Verified by Visa and Mastercard SecureCode are broken and need to be fixed (cxpartners.co.uk)
87 points by danw on Nov 16, 2010 | 62 comments



He's only complaining about UX, but the bigger problem is that this doesn't actually make things much more secure.

It is already really hard to teach casual computer users about security online. The one thing that used to work so far was "never enter your password on a website you've been redirected to" and "always check the site's identity in the address bar". Verified by Visa redirects you to some website on some random server and asks you to enter your password. There is no way for the user to check its authenticity.

A much more reasonable design would be to control all sales via your bank's website, i.e. having an inbox with "purchase requests" and approving them through your bank's interface. That would be both secure and very transparent to the user, and the bank could easily control the level of security required (passwords, TANs, ...).


There's eFaktura in Norway[1]. Merchants send their bills to you electronically, and you pay them through your homebanking interface. As I never used it when I lived there, I don't know if the mechanism is fast enough for immediate purchases.

1. http://en.wikipedia.org/wiki/EFaktura


It's not fast enough. Money arrives next day, at best.


Even though there's no choice (here at least, when you want to use your Visa over the internet) I HATE, HATE, HATE the concept and here's why:

For starters I thought it's a phishing attack, when the frame popped up for the first time.

But the worst is that I don't feel it protects me, despite the marketing crap dished out by CC companies. The only reason is to protect Visa.

What happens if I book a flight at a badly infected internet cafe computer in Chiang Mai and a key logger reads my password?

"No, Mr. Zapp, our logs show irrefutable proof that your password was typed with suchandsuch transaction. Sorry, you're liable, you obviously didn't protect the password."

Scary stuff.


That is, in fact, the exact opposite of how the banks operate. You are limited to $50 in liability for any fraudulent transaction in your account that you report in a timely fashion, guaranteed by law (in the US at least), and every bank I am aware of waives the $50 for marketing purposes.

Essentially all financial risk for credit card transactions is borne by the merchants. (Which is one reason why the banks don't seem to do much about fraud -- why should they inconvenience their customers to protect someone off of the balance sheet who doesn't get a choice to not use their bank?)


While we are in public-service-announcement mode: I believe that the above protections are still a lot smaller for debit cards than credit cards. You still have $50 limit on liability with debit cards, but you must report the theft very quickly indeed and the thief is emptying your personal account in the meantime:

http://banking.about.com/od/checkingaccounts/a/stolendebitca...

This is why I never use a debit card for anything.

We now return you to your regular HN programming.


In defense of debit cards, in the event you do lose it and someone's emptying your account, your bank should still restore your funds after the theft. I say this because it happened to my wife; Chase's fraud prevention kicked in after about $300, all of which was refunded as soon as she figured out what had happened.


Thanks, good to know. I've been waiting for these policies to kick in as debit cards become more popular.


It has actually been that way for a while. Back about 9-10 years ago someone used my wife's debit card number and after reporting it the bank restored the funds.


I lost a little over £1000 from my debit card once; the bank did refund it but it took 5 internal forms, a police fraud report and a month to get the money back.


It's worth noting that the mere _existence_ of a debit card on a checking account still opens a fraud vector, even if you never use it. If the physical card is stolen, or the bank has a security breach where the number is obtained, those are both enough information to make fraudulent transactions. Of course, using a debit card will greatly enlarge the attack surface, but not using it does not make you immune.


Back before the "cvv" number on the back of the card you could download a bit of software off the net that would generate random account numbers with valid ICA/BIN and check digit. You just picked the name of the bank you wanted the card to appear to be from.


This is not quite true in the context of 3D Secure.

You are correct in that this is how banks operated before 3D Secure. They shift all the fraud liability onto the hapless merchant and then charge them through the nose (with both the amount and the chargeback $35, as well as a potential disabling of the merchant account if it has more than 1% of fraud - which is easier to achieve than you'd think, especially if you're low-volume, e.g. if you're a small business or startup).

The purpose of 3DSecure is to "fix" this situation in favour of the merchants. Do the card companies (VISA & Mastercard, basically) now take on liability for fraud? OF COURSE NOT. With 3D Secure, they have shifted the liability from the merchant straight to the issuing bank, which can choose whether to pass it on to the cardholder, and sometimes does. It's really entirely up to them. Also, it's worth pointing out that a lot of credit card fraud is only detected months later, so "in a timely fashion" may be excessively difficult to achieve.

Now, the question to ask is, who actually benefits from 3DSecure?

- The merchants

That's it. Who bears the burden of getting everyone to sign up to 3DSecure?

- The issuing banks

Who stands to lose money if the merchants are protected?

- The issuing banks

In view of this, it's no surprise that implementations are shoddy and many people are not signed up. Why would the issuing banks want to push a scheme that makes them lose money?


This. The main driver of 3DS, as I understand it, is to sell a service to merchants which promises to lower their costs related to fraud liability. Additional security for cardholders would have been a side effect, had 3DS actually been a good security scheme.

In defense of Visa, et al, this is hard to get right. Take, for example, SET, which uses PKI and is probably much more secure, but is impractical to implement:

http://en.wikipedia.org/wiki/Secure_Electronic_Transaction


The first time I saw VbV I checked the frame URI. When it came up as securesite.net I phoned up the merchant to tell them their site had been hacked. It’s unbelievable that they thought that was a good idea.


Having the word 'secure' as part of the domain name is the same type of nonsense as putting a GIF image of a padlock in the page content. Guarantees nothing and promotes ignorance about how things actually work.


I'm happy I have some choice. With my bank I can refuse to enable it for my VISA, and there are some merchants I use where I can choose to use Secure3D or not when paying.

It's unfortunately obvious that the CC companies are pushing this as hard as they can, with no concern for customers, banks or merchants. :-/


What happens if I book a flight at a badly infected internet cafe computer in Chiang Mai and a key logger reads my password

Does VbV make this any worse? It's very difficult to protect against (other than "never use untrusted computers").


This is why two-factor authentication should be required.


When making a payment? I love the idea of forcing two-factor auth for online banking, but if it was required every time I wanted to spend £5 at a bookstore I think it could get pretty irritating.


An additional problem with the implementation is that it requires javascript. I was working on a project for a UK bank - their security guidelines required securecode, but their accessibility guidelines required that the site work without JS. Sadly achieving the two is impossible.

I agree this is an awful user experience, at a time where the trend in payments is to make the user's experience better this is a huge step back.


I did an implementation myself a month or two ago and noticed the same thing. The contradiction is hard to miss.


Could someone tell me why this idea wouldn't work?:

Your credit card comes with a simple communication port (usb, bluetooth, whatever) and a two line B&W text LCD display (like on cryptocards or cheap electronic watches). Every time you want to buy something, you connect the card with the merchant. (This works in person and over the internet.) The merchant sends the card an official merchant name ("Delta Airlines"), which is registered with the credit card company, and a price ("$234"). These appear on the first and second lines of the card readout. If you approve the charge, you hit a single button on your credit card. Your credit card then sends an authorization code to the merchant which is good only one time, on that date, for that price, and with that merchant (using some sort of RSA hash).

If a wireless connection is used, there is little risk of criminals trying to secretly communicate with your card sitting in your wallet; you simply won't approve the transaction (unless they have physical control of your card, at which point you're no more vulnerable than you are now).

Further, you'd know exactly how the name of the merchant would appear on your bank statement.

The only downside I can think of is that the card would be slightly thicker (like a crypto card), slightly less durable, and need a battery (which would last for the life of the card). But we already replace the physical card every few years, so is this a problem? Is the technology particularly expensive?


A very similar system is already in use in the UK and other parts of Europe. It's called "chip & pin". You plug your card into a card reader and check the LCD display and type in your PIN to authorise a transaction.

In a shop, the card reader is owned by the shop and is similar to point-of-sale card readers used in the USA. However, most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.

For example, to authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your pin. You then get a cryptographic authorisation code to type into online banking.

Crucially, the scheme works using cryptography, and the cryptography is performed within the chip on the bank card - it is not possible to read the PIN off the card.

(edit: and, in contrast to the scheme described in the parent post, stealing a card doesn't help much if you don't know the PIN, and the card will disable itself if the wrong PIN is used too many times)
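The card-with-a-button proposal a few comments up and the chip & pin reader described here rest on the same building block: a short code computed as a MAC over the transaction details, keyed by a secret that never leaves the chip, so that the code is useless for any other merchant, amount or date and cannot be replayed. The following is an added example written for this thread, not code from any card scheme or from either commenter; it assumes a constructed per-card secret, HMAC-SHA256 as the MAC, a transaction counter on the card in place of a clock, and truncation to the 8 digits mentioned for the UK readers. The names card_authorize and Issuer are hypothetical.

```python
import datetime
import hashlib
import hmac

# Constructed test value. In a real scheme the per-card secret lives in the
# chip's secure element and is never exported; the issuer holds a copy.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

CODE_DIGITS = 8  # the reader codes discussed in the thread are 8 digits


def canonical_message(merchant_id, amount_cents, date, counter):
    """Length-prefix every field so that shifting characters between the
    merchant name and the amount can never produce the same byte string."""
    fields = [
        merchant_id.encode("utf-8"),
        str(amount_cents).encode("ascii"),
        date.isoformat().encode("ascii"),
        str(counter).encode("ascii"),
    ]
    out = b""
    for f in fields:
        out += len(f).to_bytes(2, "big") + f
    return out


def card_authorize(secret, merchant_id, amount_cents, date, counter):
    """What the card computes after the holder reads the display and presses
    the approve button. The counter is incremented by the card for every
    press, which is what makes the code single-use."""
    mac = hmac.new(secret, canonical_message(merchant_id, amount_cents, date, counter),
                   hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{code:0{CODE_DIGITS}d}"


class Issuer:
    """Issuer-side verification for one card: it knows the same secret and
    the last counter it accepted, and tolerates a small window of skipped
    counters (e.g. the holder pressed approve and then abandoned the sale)."""

    def __init__(self, secret, window=10):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, merchant_id, amount_cents, date, code, today):
        # The card has no clock, so the date comes with the transaction;
        # the issuer only accepts a date within a day of its own clock.
        if abs((date - today).days) > 1:
            return False
        # Try the next `window` counters; a guessed 8-digit code hits by
        # chance with probability window / 10**8 per attempt.
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = card_authorize(self.secret, merchant_id, amount_cents, date, counter)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter  # consume it: replays now fail
                return True
        return False


if __name__ == "__main__":
    d = datetime.date(2010, 11, 16)
    issuer = Issuer(CARD_SECRET)
    code = card_authorize(CARD_SECRET, "Delta Airlines", 23400, d, 0)
    print("code shown to merchant:", code)
    print("issuer accepts:", issuer.verify("Delta Airlines", 23400, d, code, today=d))
    print("replay accepted:", issuer.verify("Delta Airlines", 23400, d, code, today=d))
```

The code is only as good as the display: the whole point of the scheme is that the holder approves the merchant name and amount that the chip will sign, so a reader that shows one amount and signs another defeats it, which is the concern raised about compromised readers later in the thread.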


I see three problems.

> most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.

This means you can only make online purchases easily and securely at home. If I want to be able to make purchases at someone else's computer, an insecure back door must necessarily be left open even when you're not away.

> To authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your pin.

This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.

> You then get a cryptographic authorization code to type into online banking.

This seems like a huge burden. Physically typing in long cryptographic codes? Do people actually subject themselves to this?

Thanks very much for the perspective.

EDIT: I retract the second criticism for reasons explained below.


> This means you can only make online purchases easily and securely at home.

Fair point - I had this problem when wanting to use Internet banking at work, but these pin readers are compact (smaller than an iPhone, marginally thicker) so I just keep mine in my bag now.

> This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.

Only if the reader itself is compromised (very unlikely with the small ones provided by banks for online banking, and pretty unlikely in a shop too). However, note that the PIN is useless without the card, because the crypto chip is on the card, and it can't be cloned by a reader.

> This seems like a huge burden. Physically typing in long cryptographic codes?

They are only 8 digits long. And yes, I don't want fraudulent use of my account so I don't mind.


> However, note that the PIN is useless without the card, because the crypto chip is on the card, and it can't be cloned by a reader.

Ahh. So then the merchant could only really make use of a pin (which it would have to do by compromising the pin reader--a tall order for small time crooks) if he also stole your physical credit card. I agree that this isn't much of a risk, and retract that criticism.


Someone wrote a criticism of the chip&pin system a while ago. I don't remember the link, but they were arguing that this system also had serious security flaws. The most memorable one was that while before people who held you up for your ATM card and PIN had to physically go to an actual ATM to see if the PIN you gave them worked, now they can get to work on you with a pair of pliers and a blowtorch until the card reader says "Pin OK" without risk of revealing themselves to an ATM camera. They claimed that this has already happened.


The fix for that, if we're remembering the same article, was simply to have the card reader display junk output instead of "bad pin". The bad output could then be entered into the bank website three times, and then block the account from there too.


Yes that would be possible. Only my card reader still says "pin ok".


> slightly less durable

That might be the deal-breaker here. People with wallets sit on their credit cards daily. I've split the plastic on mine a few times, even though I've gotten into the habit of taking my wallet out when I sit down.

Credit card purchase authorization over SMS might be more sturdy, although that has its own security considerations (I think this exists somewhere already though).


> That might be the deal-breaker here.

I would think it's surmountable, but point taken.

>Credit card purchase authorization over SMS might be more sturdy

How is this supposed to work? They send you a text, and you reply to confirm? The inability to make purchases without a signal seems fatal.

Thanks for the feedback.


> How is this supposed to work? They send you a text, and you reply to confirm? The inability to make purchases without a signal seems fatal.

Yes, that sounds about right. You have a mobile number associated with your account, and your bank texts you when you make a purchase. I don't think it would be required that you confirm every purchase - it would be more of a notification system. You could require it, but there's a balance of convenience and security that people are already used to.

As for not being able to purchase without a signal, I posit that in the case where you need to authorize purchases, it has the same limitations as your credit-card-communication concept :)


> As for not being able to purchase without a signal, I posit that in the case where you need to authorize purchases, it has the same limitations as your credit-card-communication concept :)

No, see that's the thing. With the right cryptography, the credit card itself can compute an authorization code. There's no need for the credit card to contact the credit card company. It's authorization from the consumer (by way of a button they press on the card), not from the card company, that is important.


There's an open secret in the Information Security industry (at least here in the UK), which is that the Payment Card Industry don't care about your security. What they care about is shifting as much of the liability onto the consumer, the merchant, anyone other than themselves as is possible.

We have a system in place here called Chip and Pin (http://en.wikipedia.org/wiki/Chip_and_PIN) which was supposed to protect people by requiring them to type in a personal PIN code. The only problem was that there were plenty of ways to commit fraud without knowing the PIN, and until new regulations came into force the banks would reject claims of fraudulent transactions and require the victim to prove that such transactions weren't fraudulent.

If you want to see how bad the card industry and banks can 'do security', just look here: http://www.cl.cam.ac.uk/research/security/banking/


VbV is badly broken, but the suggestions here miss one of the most important points. The use of an iframe means that users can't tell where VbV is coming from and can't be sure either that it is secured or that it's really coming from the bank.

This is just begging for copycat phishing and MITM attacks.


Yes, this article is long on alarmism and short on serious critique:

> The design of the form does not match the design of either the merchant or the issuing bank. The design looks ‘cheap’. It doesn’t look trustworthy.

> No telephone number. When a user sees a telephone number it gives them a feeling legitimacy. They may not phone, they just want to see the number just in case.

> The calls to action at the bottom of the page really don’t work. ‘Submit’ is rather generic and does not give an indication of the next step. ‘Cancel’ gives no indication what will happen next and really should be removed.

> There is still very little recognition by users. Visa and Mastercard have done a poor job of marketing and raising awareness.

> The text is American "Expiration date" should be "Expiry date"

> Once the customer has overcome all 11 of those issues they can purchase. 11 issues. 11 serious issues.

Serious issues? Let's tally: cheap design, no phone number, button names, lack of marketing, bad copy. These are not serious issues that make a technology "broken" -- at least, not in the sense that, say, MD5 is broken. The points about the phone number, cheap design, and lack of marketing should not even be in this list.

And then there is this gem, from the guy who is going to fix our "broken" security technology:

> Firstly, the URL, well that’s an easy one, embed the page within an iframe. It does of course mean one can’t check the security certificate but hey, who ever does this?

> About the author: Joe specialises in designing every aspect of the user experience from initial research to developing a robust, measurable online strategy to producing beautiful, easy to use wireframes and website information architectures.

Oh, I see.


You've taken a very specific definition of "broken", then decided that the article doesn't meet your definition, so the article is worthless?

If you're losing customers for a bit of security theater, I think "broken" is a pretty good term from the perspective of the retailer.


This is an important point. 3DS actually trains cardholders to trust web content whose identity/authenticity they cannot verify. At the very least, the third parties that host 3DS content should be serving their content from the Visa and Mastercard domain names. (Requesting the 3DS authentication inline with the merchant's checkout flow is a no-go, though, because the merchant site could be compromised.)

I'm reminded of how my credit card issuer contracts out transaction verification to a third party, so whenever I make a large purchase, I get a phone call originating from a 1-800 number that doesn't match the one on my card, and the first thing they ask from me is sensitive information.


The security is up to the bank. Some banks implement "something you have" security which mitigates the risk.

I have Australian and UK bank accounts. Both require Verified by Visa. The Australian account asks me to enter a single-use number from a battery-powered token. The UK account asks me to enter three randomly-selected digits of my password. The former is obviously immune to phishing attacks. The latter is not completely, but to get the complete password would require several sessions. Neither of them are immune to MITM attacks, but I'm not sure how MITM would help an attacker here: VbV authorises a transaction but doesn't allow you to place one. You can't do anything with the information you have snooped upon because it's single-use (in the first case) or because you don't have enough of the password (in the second case).


3DS being broken was known long before 3DS was finalized. It's not new. However, it's successful because of the security it brings to merchants. Merchants implement it because they get covered. It's the perception of security that works.

Until 3DS implements some out-of-band authentication, you won't have something secure. Implementing OoB auth isn't difficult, either. The technology has been around for a LONG time, with proven results.


Very similar to the analysis by Steven Murdoch and Ross Anderson published in January: see http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf


So, how common is the 3D Secure code on websites? I thought it was a local/European annoyance, since I haven't run into it outside EU webshops?

For instance, I've never had to put in my 3D Secure code on Amazon, BackBlaze, Syncplicity or ZumoDrive. The problem is that at least here in Finland, the only company (representing all the local banks) offering credit card processing practically requires 3D Secure unless you implement everything yourself (e.g. can't use their CC vault) - and no, unfortunately the US subscription API services don't work here, unless you somehow manage to get a merchant account in a UK bank.


I've always managed to not enable Verified by Visa on any of my credit cards, but another huge problem with it is that doing so is nearly impossible. Once you get redirected to that popup, it's very hard to not signup without canceling your transaction with the original merchant. Or getting dumped back to your shopping cart, trying to check out again only to get dumped straight back into Verified by Visa's signup process.

There doesn't ever seem to be a permanent opt-out, so anytime I want to buy something from a merchant that uses it, I have to hunt for the magic button to get around it again.


Every now and then when I purchase something from a Verified by Visa-"friendly" site (Newegg comes to mind), I often find that I'm able to complete the purchase without entering my password.

It's disturbing to say the least.


3DS doesn't work that way. It's not mandatory. Newegg isn't using it to fight friendly fraud. They are using it to fight actual fraud. You've done it once, why should they force it on you again? You are who you say you are, and if there is a problem with your purchase, they're confident that they can resolve it without a chargeback.


But then why bother using it at all? Do they assume that no one malicious could ever get into my account (for argument's sake)? If you're going to make me set a password, make me enter it each time I "use" your service. My gripe isn't with the vendors per se, but with how Verified by Visa and SecureCode operate.

I'd much rather type an extra password during the checkout process instead of being charged $700 for hardware and Windows Vista DVDs (thieves aren't always the brightest).


> But then why bother using it at all? Do they assume that no one malicious could ever get into my account (for argument's sake)? ... instead of being charged $700 for hardware and Windows Vista DVDs

You're making an awful lot of assumptions you shouldn't be making.

First, 3DS doesn't provide you any more security than you really had before. It helps the merchant secure their transactions, however. But even if someone did charge $700 to your card, it's an easy phone call to get it resolved. Not only this, but I'm sure Newegg would require another check if something was amiss with the transaction. Any sizable operation will work to make sure that legit users can make purchases as fast as possible with as little hassle, but that doesn't mean it's not verifying things in the background.

So why would Newegg use 3DS? Simple. They want to verify that a new account is who they say they are, and not a stolen card. You're a legit user. You make a purchase. Next time you come back, you'll probably be making the purchase using the same billing address and the same shipping address. Even if you didn't make the order, you'll call up Newegg to complain, and they'll work to refund the order and resolve the matter as quickly as possible.

But you as a cardholder have always been safe. A simple call to the bank, and "No, I don't recognize the transaction" and you get your chargeback and you owe no money. However, with 3DS, you can't just say it wasn't you. If the merchant doesn't provide the service, then yes, you can still get it. 3DS for legit users prevents them from committing friendly fraud.


I recall creating my password for Verified by Visa, but never successfully entering it again. It's never stopped me from getting the goods and getting charged, though.


I think I've ended up resetting the password every time I've bought something online.


Strange. I've never seen a VbV open a new frame or pop-up - it's always a series of redirects for me. Maybe it depends on what bank and/or payment gateway is being used.


Not really. It's usually the merchant implementation that decides how it's displayed. All the 3DS I've implemented have also recommended using iframes in their API.


Nothing in the article is actually a technical flaw - it's mostly UX. That's not to say the system is good, but I think the title is misleading. If you look at the paper "Chip and PIN is Broken" by Murdoch et al (http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5504...) they actually point out a MITM attack which is a technical vulnerability.


User experience flaws are technical flaws.


Wow. This is entirely different here in India. First of all, it has been made mandatory (it's slightly inconvenient). This is not implemented as a popup. It redirects to the Issuing Bank's website for verification. Signup should be done in the bank's site as well (e.g.: https://www.3dsecure.icicibank.com/ACSWeb/EnrollWeb/ICICIBan...).


Verified by Visa is a horrible, horrible implementation. I spent an hour in the bank last month trying to sort out why my company card wouldn't let us buy train tickets (VbV had my date of birth wrong for some reason). Oh yeah, if you have any problems with VbV you have to call an 0845 number, which, although only 5p a minute on my plan, soon adds up.


I have credit cards at a bunch of banks here in Russia and what they do is they send you a one-time password in a text message every time you make a purchase online. It's the same VbV/SecureCode window and everything but you don't get to create your own password.


I found this interesting because it provides helpful advice on how to handle 3DS as it currently is. It's a flawed system but it's not going away any time soon. In the meantime finding ways to make it suck less is all a merchant can do.


I wrote about this about a year ago. http://paddymullen.com/2009/05/21/yaron-shohat/


Best part? If you ignore it and never set it up, it still lets payments through (at least with Mastercard). I really, really wish they had an opt-out button...


For 3DS enabled sites in France (don't know if it's the same elsewhere) it sends you a code by SMS that you have to enter in the popup. I think this is a much better way. But I have to agree, the process is really not well thought out and as bad as it can be UX-wise.


The best way to fix it is to nuke it from orbit. It's the only way to be sure.



