This week, the 2010 Financial Cryptography conference is being held in Tenerife. The
papers to be presented are likely of interest to the Finextra audience. Unfortunately, most are not available online, but searching for the title might show up a copy on the authors' home page.
My paper at FC'10 is on the security of Verified by Visa and MasterCard SecureCode (i.e. the 3-D secure protocol). My co-author, Ross Anderson, wrote:
"Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million
cardholders registered. It’s getting hard to shop online without being forced to use it.
In a paper I’m presenting today at
Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the
Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So
this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem"
Further comments about this paper can be found on
Light Blue Touchpaper. Frank Stajano has also
blogged about his paper, on using multiple channels to resist relay attacks.