3D (in)Secure
It’s not news that the 3D Secure system that gets branded as ‘Verified by Visa’ is a steaming pile of something that should be scraped off shoes rather than presented on screens. Ben Laurie was the first serious voice of dissent (that I noticed), but then along came Ross Anderson and Steven Murdoch to ensure that we were left in no doubt – how online card security fails [paper].
There is however an insidious problem that none of these worthy security researchers seem to have noticed, which is that the system doesn’t deal with additional cards.
It’s common practice for couples to have joint bank accounts, but there’s not really such a thing as a joint credit card. With credit cards there’s an individual cardholder, and there can be additional cards. My wife has a number of these additional cards that she considers to be joint, but they aren’t (even if they’re paid from our joint account) – I’m the cardholder. This is where 3D Secure breaks down (again), as purchases made with additional cards (e.g. by my wife) lead to a request for authentication by the cardholder (i.e. me). If I’m not there to type in my password then she can’t buy stuff online, which is kind of inconvenient.
Of course I’m sure that many couples just share their 3D Secure password; this is, after all, what the banks tell them to do. Sadly it’s also directly in contravention of the terms and conditions:
FAQ – ‘Only the primary cardholder can enrol with xxx Secure. All other additional cardholders on the same account should use the same login and password as established by the primary cardholder.’
Ts&Cs – ‘You are responsible for keeping your password and username secret. You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or let anyone else know your password or username, and the fact that they are for use with this service.’
I’m sure that the banks don’t care much about this obvious conflict. As Ross and Steven point out, the whole purpose of the scheme is to pass liability to the customer, and of course that customer becomes more liable the moment they break the Ts&Cs (even if the FAQ tells them to).
Clearly whoever contrived the system (as it would be foolish to say that it was designed) forgot to have a conversation with a business analyst about additional cardholders.
Another perspective here – Verified by Visa and Mastercard SecureCode are broken and need to be fixed