authenticate me on the phone.

I'm sure they could do a better job in cases where they don't have enough information, but they also have to balance it against retailers losing sales because of overly complicated authentication procedures, I suppose.

Daniel


Votes: +1

SecureCode
written by David Keogh , October 29, 2009

The change password functionality for SecureCode also includes another field for verification.
When changing my password recently I was requested to enter in my credit card limit. I didn't even remember what it was currently set at, to which I rang the bank and found out, but it's also available from your bank statement.

David


Votes: +2

Differences between bank implementations of the 3D Secure standard
written by dave lowry , October 29, 2009

Hi Daniel and David,

Thank you for your comments. I did some further research and it looks like Visa/Mastercard require participating banks to operate "compliant software" that conforms to the latest 3D Secure protocol specification. From what I have read it appears that it is up to each bank to implement their interpretation of the protocol. Assuming neither of you are using MBNA cards, this would explain the differences when we use the 3D Secure reset password functionality.

Thanks,
Dave


Votes: +5

...
written by Noel , November 03, 2009

Well even if it is easily bypassed, at least it shifts the liability to the bank rather than the merchant. If the bank is getting caught frequently I imagine they won't be long changing their system.

Votes: +0

...
written by dave lowry , November 05, 2009

Hi Noel,

Agreed, moving the liability from the merchant to the bank is good for merchants, but the downside is that 3D Secure appears to have a negative effect on conversion rates. So you are protected against chargebacks but you may be losing potential customers due to the confusing implementation of 3D Secure.


I would be interested to see what would happen if the flaw that I discussed was exploited in the real world. Would the bank accept liability or would they try to pass it to the customer?

Dave



Votes: +4

chargeback rights for 3D Secure transactions
written by John Clarke , November 05, 2009

Dave,

If the flaw you pointed out was used in the real world, the bank would pass on liability to the cardholder. If a transaction is 3D Secure verified, the customer has NO chargeback right to say that they did not make the transaction. It is the same in the real world, if your PIN is used to withdraw money from an ATM. The bank's position is that you must have been negligent to let someone gain access to your PIN.


Votes: +5

...
written by dave lowry , November 05, 2009

Hi John,

Thanks for the confirmation on this, that is exactly what I was thinking. If your PIN is used to withdraw cash from an ATM the bank says you must have been negligent so I was expecting the same might apply for 3D Secure.

It is not really a great incentive for customers to start using 3D Secure....

Dave


Votes: +5

Citibank did it wrong too
written by Joeri Spitaels , November 25, 2009

Hi,

With Citibank's 3D implementation you only need to provide the cardholder's birthdate and post code to get a new password. Basically they made their whole 3D implementation worthless doing that. Sad...


Votes: +3

3D Secure - Hassel for Shoppers, Protection for Merchants
written by dugu , March 25, 2010

Most of the security schemes proposed recently are coming from the perspective of merchants and banks. Shoppers are urged to jump through hoops to protect the merchants.

Here's a simpler proposal that aims to address the shoppers' concerns: paymentseal.com

Benefits:
-protects your card data (one less entity knows your card data - the merchant)
-no registration process
-no passwords to remember
-can set expiration/max. amount that the merchant can authorize.

It's a simple implementation that does not involve an additional entity (issuer bank) in the transaction process.

They will implement it if we get enough shoppers behind it.


Votes: +0

PaymentsSeal - confusing for shoppers?
written by dave lowry , March 26, 2010

Hi there,

I looked at the paymentseal website to see your simpler proposal. Out of the 4 benefits you outlined above, 3 of them are already provided by hosted payment page integrations.

With a hosted payment page integration the card holder information never comes in contact with the merchant or the merchants servers. There is no registration process and there are no passwords to remember. So the only benefit of your proposed system is that you allow the customer to set the expiration and maximum amount that the merchant can authorise.

The only benefit of the paymentseal system is that the customer is protected from the merchant overcharging them. Is this a common occurrence? Personally I have never come across it. If a merchant was to do this they would be likely to lose their merchant account.

Dave



Votes: +4

Thanks for looking at PaymentSeal
written by dugu , April 01, 2010

Dave,

Thanks for your feedback.

