Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Apr 11 2010

Changes to the MBNA login process

Posted by Dave in MBNA , ireland , Chip and PIN , Application Security

Those of you who read my blog post about MBNA and 3D Secure will know I am an MBNA Visa card customer. MBNA provide their cardholders with a comprehensive online banking solution. You can review your recent transactions and statements, transfer balances and even view your PIN online. Recently, MBNA made some updates to their site, modifying the login process so that it is now a two-step process.


This change appears to be an attempt to improve usability on the site by simplifying the log-in process. The website provides a "Where do I enter my password?" link giving MBNA's reasons for a two-step login process, reasons which I believe are misguided.


MBNA say the new two-step login process will better safeguard the privacy and security of their customers' personal information. In fact, these changes compromise the security of their customers and provide scope for denial of service attacks. Here, I'm going to show you why.

The first step in the log-in process is where you enter your username. Here we encounter the first problem: if you enter an incorrect username you get a message saying that the username does not match their records. Unfortunately, this means that the system can be used to find valid usernames of MBNA customers.


After entering a valid username you are presented with the password entry screen.


If an incorrect password is entered then this is indicated to the user.


Now we encounter problem number two: MBNA implement an invalid login attempts policy by which accounts are locked after 3 invalid login attempts. This in itself is not a problem, but combined with the ability to determine valid usernames it becomes one.

The invalid login attempts policy will prevent an attacker from carrying out a brute force attack to find the password for a cardholder's username, but it does leave MBNA open to a type of denial of service attack. For example, an attacker could determine a list of valid usernames for MBNA cardholders and then proceed to make three invalid login attempts for each username, locking out the accounts in the process.

The lesson is simple: when securing these systems, think about the malicious mind. It is good usability practice to return useful error messages; however, the error message need only be useful to the point of correcting the user's error. In the MBNA example there is no logic in having a second step. It does not provide any benefit to the customer in terms of security or data protection. I would also argue that it does not provide any benefit in terms of usability, as the user now has to deal with two screens, two page loads and an extra click to submit each form.

The username and password should be entered in the same form, i.e. a single-step sign-in process. An informative error message such as "The username or password is incorrect." can then be displayed when an invalid username or password is entered. In this way the user benefits from the usability practices behind returning useful error messages, while an attacker gains no extra knowledge to help compromise the system.
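As an added example (my own Python, not MBNA's code), here is the two-step pattern criticised above next to the single-step sign-in just recommended; the user store, the sample password and the lockout threshold of 3 are assumed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample user store (not MBNA's); passwords are kept as salted PBKDF2 hashes.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False

_SALT = os.urandom(16)
USERS = {"dave": Account(_SALT, _hash("correct-horse", _SALT))}
# Decoy account checked whenever the username is unknown, so the server does the same
# work and returns the same message whether or not the username exists.
_DECOY = Account(_SALT, _hash(os.urandom(8).hex(), _SALT))

GENERIC_ERROR = "The username or password is incorrect."
MAX_FAILURES = 3  # the lockout threshold the post describes

def two_step_username_check(username):
    """The pattern the post criticises: step one confirms whether a username exists."""
    return "ok" if username in USERS else "The username does not match our records."

def login(username, password):
    """Single-step sign-in: one form, one generic error for every failure case."""
    account = USERS.get(username, _DECOY)
    # Always verify the password, even for unknown or locked accounts, so the three
    # failure cases cannot be told apart by message or by response time.
    ok = hmac.compare_digest(_hash(password, account.salt), account.pw_hash)
    if username not in USERS or account.locked:
        return False, GENERIC_ERROR  # a locked account gets the same message as any other failure
    if not ok:
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True
        return False, GENERIC_ERROR
    account.failures = 0
    return True, "Welcome back"

if __name__ == "__main__":
    print(two_step_username_check("nobody"))  # reveals that "nobody" is not a customer
    print(login("nobody", "x"), login("dave", "x"))  # identical responses
```

The lockout still exists in the hardened version, but without the username oracle an attacker cannot build the list of accounts needed to lock them out deliberately.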

Dave


Oct 27 2009

Fundamental flaw with 3D Secure

Posted by Dave in Visa , security , Phishing , passwords , online payments , MasterCard , Chip and PIN , Application Security , 3D Secure

3D Secure is the payment industry's Internet authentication standard. The Visa implementation is known as Verified by VISA and the MasterCard implementation is known as MasterCard SecureCode. When a cardholder enrols for 3D Secure they get a password associated with their card. From this point on, when they visit a site that supports 3D Secure they will be prompted to enter the password to verify their identity. 3D Secure shifts the liability for fraudulent transactions from the merchant to the cardholder's issuing bank, so this is a strong incentive for merchants to adopt the standard.

3D Secure allows the cardholder to create a new password if they forget their current password. The manner in which this forgot password functionality is implemented seriously undermines 3D Secure and its use as an Internet authentication standard.

I am a frequent online shopper but I rarely come across sites that support 3D Secure. Recently I was purchasing some Skype credit and after entering my card details I was presented with a screen indicating that I had to verify my payment before I could proceed.

Verified by Visa Verify Payment page

After clicking on the 'Verify payment' button I was prompted to enter my 3D Secure password.

Verified by Visa Enter 3D Secure Password page

Rather than enter my password I clicked on the 'Forgot your password?' link. I have blocked out my login name in the above screenshot but it was displayed as static text. After clicking the 'Forgot your password?' link I was presented with the Verified by Visa 'Forgot Your Password - Identification' form.

The Forgot Password identification page for Verified by VISA

Here I was prompted to enter the following information:

  • The 3 digit security code on the back of my card, known as the Card Verification Code (CVC).
  • The credit card expiry date.
  • Cardholder Name as it appears on the card.
  • Cardholder date of birth.


To my surprise, after successfully entering all of this information a 'Create Password' form was displayed.

The Create Password page for Verified by VISA and 3D Secure

Here I am able to create a new password to be associated with my credit card for 3D Secure transactions. It is worth noting that the password complexity rules enforced for the 3D Secure password would not necessarily produce a password that one would regard as complex: the password must contain between 8 and 32 characters, including at least one number and one letter. Once I had created a new password I was able to proceed to complete my purchase. Later I received an email from MBNA confirming that I had updated my 3D Secure account profile.

Email from 3D Secure indicating that my profile has been updated

So what is the problem?

There are two fundamental flaws with the 3D Secure 'Forgot Password' process.

  1. The information required to change the password.
  2. The method by which the cardholder is notified of the password change.


1. The information required to change the password

Three out of the four pieces of information required to change the 3D Secure password are available on the Visa card:

  • The 3 digit security code on the back of my card, known as the Card Verification Code (CVC).
  • The credit card expiry date.
  • Cardholder Name as it appears on the card.


If someone is attempting a fraudulent transaction they will have already provided the CVC and the expiry date earlier in the transaction. There is a good chance they also have the cardholder name, but if not they can easily determine it from the 'Login Name' displayed on the initial 'Verify Payment' view. The final piece of information required is the cardholder's date of birth, and if the cardholder has an online presence (e.g. Facebook, Bebo, LinkedIn etc.) then this is not exactly difficult to determine.


2. The method by which the cardholder is notified of the password change

The email to notify me that my password had changed came from mbna@securesuite.co.uk. The email contains links to a different domain, www.mbna.3dsecurecard.ie/visa, than that of the email. The combination of these two points makes the email look like a phishing email. This is exactly the sort of email that we as security professionals educate people to ignore. Changing your 3D Secure password is a pretty big deal, yet the email does not mention that the password has been changed, only that the 3D Secure account profile has been updated.

3D Secure is often viewed as the online version of Chip and PIN. Imagine if this 'Forgot password' process was applied to Chip and PIN in the offline world. When paying for a purchase at a POS device you would have the option 'Forgot PIN'. Selecting this would allow you to reset your PIN by entering the CVC, expiry date, cardholder name and cardholder date of birth. This scenario sounds ridiculous because it is. This would never happen offline, so why implement such a process online, where there is even greater potential and risk of fraud?


Dave
