
This is an important point. 3DS actually trains cardholders to trust web content whose identity/authenticity they cannot verify. At the very least, the third parties that host 3DS content should be serving their content from the Visa and Mastercard domain names. (Requesting the 3DS authentication inline with the merchant's checkout flow is a no-go, though, because the merchant site could be compromised.)

I'm reminded of how my credit card issuer contracts out transaction verification to a third party, so whenever I make a large purchase, I get a phone call originating from a 1-800 number that doesn't match the one on my card, and the first thing they ask from me is sensitive information.



