For starters I thought it's a phishing attack, when the frame popped up for the first time.
But the worst is that I don't feel it protects me, despite the marketing crap dished out by CC companies. The only reason is to protect Visa.
What happens if I book a flight at a badly infected internet cafe computer in Chiang Mai and a key logger reads my password?
"No, Mr. Zapp, our logs show irrefutable proof that your password was typed with suchandsuch transaction. Sorry, you're liable, you obviously didn't protect the password."
Scary stuff.
Essentially all financial risk for credit card transactions is borne by the merchants. (Which is one reason why the banks don't seem to do much about fraud -- why should they inconvenience their customers to protect someone off of the balance sheet who doesn't get a choice to not use their bank?)
http://banking.about.com/od/checkingaccounts/a/stolendebitca...
This is why I never use a debit card for anything.
We now return you to your regular HN programming.
You are correct in that this is how banks operated before 3D Secure. They shift all the fraud liability onto the hapless merchant and then charge them through the nose (with both the amount and the chargeback $35, as well as a potential disabling of the merchant account if it has more than 1% of fraud - which is easier to achieve than you'd think, especially if you're low-volume, e.g. if you're a small business or startup).
The purpose of 3DSecure is to "fix" this situation in favour of the merchants. Do the card companies (VISA & Mastercard, basically) now take on liability for fraud? OF COURSE NOT. With 3D Secure, they have shifted the liability from the merchant straight to the issuing bank, which can choose whether to pass it on to the cardholder, and sometimes does. It's really entirely up to them. Also, it's worth pointing out that a lot of credit card fraud is only detected months later, so "in a timely fashion" may be excessively difficult to achieve.
Now, the question to ask is, who actually benefits from 3DSecure?
- The merchants
That's it. Who bears the burden of getting everyone to sign up to 3DSecure?
- The issuing banks
Who stands to lose money if the merchants are protected?
- The issuing banks
In view of this, it's no surprise that implementations are shoddy and many people are not signed up. Why would the issuing banks want to push a scheme that makes them lose money?
In defense of Visa, et al, this is hard to get right. Take, for example, SET, which uses PKI and is probably much more secure, but is impractical to implement:
It's unfortunately obvious that the CC companies are pushing this as hard as they can, with no concern for customers, banks or merchants. :-/
Does VbV make this any worse? It's very difficult to protect against (other than "never use untrusted computers").
Your credit card comes with a simple communication port (usb, bluetooth, whatever) and a two line B&W text LCD display (like on cryptocards or cheap electronic watches). Every time you want to buy something, you connect the card with the merchant. (This works in person and over the internet.) The merchant sends the card an official merchant name ("Delta Airlines"), which is registered with the credit card company, and a price ("$234"). These appear on the first and second lines of the card readout. If you approve the charge, you hit a single button on your credit card. Your credit card then sends an authorization code to the merchant which is good only one time, on that date, for that price, and with that merchant (using some sort of RSA hash).
If a wireless connection is used, there is little risk of criminals trying to secretly communicate with your card sitting in your wallet; you simply won't approve the transaction (unless they have physical control of your card, at which point you're no more vulnerable than you are now).
Further, you'd know exactly how the name of the merchant would appear on your bank statement.
The only downside I can think of is that the card would be slightly thicker (like a crypto card), slightly less durable, and need a battery (which would last for the life of the card). But we already replace the physical card every few years, so is this a problem? Is the technology particularly expensive?
In a shop, the card reader is owned by the shop and is similar to point-of-sale card readers used in the USA. However, most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.
For example, to authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your pin. You then get a cryptographic authorisation code to type into online banking.
Crucially, the scheme works using cryptography, and the cryptography is performed within the chip on the bank card - it is not possible to read the PIN off the card.
(edit: and, in contrast to the scheme described in the parent post, stealing a card doesn't help much if you don't know the PIN, and the card will disable itself if the wrong PIN is used too many times)
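The single-use, transaction-bound authorization code proposed in the card-with-display comment, which is also what the reader-generated code in the comment above amounts to, shown as an added example that is not code from any commenter or card scheme. HMAC-SHA256 stands in for the "RSA hash"; the shared key, counter, field encoding, 8-digit truncation and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def _encode(fields):
    # Length-prefix each field so ("AB", "C") and ("A", "BC") never collide.
    out = b""
    for f in fields:
        raw = str(f).encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def card_auth_code(card_key, merchant, amount_cents, date, counter):
    """What the card emits after the holder presses 'approve'."""
    mac = hmac.new(card_key, _encode([merchant, amount_cents, date, counter]),
                   hashlib.sha256).digest()
    # Truncate to 8 decimal digits, short enough to type by hand.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Issuer:
    """Issuer side: shares card_key with the card and tracks used counters."""
    def __init__(self, card_key):
        self.card_key = card_key
        self.next_counter = 0

    def verify(self, merchant, amount_cents, date, counter, code):
        if counter < self.next_counter:
            return False                      # counter already consumed: replay
        expected = card_auth_code(self.card_key, merchant, amount_cents,
                                  date, counter)
        if not hmac.compare_digest(expected, code):
            return False                      # a bound field was altered
        self.next_counter = counter + 1       # burn the counter on success only
        return True

def demo():
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample key
    issuer = Issuer(key)
    # Constructed transaction: merchant name and price as shown on the display.
    code = card_auth_code(key, "Delta Airlines", 23400, "2010-04-01", 0)
    return {
        "wrong_amount": issuer.verify("Delta Airlines", 99900, "2010-04-01", 0, code),
        "wrong_merchant": issuer.verify("Other Shop", 23400, "2010-04-01", 0, code),
        "genuine": issuer.verify("Delta Airlines", 23400, "2010-04-01", 0, code),
        "replay": issuer.verify("Delta Airlines", 23400, "2010-04-01", 0, code),
    }

if __name__ == "__main__":
    print(demo())
```

A code captured by a key logger on an untrusted computer is useless for any other merchant, amount or date, and useless for the same transaction once the issuer has accepted it.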
> most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.
This means you can only make online purchases easily and securely at home. If I want to be able to make purchases at someone else's computer, an insecure back door must necessarily be left open even when you're not away.
> To authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your pin.
This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.
> You then get a cryptographic authorization code to type into online banking.
This seems like a huge burden. Physically typing in long cryptographic codes? Do people actually subject themselves to this?
Thanks very much for the perspective.
EDIT: I retract the second criticism for reasons explained below.
That might be the deal-breaker here. People with wallets sit on their credit cards daily. I've split the plastic on mine a few times, even though I've gotten into the habit of taking my wallet out when I sit down.
Credit card purchase authorization over SMS might be more sturdy, although that has its own security considerations (I think this exists somewhere already though).
I would think it's surmountable, but point taken.
> Credit card purchase authorization over SMS might be more sturdy
How is this supposed to work? They send you a text, and you reply to confirm? The inability to make purchases without a signal seems fatal.
Thanks for the feedback.
This is just begging for copycat phishing and MITM attacks.
> The design of the form does not match the design of either the merchant or the issuing bank. The design looks ‘cheap’. It doesn’t look trustworthy.
> No telephone number. When a user sees a telephone number it gives them a feeling legitimacy. They may not phone, they just want to see the number just in case.
> The calls to action at the bottom of the page really don’t work. ‘Submit’ is rather generic and does not give an indication of the next step. ‘Cancel’ gives no indication what will happen next and really should be removed.
> There is still very little recognition by users. Visa and Mastercard have done a poor job of marketing and raising awareness.
> The text is American "Expiration date" should be "Expiry date"
> Once the customer has overcome all 11 of those issues they can purchase. 11 issues. 11 serious issues.
Serious issues? Let's tally: cheap design, no phone number, button names, lack of marketing, bad copy. These are not serious issues that make a technology "broken" -- at least, not in the sense that, say, MD5 is broken. The points about the phone number, cheap design, and lack of marketing should not even be in this list.
And then there is this gem, from the guy who is going to fix our "broken" security technology:
> Firstly, the URL, well that’s an easy one, embed the page within an iframe. It does of course mean one can’t check the security certificate but hey, who ever does this?
> About the author: Joe specialises in designing every aspect of the user experience from initial research to developing a robust, measurable online strategy to producing beautiful, easy to use wireframes and website information architectures.
Oh, I see.
If you're losing customers for a bit of security theater, I think "broken" is a pretty good term from the perspective of the retailer.
I'm reminded of how my credit card issuer contracts out transaction verification to a third party, so whenever I make a large purchase, I get a phone call originating from a 1-800 number that doesn't match the one on my card, and the first thing they ask from me is sensitive information.
I have Australian and UK bank accounts. Both require Verified by Visa. The Australian account asks me to enter a single-use number from a battery-powered token. The UK account asks me to enter three randomly-selected digits of my password. The former is obviously immune to phishing attacks. The latter is not completely, but to get the complete password would require several sessions. Neither of them are immune to MITM attacks, but I'm not sure how MITM would help an attacker here: VbV authorises a transaction but doesn't allow you to place one. You can't do anything with the information you have snooped upon because it's single-use (in the first case) or because you don't have enough of the password (in the second case).
It's disturbing to say the least.
I'd much rather type an extra password during the checkout process instead of being charged $700 for hardware and Windows Vista DVDs (thieves aren't always the brightest).
It is already really hard to teach casual computer users about security online. The one thing that used to work so far was "never enter your password on a website you've been redirected to" and "always check the site's identity in the address bar". Verified by Visa redirects you to some website on some random server and asks you to enter your password. There is no way for the user to check its authenticity.
A much more reasonable design would be to control all sales via your bank's website, i.e. having an inbox with "purchase requests" and approving them through your bank's interface. That would be both secure and very transparent to the user, and the bank could easily control the level of security required (passwords, TANs, ...).
I agree this is an awful user experience, at a time where the trend in payments is to make the user's experience better this is a huge step back.
We have a system in place here called Chip and Pin (http://en.wikipedia.org/wiki/Chip_and_PIN) which was supposed to protect people by requiring them to type in a personal PIN code. The only problem was that there were plenty of ways to commit fraud without knowing the PIN, and until new regulations came into force the banks would reject claims of fraudulent transactions and require the victim to prove that such transactions weren't fraudulent.
If you want to see how bad the card industry and banks can 'do security', just look here: http://www.cl.cam.ac.uk/research/security/banking/
Until 3DS implements some out-of-band authentication, you won't have something secure. Implementing OoB auth isn't difficult, either. The technology has been around for a LONG time, with proven results.
For instance, I've never had to put in my 3D Secure code on Amazon, BackBlaze, Syncplicity or ZumoDrive. The problem is that at least here in Finland, the only company (representing all the local banks) offering credit card processing practically requires 3D Secure unless you implement everything yourself (e.g. can't use their CC vault) - and no, unfortunately the US subscription API services don't work here, unless you somehow manage to get a merchant account in a UK bank.
There doesn't ever seem to be a permanent opt-out, so anytime I want to buy something from a merchant that uses it, I have to hunt for the magic button to get around it again.