Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

"Jonathan Bryce" wrote in message
...
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

Yes, interesting that the author of the latter works for Cronto, who are
trying to flog an alternative transaction verification system -
http://www.cronto.com/

There seem to be a lot of theoretical scenarios where customers could be
defrauded and not get their money back, but how many times has this actually
happened in the real world and is it any worse than before? It was just the
same when cash machines first came out, credit cards, online banking, chip &
pin etc.

--
Andy

Jonathan Bryce wrote:
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

And they make the common assumption that vendors/card processor using
this system actually serve the form from Cyota. Many of them don't, or
at least didn't, including major card processors, and British Gas. They
copy the form into their own page, and go man in the middle on the
outbound leg.

Bitstring , from the
wonderful person Postman Pat said

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.

Me too, mostly caused by the fact that my wife and I had joint cards and
she could never remember the password I used, nor I the one she set
(assuming even she could remember it).

The Mastercard version, whatever it is called, doesn't seem to
understand the concept of two different users with same card number
(which I guess is Capital One's fault ... most other card issuers give
secondary card a different number).

--
GSV Three Minds in a Can
16,110 Km walked. 2,937 Km PROWs surveyed. 53.1% complete.

On Jan 30, 8:06*pm, "Andy Pandy"
wrote:
"Jonathan Bryce" wrote in message

...

Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

Yes, interesting that the author of the latter works for Cronto, who are
trying to flog an alternative transaction verification system -http://www..cronto.com/

There seem to be a lot of theoretical scenarios where customers could be
defrauded and not get their money back, but how many times has this actually
happened in the real world and is it any worse than before? It was just the
same when cash machines first came out, credit cards, online banking, chip &
pin etc.


You don't need to worry, because banks are fine institutions and they
are always the first to admit to their mistakes and to refund monies
wrongly taken from their customers' accounts and they would never
dream of prosecuting a customer for complaining about phantom
withdrawals.

On Jan 31, 7:50*am, Postman Pat wrote:
David Woolley wrote

Jonathan Bryce wrote:
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

And they make the common assumption that vendors/card processor using
this system actually serve the form from Cyota. *Many of them don't, or
at least didn't, including major card processors, and British Gas. *They
copy the form into their own page, and go man in the middle on the
outbound leg.

VBV is a PITA. I use Firefox with the No-script plug-in and VBV
usually fails due to the way it is implemented.

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.

I was able to reset my password using my birthdate but I was shocked
to learn that in some cases even that's not required. The best
strategy is then to set up a new password each time, since a thief
could have set up the new password as well.

"S" wrote in message
...
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

http://www.pcworld.idg.com.au/article/334105
http://www.cl.cam.ac.uk/~rja14/Paper...securecode.pdf

There's nothing new here for anyone who has been following this group,
but
it is still an interesting read.

Yes, interesting that the author of the latter works for Cronto, who are
trying to flog an alternative transaction verification
system -http://www.cronto.com/

There seem to be a lot of theoretical scenarios where customers could be
defrauded and not get their money back, but how many times has this
actually
happened in the real world and is it any worse than before? It was just
the
same when cash machines first came out, credit cards, online banking,
chip &
pin etc.

You don't need to worry, because banks are fine institutions and they
are always the first to admit to their mistakes and to refund monies
wrongly taken from their customers' accounts and they would never
dream of prosecuting a customer for complaining about phantom
withdrawals.

Nah, they're all *******s - don't trust them. Insist on getting paid in cash
and shove it all under the mattress. Much safer.

--
Andy

"GSV Three Minds in a Can" wrote in message
...
Bitstring , from the wonderful
person Postman Pat said

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.

Me too, mostly caused by the fact that my wife and I had joint cards and
she could never remember the password I used, nor I the one she set
(assuming even she could remember it).

I might be missing something - but WTF is the point of VBV if you can simply
set up a new password each time? I thought the idea was you registered a
password against a card and you could then only use that card for online
purchases with that password.

Only one of my cards has insisted on me registering, I've not used it since
the initial registration.

--
Andy

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.

That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.

One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.

The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.

3DS also allows people to set their password immediately as they enroll in the system, a process called "activation during shopping" (ADS). The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.

Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote. 3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.

Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card. Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.

Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.

Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase. Another method is sending a SMS (short message service) verification to a person's mobile phone along with a one-time passcode that can be entered during the e-commerce transaction.

However, "most banks have chosen to go for passwords than anything better," Murdoch said. "Passwords are really cheap."

Merchants must pay to implement SecureCode or Verified by Visa, where the systems mentioned above would likely require the banks to spend money, Murdoch said.

In a statement, Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with on-line transactions.

"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the statement said. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."

MasterCard officials could not be immediately reached for comment.