
Even though there's no choice (here at least, when you want to use your Visa over the internet) I HATE, HATE, HATE the concept and here's why:

For starters I thought it was a phishing attack, when the frame popped up for the first time.

But the worst is that I don't feel it protects me, despite the marketing crap dished out by CC companies. The only reason is to protect Visa.

What happens if I book a flight at a badly infected internet cafe computer in Chiang Mai and a key logger reads my password?

"No, Mr. Zapp, our logs show irrefutable proof that your password was typed with suchandsuch transaction. Sorry, you're liable, you obviously didn't protect the password."

Scary stuff.

That is, in fact, the exact opposite of how the banks operate. You are limited to $50 in liability for any fraudulent transaction in your account that you report in a timely fashion, guaranteed by law (in the US at least), and every bank I am aware of waives the $50 for marketing purposes.

Essentially all financial risk for credit card transactions is borne by the merchants. (Which is one reason why the banks don't seem to do much about fraud -- why should they inconvenience their customers to protect someone off of the balance sheet who doesn't get a choice to not use their bank?)


While we are in public-service-announcement mode: I believe that the above protections are still a lot smaller for debit cards than credit cards. You still have $50 limit on liability with debit cards, but you must report the theft very quickly indeed and the thief is emptying your personal account in the meantime:

http://banking.about.com/od/checkingaccounts/a/stolendebitca...

This is why I never use a debit card for anything.

We now return you to your regular HN programming.


In defense of debit cards, in the event you do lose it and someone's emptying your account, your bank should still restore your funds after the theft. I say this because it happened to my wife; Chase's fraud prevention kicked in after about $300, all of which was refunded as soon as she figured out what had happened.


Thanks, good to know. I've been waiting for these policies to kick in as debit cards become more popular.


It has actually been that way for a while. Back about 9-10 years ago someone used my wife's debit card number and after reporting it the bank restored the funds.


I lost a little over £1000 from my debit card once; the bank did refund it but it took 5 internal forms, a police fraud report and a month to get the money back.


It's worth noting that the mere _existence_ of a debit card on a checking account still opens a fraud vector, even if you never use it. If the physical card is stolen, or the bank has a security breach where the number is obtained, those are both enough information to make fraudulent transactions. Of course, using a debit card will greatly enlarge the attack surface, but not using it does not make you immune.


Back before the "cvv" number on the back of the card you could download a bit of software off the net that would generate random account numbers with valid ICA/BIN and check digit. You just picked the name of the bank you wanted the card to appear to be from.
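The "check digit" this comment refers to is the Luhn (mod 10) checksum, and the reason it never stopped anyone is that it is a public typo check, not a secret. The following is an added illustration, not code from the thread; it validates the checksum and the leading issuer prefix (BIN) over a few widely published test numbers, showing what the digit catches (a mistyped or transposed digit) and what it cannot (whether an account exists at all).

```javascript
// Added example, not code from the thread: Luhn check-digit validation.
// The checksum is public and only guards against typos, so a number that
// passes it says nothing about whether the card was ever issued.

// Strip spaces and dashes; accept only 12-19 digit strings, else return null.
function normalizePan(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// Luhn (mod 10): walking from the rightmost digit, double every second digit,
// subtract 9 from any doubled value above 9, and require the total to be a
// multiple of 10.
function luhnValid(input) {
  const pan = normalizePan(input);
  if (pan === null) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = pan.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Issuer identification number (the ICA/BIN prefix): the leading six digits.
// Also public, so it only tells you which issuer the number claims to be from.
function bin(input) {
  const pan = normalizePan(input);
  return pan === null ? null : pan.slice(0, 6);
}

// What the checksum catches and what it does not. The sample PANs are
// widely published test numbers, not real accounts.
function luhnDemo() {
  const testPan = "4012 8888 8888 1881";
  return {
    testPanPasses: luhnValid(testPan),                      // true, yet no such account exists
    lastDigitTypoCaught: !luhnValid("4012 8888 8888 1882"), // true: one digit changed
    transpositionCaught: !luhnValid("4021 8888 8888 1881"), // true: "12" swapped to "21"
    garbageRejected: !luhnValid("4012-not-a-card"),         // true: not a digit string
    bin: bin(testPan),                                      // "401288"
  };
}
```

Run `luhnDemo()` to see the four outcomes side by side; the first one is the whole point of the comment above: a number that checksums correctly is indistinguishable, at the checksum level, from an issued card, which is why the CVV and later 3D Secure were layered on top.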


This is not quite true in the context of 3D Secure.

You are correct in that this is how banks operated before 3D Secure. They shift all the fraud liability onto the hapless merchant and then charge them through the nose (with both the amount and the chargeback $35, as well as a potential disabling of the merchant account if it has more than 1% of fraud - which is easier to achieve than you'd think, especially if you're low-volume, e.g. if you're a small business or startup).

The purpose of 3DSecure is to "fix" this situation in favour of the merchants. Do the card companies (VISA & Mastercard, basically) now take on liability for fraud? OF COURSE NOT. With 3D Secure, they have shifted the liability from the merchant straight to the issuing bank, which can choose whether to pass it on to the cardholder, and sometimes does. It's really entirely up to them. Also, it's worth pointing out that a lot of credit card fraud is only detected months later, so "in a timely fashion" may be excessively difficult to achieve.

Now, the question to ask is, who actually benefits from 3DSecure?

- The merchants

That's it. Who bears the burden of getting everyone to sign up to 3DSecure?

- The issuing banks

Who stands to lose money if the merchants are protected?

- The issuing banks

In view of this, it's no surprise that implementations are shoddy and many people are not signed up. Why would the issuing banks want to push a scheme that makes them lose money?


This. The main driver of 3DS, as I understand it, is to sell a service to merchants which promises to lower their costs related to fraud liability. Additional security for cardholders would have been a side effect, had 3DS actually been a good security scheme.

In defense of Visa, et al, this is hard to get right. Take, for example, SET, which uses PKI and is probably much more secure, but is impractical to implement:

http://en.wikipedia.org/wiki/Secure_Electronic_Transaction


The first time I saw VbV I checked the frame URI. When it came up as securesite.net I phoned up the merchant to tell them their site had been hacked. It’s unbelievable that they thought that was a good idea.


Having the word 'secure' as part of the domain name is the same type of nonsense as putting a GIF image of a padlock in the page content. Guarantees nothing and promotes ignorance about how things actually work.
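The two comments above amount to a checking procedure: look at where the frame actually points, and do not let a reassuring word in the hostname stand in for that check. Here is an added example (not code from the thread, any issuer or any payment provider) that puts the eyeball test and a proper origin check side by side. The allowlisted hostnames are constructed placeholders; a merchant would substitute the hosts its payment provider documents.

```javascript
// Added example, not code from the thread: is a payment frame's address one
// you expect? The allowlist below is a constructed placeholder.
const EXPECTED_FRAME_HOSTS = new Set(["acs.issuer-bank.example", "3ds.psp.example"]);

// The check people tend to make by eye: https plus "secure" somewhere in the
// address. This is the padlock-GIF of URL checks and proves nothing.
function looksSecureNaive(frameUrl) {
  return /^https:/i.test(frameUrl) && /secure/i.test(frameUrl);
}

// The check that actually means something: parse the URL, require https and
// an exact hostname match against a short allowlist.
function frameOriginAllowed(frameUrl, allowed = EXPECTED_FRAME_HOSTS) {
  let url;
  try {
    url = new URL(frameUrl); // throws on malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return allowed.has(url.hostname.toLowerCase());
}

// Compare both checks over a few constructed addresses.
function compareChecks() {
  const samples = [
    "https://acs.issuer-bank.example/3ds/challenge",        // allowlisted host
    "https://securesite.net/vbv",                            // the kind of host the comment above saw
    "https://acs.issuer-bank.example.secure-pay.example/",   // allowlisted name buried in another site's subdomain
    "http://acs.issuer-bank.example/3ds/challenge",          // right host, no TLS
  ];
  return samples.map((u) => ({
    url: u,
    naive: looksSecureNaive(u),
    strict: frameOriginAllowed(u),
  }));
}
```

`compareChecks()` returns one row per sample; the naive check passes the second and third addresses, the strict one passes only the first. Exact hostname matching (rather than substring or suffix matching) is what defeats the third case, where the expected name appears as a subdomain of an unrelated site.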


I'm happy I have some choice. With my bank I can refuse to enable it for my VISA, and there are some merchants I use where I can choose to use Secure3D or not when paying.

It's unfortunately obvious that the CC companies are pushing this as hard as they can, with no concern for customers, banks or merchants. :-/


What happens if I book a flight at a badly infected internet cafe computer in Chiang Mai and a key logger reads my password

Does VbV make this any worse? It's very difficult to protect against (other than "never use untrusted computers").


This is why two-factor authentication should be required.


When making a payment? I love the idea of forcing two-factor auth for online banking, but if it was required every time I wanted to spend £5 at a bookstore I think it could get pretty irritating.
