Verified by Visa bitchslapped by Cambridge researchers (go.theregister.com)
A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.
The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.
As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.
That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.
One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.
The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.
Continue Reading at PC World
Here's More: (gotta love the title)
Secondary credit card security systems for online transactions such as Verified by Visa are all about shifting blame rather than curtailing fraud, Cambridge University security researchers argue.
The 3D Secure system - branded as either Verified by Visa or MasterCard SecureCode - has become a ubiquitous extra line of security for many online transactions, with over 200 million cardholders registered. The number of merchants who insist that users submit an additional password and re-submit a CVV code in order to authorise a transaction makes it hard to shop online without using the technology.