02 Dec 2011, Phil Muncaster, V3
Trend Micro has called for an update to the 3 Domain Secure (3DS) credit card online authentication system, after revealing that cyber criminals could take advantage of a basic design flaw in some implementations of the protocol to commit ID fraud.
Trend Micro EMEA director of security research Rik Ferguson explained on his CounterMeasures blog that the 3DS system, branded as Verified by Visa and MasterCard SecureCode in the UK, could be subverted by fraudsters owing to a weakness in the password reset process of some versions of the system.
Ferguson said that his card provider's implementation of Verified by Visa's password reset page asks for three pieces of information obtainable from the card and a fourth which is easy for a cyber criminal to find out.
"Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn't the criminal already have access to this?" he asked.
"So what remains? One piece of information that is not included on the card. Trouble is, it's information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret."
To make matters worse, once the password has been reset and the fraudster is able to use the card, no email notification is sent to the customer about the changes.
Ferguson recommended a few basic changes to the system to make it fit for purpose.
"Upon enrolling in the system, cardholders should be requested to set a 'secret question' which will later serve as authentication data for a password change. Instead of simply clicking through to the reset screen, a one-time password reset URL should be delivered to a registered email address," he said.
"Whenever a change to the account details is requested, or is successful, the registered email address should receive a notification message. Oh, one more thing, it would be really great if I could use special characters in my password, please."
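The one-time reset URL and change notifications Ferguson describes, as an added Python example (not part of the original article, and not code from Visa, Trend Micro or any card issuer). The `ResetService` class, the `issuer.example` address, the 15-minute `TOKEN_TTL` and the `send_email` callable are all hypothetical; the secret-question step is left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900  # assumed 15-minute link lifetime (not from the article)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    """Hypothetical issuer-side reset flow; all names here are illustrative."""

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email  # callable(address, subject, body)
        self.now = now
        self.accounts = {}  # card_id -> {"email", "salt", "pw"}
        self.pending = {}   # sha256(token) -> (card_id, expiry)

    def enroll(self, card_id, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[card_id] = {"email": email, "salt": salt,
                                  "pw": _pw_hash(password, salt)}

    def check_password(self, card_id, password):
        acct = self.accounts[card_id]
        return secrets.compare_digest(acct["pw"], _pw_hash(password, acct["salt"]))

    def request_reset(self, card_id):
        # Data printed on the card or a date of birth never authorises a reset;
        # the only proof accepted later is possession of the emailed link.
        acct = self.accounts.get(card_id)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (card_id, self.now() + TOKEN_TTL)  # store hash only
        self.send_email(acct["email"], "Password reset requested",
                        "https://issuer.example/reset?token=" + token)

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use
        if entry is None or self.now() > entry[1]:
            return False
        acct = self.accounts[entry[0]]
        acct["pw"] = _pw_hash(new_password, acct["salt"])
        self.send_email(acct["email"], "Password changed",
                        "Your password was changed. Contact your issuer if this was not you.")
        return True
```

The cardholder receives a message both when a reset is requested and when it succeeds, so a reset they did not start is visible to them at once.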
A Visa Europe spokesperson defended the firm's track record in fighting fraud, and said that Verified by Visa had helped to reduce card-not-present losses by eight per cent year on year.
The spokesperson added that the scheme manages a careful balance between simplicity for customers, ease of implementation for banks and retailers and blocking fraudulent transactions.
"The information that Verified by Visa provides is invaluable in helping card issuers identify and prevent fraud. They can, for example, tell when a card is being used on a PC that is not usually used by the cardholder and take action accordingly," the spokesperson told V3.
"If a transaction has been authenticated following a password reset, this fact will be known to the card issuer in the event that the transaction is subsequently queried. In addition, consumers using Visa cards are always protected if they are innocent victims of fraud."