IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Researches slam MasterCard and Visa 3-D Secure tech

A new paper by researchers from Cambridge has cast a shadow over online shopping technologies that are meant to improve security.

Credit cards

Cambridge researchers have cast doubt on extra credit card security measures in a paper published this week.

Highlighting both MasterCard SecureCode and Verified by Visa, Ross Anderson and Steven Murdoch from the Computer Laboratory at Cambridge University, claimed the 3-D Secure technology "breaks many established security rules" when purchasing online.

Firstly, the two researchers claim it confuses users who have become used to the traits of Transport Layer Security (TLS).

"Browsers have introduced measures to help customers, such as changing the colour of the address bar if TLS is enabled, and making it clearer who the domain name belongs to," the report claimed.

It added: "Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice."

The report also criticised how a user first establishes their password as rather than sending it to a registered address, it is done the first time a card is used online. It also means the user will be keen to get the purchase finished so often wont pay much attention to terms and conditions they are agreeing too, allowing banks to "shift liability to customers."

The researchers concluded from all of these points that "customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online."

As a result, they are calling for banks to spend more on setting this system up to make it safer and urging new regulation from the likes of the EU to ensure people follow the rules.

"Circumventing security procedures is, as always, a focus for criminals and we value the input of academia in verifying the effectiveness of security features and systems," A Visa spokesperson said in a statement issued to IT PRO.

"Visa does not however, wholly agree with the premise and conclusions set out in the new paper by Cambridge researchers, which describes theoretical scenarios in which they believe Verified by Visa could be compromised."

We also contacted MasterCard for comment but the company had not responded to this request at the time of publication.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Is the Global Talent Visa really helping the UK tech skills crisis?
recruitment

Is the Global Talent Visa really helping the UK tech skills crisis?

10 Oct 2021
Visa to acquire cross-border payments expert Currencycloud
Acquisition

Visa to acquire cross-border payments expert Currencycloud

22 Jul 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022