Verified by Visa and MasterCard SecureCode: Or, How Not to Design Authentication
Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge.
KeywordsAuthentication Protocol Online Banking Bank Customer Secure Electronic Transaction Academic Scrutiny
Unable to display preview. Download preview PDF.
- 1.3-D Secure system overview, https://partnernetwork.visa.com/vpn/global/retrieve_document.do?documentRetrievalId=119
- 3.APACS. 2008 fraud figures announced by APACS (March 2009), http://www.ukpayments.org.uk/media_centre/press_releases/-/page/685/
- 4.Bohm, N., Brown, I., Gladman, B.: Electronic commerce: Who carries the risk of fraud? The Journal of Information, Law and Technology 2000(3) (2000)Google Scholar
- 7.EMVCo, LLC. EMV 4.1 (June 2004), http://www.emvco.com/
- 8.Internet Retailer. Verified by Visa security program used as bait in phishing scams (January 6, 2005), http://www.internetretailer.com/dailyNews.asp?id=13764
- 9.Varco, J.: Verified by Visa update, http://www.barclaycardbusiness.co.uk/information_zone/customer_forum/pdf/1315_jon_varco_visa.pdf