Researches slam MasterCard and Visa 3-D Secure tech

News 29 Jan, 2010

A new paper by researchers from Cambridge has cast a shadow over online shopping technologies that are meant to improve security.

Cambridge researchers have cast doubt on extra credit card security measures in a paper published this week.

Highlighting both MasterCard SecureCode and Verified by Visa, Ross Anderson and Steven Murdoch from the Computer Laboratory at Cambridge University, claimed the 3-D Secure technology “breaks many established security rules” when purchasing online.

Firstly, the two researchers claim it confuses users who have become used to the traits of Transport Layer Security (TLS).

Browsers have introduced measures to help customers, such as changing the colour of the address bar if TLS is enabled, and making it clearer who the domain name belongs to," the report claimed.

It added: “Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice.”

The report also criticised how a user first establishes their password as rather than sending it to a registered address, it is done the first time a card is used online. It also means the user will be keen to get the purchase finished so often wont pay much attention to terms and conditions they are agreeing too, allowing banks to “shift liability to customers.”

The researchers concluded from all of these points that “customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online.”

As a result, they are calling for banks to spend more on setting this system up to make it safer and urging new regulation from the likes of the EU to ensure people follow the rules.

"Circumventing security procedures is, as always, a focus for criminals and we value the input of academia in verifying the effectiveness of security features and systems," A Visa spokesperson said in a statement issued to IT PRO.

"Visa does not however, wholly agree with the premise and conclusions set out in the new paper by Cambridge researchers, which describes theoretical scenarios in which they believe Verified by Visa could be compromised."

We also contacted MasterCard for comment but the company had not responded to this request at the time of publication.