Communications of the ACM
Researchers Criticize 3D Secure Credit Card Authentication
An example of a 3DS phishing site.
Credit: Heise Media
University of Cambridge Computer Laboratory researchers Steven J. Murdoch and Ross Anderson contend in a paper that the 3D Secure (3DS) credit card authentication system branded as the MasterCard SecureCode and Verified by Visa schemes is deeply flawed. The researchers call attention to a number of vulnerabilities.
For instance, the mechanism used to display the 3DS form is incorporated within an iframe or pop-up with no address bar, leaving no clue as to the form's origin. This conflicts with banks' recommendation to customers to avoid phishing sites by only entering bank passwords into sites they can identify as the bank's own site. The initial password entry process that takes place the first time a cardholder uses a 3DS-enabled card to shop online also is a point of criticism, as the user is asked to enter a new password as part of the process of facilitating the purchase. Murdoch and Anderson argue that the timing of this request is wrong, as the shopper is probably more interested in the transaction than security and is more likely to select a weak password.
The paper cites the single sign-on model that the 3DS system deploys as inappropriate, and says that it should be supplanted by a transaction authentication system in which a user receives a SMS message asking for an authorization code from the shopper.
From Heise Online (United Kingdom)
View Full Article
Abstracts Copyright © 2010 Information Inc., Bethesda, Maryland, USA 
No entries found