Evan Schuman, Editor of StorefrontBacktalk.com, released the full text of the recent Cambridge Report that, in no uncertain terms, states that: Verified by Visa is a "Textbook Example of How NOT to Design an Authentication Protocol"
If you are unfamiliar with Evan's blog, take a moment to visit. I've provided a link (title of post) to StorefrontBacktalk below:
Full Text Of Cambridge Report On Verified by Visa and MasterCard SecureCode
Written by Evan Schuman, today, February 6th, 2010
Verifed by Visa and MasterCard SecureCode: or, How Not to Design Authentication
Steven J. Murdoch and Ross Anderson: Computer Laboratory, University of Cambridge, UK
Editor's Note: Way back, In October 2008 I posted a story from The Register regarding the the lack of protection afforded Verified by Visa users. Is Verified by Visa also Verified by Hackers? Here's what they had to say about VbV back then. I dug it back up and am republishing a comment that stuck in my head at the time.
Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.
The issue has been noted, and commented on in the blogosphere as far back as June 2008, but has received little attention in the mainstream media, despite the obvious security implications.
Editor's Note from October 2008: The more I learn about securing a transaction on the web, the more I realize how unsafe many transactions actually are. Here's an interesting article in the Register regarding Visa's supposedly more secure program designed to fool cardholders into thinking their transactions are more secure. They call it "Verified by Visa." Caveat: First it has to verified by consumers, (by typing into a web browser) which means it can also be keystroke logged and "Verified by Hackers." (VbH?)
"VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction".
Since card information is can be bought online for as low as $2.50, "Stolen Card Info Plunges to $2.50 in Black Market" and obtaining a DOB is so easy a caveman could do it, it's looking like VbV is more of a marketing ploy than of any real value when it comes to protecting the security of an online transaction. What I found even more interesting was Visa's declination to comment about the story which the Register tells us at the end of this article:
VbyV password reset is childishly simple • The Register
Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme. But unlike robust authentication techniques, hackers don't have a hardware token generating one-time passwords to worry about - it's just more of the same.
And since card details + CVV number is no longer considered as secure enough then it's hard to see how card details + CVV number + VbyV login is any more robust. Much was made of how easy it was for a hacker to reset Sarah Palin's webmail account password and gain illicit access to emails, but resetting passwords for Verified by Visa - which supposedly makes online transactions more secure is arguably even easier. To reset Palin's email account a hacker needed to know the Republican VP candidate's birth date, her zip code and the answer to a secret question on where she met her husband. Resetting a Verified by Visa password, by contrast, requires only card details (got $2.50?) and a date of birth.
Register commenter Anthony explains. Verified by Visa (VbV) allows anyone who has the credit card number in their hands to set a new password for VbV with just the card details and the card owner's date of birth. Since the latter is trivial to discover for most people, this adds almost no additional security to the process.
Register reader Jusme reports the same issue. Verified by Visa is one of the reasons I no longer use Barclaycard. Pretty much every time I had to use it the password was not recognised and I had to "reset it", which just meant entering my DOB and a new password, hardly very secure.
Online shoppers who buy goods and service with participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank. Punters aren't informed up front that a merchant has signed up to Verified by Visa. Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine. The appearance of phishing attacks hunting for Verified by Visa passwords are among the reasons some punters are wary of the technology. Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery,
An anonymous commenter to our original stories agrees:
Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.The issue has been noted, and commented on in the blogosphere as far back as June, but has received little attention in the mainstream media, despite the obvious security implications.
Read more: http://pindebit.blogspot.com/2008/10/is-verified-by-visa-also-verified-by.html#ixzz0emaZgxJW
