27 Jan 2010
University of Cambridge researchers have launched a withering attack on the 3-D Secure protocol used by Visa and MasterCard to authenticate online customers, branding it "a textbook example of how not to design an authentication protocol".
In a new piece of research entitled Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication (PDF), Steven Murdoch and Ross Anderson argue that 3-D Secure has become popular because it "got the economics right", rather than being intrinsically more secure than less popular rivals such as OpenID, InfoCard and Liberty.
The research maintains that the protocol often confuses users by running counter to traditional advice about entering credentials only into sites secured by Transport Layer Security, which browsers such as Internet Explorer 8 now recognise by displaying a green address bar.
"Because the 3-D Secure form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3-D Secure easier, but undermines other anti-phishing initiatives by contradicting previous advice," the report advised.
Customer confidence may be further undermined by the registration process, which is often completed during a shopping transaction and involves the user being asked for personal details such as date of birth.
"From the customer's perspective, an online shopping web site is asking for personal details. This further undermines customers' security usability and trust experience. And it is being exploited by criminals as phishing web sites impersonating the ADS form to ask for banking details," the report noted.
Some banks have also used the 3-D Secure system to shift liability for fraud losses unfairly onto the consumer, according to the report.
Murdoch and Anderson further warn that the system is likely to be undermined in time by man-in-the-middle attacks and the continuing growth in sophisticated malware, and that attention needs to be focused not on a single sign-on system such as this but on "transaction authentication".
"In the long term we need to move to a trustworthy payment device," the report concluded.
"This is not rocket science; rather than spending $10 [£6.15] per customer to issue chip authentication program calculators [like Barclays' PinSentry devices], banks should spend $20 [£12.30] to issue a similar device but with a USB interface and a trustworthy display."
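The closing argument, that a static password proves who the customer is but says nothing about which transaction they approved, can be made concrete. The Python below is an added illustration for this page, not code from the Cambridge paper, Visa or MasterCard; the device key, password, merchant names and the per-transaction nonce are all constructed assumptions, and the 8-digit truncation simply mimics a short one-time code.

```python
import hashlib
import hmac

# Constructed demo values (not real credentials). In the paper's model the
# key would live inside the trustworthy payment device, never in the browser.
DEVICE_KEY = b"constructed-demo-device-key"
STATIC_PASSWORD = "constructed-demo-password"


def static_password_accepts(_shown_merchant, _shown_amount, _sent_merchant, _sent_amount):
    """Static-password model (3-D Secure style): the customer sees a merchant
    and amount in the browser and types a password. If malware or a
    man-in-the-middle rewrites the merchant/amount on the way to the issuer,
    the password is still the right password, so the issuer cannot tell that
    anything changed. The arguments are deliberately unused: nothing in the
    proof is bound to them."""
    entered = STATIC_PASSWORD  # a keylogger capturing this can replay it
    return hmac.compare_digest(entered.encode(), STATIC_PASSWORD.encode())


def device_code(merchant, amount_pence, nonce):
    """What a trustworthy device computes *after* showing merchant and amount
    on its own display: a MAC over exactly what the customer approved."""
    msg = f"{merchant}|{amount_pence}|{nonce}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()[:8]


def transaction_auth_accepts(shown_merchant, shown_amount, sent_merchant, sent_amount, nonce):
    """Transaction-authentication model: the issuer recomputes the code over
    the transaction it actually received. A rewritten payee or amount gives a
    different MAC, so the tampered transaction is rejected. The nonce is a
    constructed per-transaction challenge assumed to come from the issuer."""
    code = device_code(shown_merchant, shown_amount, nonce)    # approved on the device
    expected = device_code(sent_merchant, sent_amount, nonce)  # what the issuer saw
    return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    nonce = "tx-0001"
    honest = ("Example Shop", 4999, "Example Shop", 4999)
    tampered = ("Example Shop", 4999, "Other Payee", 250000)
    print("static password, tampered:", static_password_accepts(*tampered))          # True
    print("transaction auth, honest:", transaction_auth_accepts(*honest, nonce))     # True
    print("transaction auth, tampered:", transaction_auth_accepts(*tampered, nonce)) # False
```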
You're not kidding
A few years ago when this type of security pop-up came out my hubs told me he had been filling in his details on such a pop-up. I panicked and immediately phoned the CC company to ask if it WAS official. They said it was. I told them well, I didn't want such a security pop-up; how were we to know if it was legitimate if I shopped online? On that occasion they did something which meant when I shopped online I didn't have to go through the security check. Great, until tonight when I tried to purchase from two online firms which both wanted this 3D security filled in. I tried twice with BOTH firms. Neither time worked. I filled in all that was requested, even my DOB begrudgingly. I telephoned the CC firm TWICE to try to sort it out. It seems neither firm has received my order, which I really NEEDED to be delivered this week. The girl from the CC gave me a new 'password' (what I do with that I have no idea) which will be valid for thirty days. (I won't be using it.) I will phone the bank tomorrow and if they will not change it so that I do not have to go through this so-called 'security' each time I buy on the web I'll find a CC company that doesn't use it.
Posted by: DHewitt 10 May 2011
:-)
This is not an analysis of the protocol but of the way it is implemented by the Issuing bank. I have read 3D Secure documents myself and the protocol has no flaw. In that light tomorrow the researchers (?) will say that SAML (Security Assertion Markup Language) is not safe. The paper should have been titled "How not to implement 3D Secure", and that is where the Issuers (banks) need to put in some thought :-). Good attempt anyways.
Posted by: Turk Ottman 24 Jul 2010
Researchers slam 3-D Secure as insecure
You said: "...3-D Secure has become popular because it 'got the economics right', rather than being intrinsically more secure than less popular rivals such as OpenID, InfoCard and Liberty."

I would submit to you that "getting the economics right" was the prime motivation for the programs. I think there was significant pressure from e-commerce merchants for the brands to offload some of the unfair liabilities for credit card fraud over to the banks, where a lot of it belonged. Payer Authentication was slapped together in an attempt to appease these merchants and fails miserably. The very fact of higher fees to merchants that embrace it, only a small number of chargeback reason codes being applicable and banks not being required to support it seem to be ample evidence that it was not designed to be secure. As long as e-commerce merchants are hit with chargeback fees for fraudulent use of a card, there is a financial disincentive for Visa, Mc, et al to be truly secure.

Tom Mahoney, Director, Merchant911, LLC, Merchant911.org
Posted by: Tom Mahoney 10 Feb 2010
Cracking and selling 3D
The researchers are correct in every respect and have some good recommendations. This security adds virtually no additional security, yet is confusing and difficult for customers. What is particularly relevant is the fact that this security can be easily cracked by key logging spyware recording just a few instances of the 3-D entries. As key loggers are the most pervasive and common malware threat (being on a significant proportion of all computers), this is a bigger threat than the phishing or man-in-the-middle attacks the researchers mention in more detail. Such 3-D secure passwords are regularly traded on the black market as a result.
Posted by: Marcus Whittington, COO, SentryBay 28 Jan 2010