Researchers criticise 3D Secure credit card authentication

The researchers Steven J. Murdoch and Ross Anderson criticise the current method of credit-card verification. They found that the mechanisms used by "Verified by Visa" from Visa and "MasterCard SecureCode" from MasterCard are flawed. Banks worldwide are starting to authenticate online card transactions using the '3-D Secure' protocol.
They observe that:
The mechanism used to display the 3DS form embeds it within an iframe or pop-up with no address bar, so there is no indication of where the form has come from. This goes against banks' advice to their customers to avoid phishing sites by only entering bank passwords into sites they can identify as the bank's own site.
The researchers also criticise the initial password entry process, which occurs the first time a cardholder uses a 3DS-enabled card to shop online. The user is asked to enter a new password as part of making the purchase, which the researchers feel is a bad time to ask for a password: the user is probably more interested in shopping and therefore more likely to choose a weak one.
The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed.
This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder's ATM PIN.
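The two issuer-side weaknesses above, a hurried shopper picking a weak password at enrollment and an issuer accepting a PIN-like secret as the online password, are the kind of thing an enrollment policy can catch. The following is an added example and not code from the article, the researchers, Visa or MasterCard; the function name `check_enrollment_password`, the `CardholderProfile` record and the small `COMMON_PASSWORDS` denylist are assumptions constructed for illustration.

```python
# Added example: an enrollment-time password policy for an issuer's 3DS
# verification step. Names and sample data below are constructed for this
# illustration, not taken from any real issuer or from the article.
from dataclasses import dataclass
from typing import Tuple

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "password1234", "123456", "12345678",
                    "qwerty", "letmein", "shopping"}

MIN_LENGTH = 10


@dataclass
class CardholderProfile:
    """Assumed: the issuer already knows these values and can use them
    to reject passwords derived from them."""
    name: str          # e.g. "Alice Example"
    pan_last4: str     # last four digits of the card number
    birth_year: str    # e.g. "1980"


def check_enrollment_password(pw: str, profile: CardholderProfile) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects the weak choices a shopper is likely to make mid-purchase, and
    PIN-like secrets that must never double as an online password."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if pw.isdigit():
        # An all-digit secret looks like an ATM PIN (or a padded PIN). The
        # article notes one issuer asks for the PIN itself; this rule refuses
        # to let a PIN leak into the online channel by the back door.
        return False, "all-digit / PIN-like"
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on common-password list"
    for part in profile.name.lower().split():
        if len(part) >= 3 and part in lowered:
            return False, "contains cardholder name"
    if profile.pan_last4 in pw or profile.birth_year in pw:
        return False, "contains card or birth-date digits"
    if len(set(pw)) < 5:
        return False, "too few distinct characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample cardholder and candidate passwords.
    alice = CardholderProfile(name="Alice Example", pan_last4="4242", birth_year="1980")
    for candidate in ["1234", "1234567890", "password1234",
                      "Alice-shop-2024!", "blue-4242-horse!", "correct-horse-battery"]:
        print(repr(candidate), "->", check_enrollment_password(candidate, alice))
```

The checks run in order from cheapest to most specific, so the reason string tells the enrollment page which hint to show; the denylist here is a few entries only and a real deployment would consult a full breached-password corpus.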
