Friday 29 January 2010

Security researchers blast credit card verification system

Some credit card companies use a system called 3-D Secure (3DS) that adds an extra step to transactions that are carried out on the Internet. Visa and MasterCard tout their security, but researchers are questioning their efficacy.

When making a purchase, online shoppers are confronted with a validation check that requires them to supply a password—in addition to the standard security code that is on the card itself—in order to prove that they are the real owner of a credit card. Systems built on 3DS are better known by their brand names, which include Verified by Visa and MasterCard SecureCode.

Security researchers say that these validation systems—which are used by over 200 million cardholders—suffer from serious security deficiencies. Although the failings of 3DS and its lack of conformance with best practices are well-documented, it has still been widely adopted by online retailers because it allows them to deflect the liability for fraud back to the credit card companies.

Some of the credit card companies take advantage of 3DS by wrapping their implementations of the validation system in draconian terms of service that force users to agree to accept full liability for credit card fraud. To make matters worse, some retailers don't allow consumers to opt out. The 3DS Activation During Shopping (ADS) functionality often ropes in users and gets them to sign up without fully realizing what they are doing.

In a paper presented at the Financial Cryptography conference, researchers Ross Anderson and Steven Murdoch reveal the dark underbelly of 3DS and show how the service is detrimental to consumers.

"From the engineering point of view, [3DS] does just about everything wrong, and it's becoming a fat target for phishing," wrote Anderson in an entry at the University of Cambridge security research blog. "This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure."

The standard method of integrating 3DS verification in a website involves using HTML iframes. This is highly problematic, because it means that users won't be able to rely on the security features of their browser—such as certificate highlighting in the browser URL bar—to easily distinguish between phishing sites and legitimate 3DS verification. The inability to visually ascertain whether the certificate is valid exposes users to the risk of man-in-the-middle attacks.

Another problem with 3DS highlighted in the report is that it fails to specify a consistent mechanism for verification. Individual implementors are free to determine the means of verification on their own, and often make poor choices. For example, the report says that one bank requires cardholders to enter their ATM PIN during the verification process. This is shoddy security practice that encourages consumers to adopt risky habits, exposing them to significant risk from phishing scams.

Fixing the problems

The widespread and growing adoption of 3DS is difficult to combat because it offers built-in incentives for merchants and banks by making it easy for them to shift liability to the consumer. The researchers say that the time has come for better technology and regulatory intervention.

Financial institutions have aggressively embraced the concept of electronic passwords in some countries—such as the UK—because passwords aren't covered by the laws that protect consumers from the consequences of transactions that are carried out with forged signatures. The security researchers say that the banks should only get to shift the liability to the consumer when transactions are validated by a trustworthy payment device—a piece of hardware, similar to a CAP calculator, that connects to the user's computer and implements a two-factor authentication model.

Further reading

* Paper (PDF) (cl.cam.ac.uk)
* PCWorld (news.yahoo.com)

By Ryan Paul
http://arstechnica.com
