A UK money and finance forum. Finance Banter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » Finance Banter forum » UK Finance Newsgroups » UK Finance
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

UK Finance (uk.finance) Discussion about Finance issues in the UK.

3D Secure is not secure



 
 
Thread Tools Display Modes
  #1  
Old January 30th 10, 06:05 PM posted to uk.finance
Jonathan Bryce
external usenet poster
 
Posts: 1,473
Default 3D Secure is not secure

Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.
Ads
  #2  
Old January 30th 10, 07:06 PM posted to uk.finance
Andy Pandy
external usenet poster
 
Posts: 1,748
Default 3D Secure is not secure


"Jonathan Bryce" wrote in message
...
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.


Yes, interesting that the author of the latter works for Cronto, who are
trying to flog an alternative transaction verification system -
http://www.cronto.com/

There seem to be a lot of theoretical scenarios where customers could be
defrauded and not get their money back, but how many times has this actually
happened in the real world and is it any worse than before? It was just the
same when cash machines first came out, credit cards, online banking, chip &
pin etc.

--
Andy


  #3  
Old January 30th 10, 09:26 PM posted to uk.finance
David Woolley[_2_]
external usenet poster
 
Posts: 49
Default 3D Secure is not secure

Jonathan Bryce wrote:
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.


And they make the common assumption that vendors/card processor using
this system actually serve the form from Cyota. Many of them don't, or
at least didn't, including major card processors, and British Gas. They
copy the form into their own page, and go man in the middle on the
outbound leg.
  #4  
Old January 31st 10, 07:10 AM posted to uk.finance
GSV Three Minds in a Can
external usenet poster
 
Posts: 810
Default 3D Secure is not secure

Bitstring , from the
wonderful person Postman Pat said

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.


Me too, mostly caused by the fact that my wife and I had joint cards and
she could never remember the password I used, nor I the one she set
(assuming even she could remember it).

The Mastercard version, whatever it is called, doesn't seem to
understand the concept of two different users with same card number
(which I guess is Capital One's fault ... most other card issuers give
secondary card a different number).

--
GSV Three Minds in a Can
16,110 Km walked. 2,937 Km PROWs surveyed. 53.1% complete.
  #5  
Old February 1st 10, 06:57 PM posted to uk.finance
S[_2_]
external usenet poster
 
Posts: 14
Default 3D Secure is not secure

On Jan 30, 8:06*pm, "Andy Pandy"
wrote:
"Jonathan Bryce" wrote in message

...

Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.


http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf


There's nothing new here for anyone who has been following this group, but
it is still an interesting read.


Yes, interesting that the author of the latter works for Cronto, who are
trying to flog an alternative transaction verification system -http://www..cronto.com/

There seem to be a lot of theoretical scenarios where customers could be
defrauded and not get their money back, but how many times has this actually
happened in the real world and is it any worse than before? It was just the
same when cash machines first came out, credit cards, online banking, chip &
pin etc.


You don't need to worry, because banks are fine institutions and they
are always the first to admit to their mistakes and to refund monies
wrongly taken from their customers' accounts and they would never
dream of prosecuting a customer for complaining about phantom
withdrawals.
  #6  
Old February 1st 10, 07:01 PM posted to uk.finance
S[_2_]
external usenet poster
 
Posts: 14
Default 3D Secure is not secure

On Jan 31, 7:50*am, Postman Pat wrote:
David Woolley wrote

Jonathan Bryce wrote:
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.


There's nothing new here for anyone who has been following this group, but
it is still an interesting read.


And they make the common assumption that vendors/card processor using
this system actually serve the form from Cyota. *Many of them don't, or
at least didn't, including major card processors, and British Gas. *They
copy the form into their own page, and go man in the middle on the
outbound leg.


VBV is a PITA. I use Firefox with the No-script plug-in and VBV
usually fails due to the way it is implemented.

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.


I was able to reset my password using my birthdate but I was shocked
to learn that in some cases even that's not required. The best
strategy is then to set up a new password each time, since a thief
could have set up the new password as well.
  #7  
Old February 1st 10, 07:29 PM posted to uk.finance
Andy Pandy
external usenet poster
 
Posts: 1,748
Default 3D Secure is not secure


"S" wrote in message
...
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.


http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group,
but
it is still an interesting read.

Yes, interesting that the author of the latter works for Cronto, who are
trying to flog an alternative transaction verification
system -http://www.cronto.com/

There seem to be a lot of theoretical scenarios where customers could be
defrauded and not get their money back, but how many times has this
actually
happened in the real world and is it any worse than before? It was just
the
same when cash machines first came out, credit cards, online banking,
chip &
pin etc.


You don't need to worry, because banks are fine institutions and they
are always the first to admit to their mistakes and to refund monies
wrongly taken from their customers' accounts and they would never
dream of prosecuting a customer for complaining about phantom
withdrawals.


Nah, they're all *******s - don't trust them. Insist on getting paid in cash
and shove it all under the mattress. Much safer.

--
Andy


  #8  
Old February 1st 10, 07:39 PM posted to uk.finance
Andy Pandy
external usenet poster
 
Posts: 1,748
Default 3D Secure is not secure


"GSV Three Minds in a Can" wrote in message
...
Bitstring , from the wonderful
person Postman Pat said

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.


Me too, mostly caused by the fact that my wife and I had joint cards and
she could never remember the password I used, nor I the one she set
(assuming even she could remember it).


I might be missing something - but WTF is the point of VBV if you can simply
set up a new password each time? I thought the idea was you registered a
password against a card and you could then only use that card for online
purchases with that password.

Only one of my cards has insisted on me registering, I've not used it since
the initial registration.

--
Andy



  #9  
Old April 13th 10, 04:36 AM
yes yes is offline
Banned
 
First recorded activity by FinanceBanter: Apr 2010
Posts: 14
Default

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.

That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.

One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.

The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.

3DS also allows people to set their password immediately as they enroll in the system, a process called "activation during shopping" (ADS). The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.

Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote. 3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.

Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card. Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.

Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.

Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase. Another method is sending a SMS (short message service) verification to a person's mobile phone along with a one-time passcode that can be entered during the e-commerce transaction.

However, "most banks have chosen to go for passwords than anything better," Murdoch said. "Passwords are really cheap."

Merchants must pay to implement SecureCode or Verified by Visa, where the systems mentioned above would likely require the banks to spend money, Murdoch said.

In a statement, Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with on-line transactions.

"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the statement said. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."

MasterCard officials could not be immediately reached for comment.
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 04:14 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.Content Relevant URLs by vBSEO 2.4.0
Copyright ©2004-2010 Finance Banter.
The comments are property of their posters.