Researches slam MasterCard and Visa 3-D Secure tech

A new paper by researchers from Cambridge has cast a shadow over online shopping technologies that are meant to improve security.

Credit cards

Cambridge researchers have cast doubt on extra credit card security measures in a paper published this week.

Highlighting both MasterCard SecureCode and Verified by Visa, Ross Anderson and Steven Murdoch from the Computer Laboratory at Cambridge University, claimed the 3-D Secure technology "breaks many established security rules" when purchasing online.

Firstly, the two researchers claim it confuses users who have become used to the traits of Transport Layer Security (TLS).

"Browsers have introduced measures to help customers, such as changing the colour of the address bar if TLS is enabled, and making it clearer who the domain name belongs to," the report claimed.

Advertisement - Article continues below
Advertisement - Article continues below

It added: "Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice."

The report also criticised how a user first establishes their password as rather than sending it to a registered address, it is done the first time a card is used online. It also means the user will be keen to get the purchase finished so often wont pay much attention to terms and conditions they are agreeing too, allowing banks to "shift liability to customers."

The researchers concluded from all of these points that "customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online."

As a result, they are calling for banks to spend more on setting this system up to make it safer and urging new regulation from the likes of the EU to ensure people follow the rules.

"Circumventing security procedures is, as always, a focus for criminals and we value the input of academia in verifying the effectiveness of security features and systems," A Visa spokesperson said in a statement issued to IT PRO.

"Visa does not however, wholly agree with the premise and conclusions set out in the new paper by Cambridge researchers, which describes theoretical scenarios in which they believe Verified by Visa could be compromised."

Advertisement - Article continues below

We also contacted MasterCard for comment but the company had not responded to this request at the time of publication.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Policy & legislation

US demands social media details from visa applicants

3 Jun 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020
Microsoft Windows

Microsoft pulls disastrous Windows 10 security update

17 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
cloud computing

Google Cloud snaps up multi-cloud analytics platform for $2.6bn

13 Feb 2020