It is true that the hosted payment page (HPP) solutions already address those points. The distinction of PaymentSeal from other solutions is that the shopper can see the protection. When you buy stuff online, how do you know if the site is using HPP? If you found a desperately needed item on a scruffy looking site, would you prefer to use the PaymentSeal method or take a chance not knowing what's going on behind the scenes?

PaymentSeal significantly reduces the risk for shoppers. Although card issuers guarantee against fraudulent charges, the card holder still needs to deal with the hassle of reporting the theft, waiting for a replacement card, and other nuances like nervously waiting for their investigation to confirm your claim is true. And if you didn't notice the charge in time, you are out of luck.

James Lin


Votes: +0

Questions... questions...
written by osearcaigh , April 04, 2010

"the shopper can see the protection"

Why would a shopper trust PaymentSeal either?

"If you found a desperately needed item on a scruffy looking site"

I would advise not buying it regardless; if the site is that bad their logistics system is probably worse.

How does PaymentSeal make money?


Votes: +4

Reduce Risk
written by james lin , April 05, 2010

PaymentSeal is just a name I gave to this method like 3D Secure/VbV.

It is a way to complete a transaction without exposing your credit card information to the merchant. You get your card data encrypted by the merchant's payment provider (who eventually receives the card data anyways) and then pass the encrypted card data to the merchant.

Regardless of how trustworthy the site looks, if there's a way to reduce card holder's risk (without cost), would you prefer it?


Votes: +1

Clarify?
written by osearcaigh , April 06, 2010

I think you cannot separate the trust a consumer holds in an ecommerce site from the site itself - that just seems illogical to me, so you cannot disregard the trustworthiness of the site. Of course reducing risk without cost is a no-brainer.

So, I still have the same questions;

How does PaymentSeal make money?
Why would a shopper trust PaymentSeal?

Thank you for your reply.


Votes: +3

Not Shifting Trust
written by dugu , April 06, 2010

Hi,

You are not shifting trust. In a typical online transaction, you give your card information to the merchant, and he passes it to his payment service provider (PSP) for approval. So, both the merchant and the PSP see the card data. PaymentSeal simply reduces the number of parties seeing the card data by one (the merchant), thus reducing the risk for card holders.

If this can be adopted widely, then the amount of risk that can be reduced is:
number of merchants divided by ( number of merchants + number of PSP)


Votes: -1

Business Case?
written by John Clarke , April 07, 2010

But, as was mentioned earlier, all PSPs & Payment Gateways offer a Hosted Payment Page option precisely to address this issue for merchants. This solution is already widely adopted, and is increasing as mid-tier merchants want to avoid PCI audit requirements.

So if the entire business case is built around providing payments to dodgy-looking web sites that any sane customer would avoid (how often do you "desperately need something from a scruffy-looking web site"?), it is questionable whether there is a sufficiently large market here.

And if you don't trust the web site to begin with, why would you trust it just because it has a "PaymentSeal" logo on it? PaymentSeal has no brand capital, and this cannot be grown organically; it needs a lot of money to be spent to establish any brand as a trusted 3rd party (just look at Verisign).


Votes: +3

...
written by dugu , April 07, 2010

There is no 3rd party involved. If you look at the how-it-works document here:

http://www.paymentseal.com/PaymentSeal_HowItWorks.pdf

Hosted payment pages (HPP) are archaic and prone to losing customers amidst all the redirecting. Most major online sites do not use HPP for that reason.


Votes: +0

No need to get excited!
written by John Clarke , April 08, 2010

PaymentSeal is the 3rd Party (between the merchant & Acquiring Bank - check it out in your how-it-works document!).

My point is that PaymentSeal has no brand capital, so there is no reason for a consumer to trust it - and establishing the credibility of a 3rd Party like PaymentSeal is an expensive process that is difficult to achieve organically, especially in the crowded online payment market.

The reason that most major sites do not use HPP is exactly the same reason they will never use a solution like PaymentSeal - they want to control the customer experience as tightly as possible, and not make any 3rd Parties visible during the checkout process.

Which brings us back to the question of how PaymentSeal will make money - is the "scruffy-looking website" sector large enough to support it?


Votes: +0