Verified by Visa and MasterCard SecureCode: Or, How Not to Design Authentication

(Short Paper)
  • Steven J. Murdoch
  • Ross Anderson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6052)


Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge.


Authentication Protocol Online Banking Bank Customer Secure Electronic Transaction Academic Scrutiny 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    RBS Secure Terms of Use (December 2009),
  3. 3.
    APACS. 2008 fraud figures announced by APACS (March 2009),
  4. 4.
    Bohm, N., Brown, I., Gladman, B.: Electronic commerce: Who carries the risk of fraud? The Journal of Information, Law and Technology 2000(3) (2000)Google Scholar
  5. 5.
  6. 6.
    Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to fail: Card readers for online banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    EMVCo, LLC. EMV 4.1 (June 2004),
  8. 8.
    Internet Retailer. Verified by Visa security program used as bait in phishing scams (January 6, 2005),
  9. 9.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Steven J. Murdoch
    • 1
  • Ross Anderson
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeUK

Personalised recommendations