Blog article
See all stories »

3D, 2D or 1D Secure?

Thanks to all those who responded to my earlier comments about card security. It seems there are different implementations of Verified by Visa and MasterCard SecureCode. Some issuers request only a number of characters from your password to verify the transaction whereas others ask for the full password.


Some issuers also annoyingly set certain password standards so a password may have to include both upper and lower case letters as well as numerals and characters.  While they think that this makes the password more secure in fact the reverse is true. The more complex the password the more likely the user will have to record it thus making the additional complexity self defeating.


Passwords aside I received a disturbing letter from the Co-operative Bank this week about their implementation of Verified by Visa.  It said that they were going to register me for VbV in a month's time and would set my established "memorable name" as the password. While I'm happy that they are joining VbV I'm not happy about the way they're doing it.


Firstly my "memorable name" isn't really secure since I have to speak to a member of Bank staff to set it. Secondly, and I called Co-op to raise my concerns about this, there seems to be no stage in the process where I can set a validation phrase or personal message. This means that whenever I use Verified by Visa I have no way of confirming that the VbV window I am using is genuine and not spoofed. The employee I spoke to kept saying that it was OK because I would be diverted to the Co-op's website to input my password. She couldn't understand that without a validation phrase displayed I couldn't be sure that this was their site and wouldn't be entering any password!


In theory 3D Secure is a good system but it seems to me that the various ways in which banks are implementing it leave it open to fraud.



Comments: (4)

A Finextra member
A Finextra member 09 November, 2008, 00:37Be the first to give this comment the thumbs up 0 likes

The conclusion?

It just isn't secure, it is not easy to use and the customer just gets confused.


Paul Penrose
Paul Penrose - Finextra - London 09 November, 2008, 11:06Be the first to give this comment the thumbs up 0 likes

Couldn't agree with you more Michael. it's a total lash-up with different rules and conventions applied by different banks and merchants. This kind of haphazard introduction smacks of desperation and panic measures. Where are the standards when you need them?

A Finextra member
A Finextra member 10 November, 2008, 15:34Be the first to give this comment the thumbs up 0 likes

The real problem is that a lot of bank employed security people are little more than electronic door lockers and badge checkers.     

Michael Fuller
Michael Fuller - None - London 19 November, 2008, 16:48Be the first to give this comment the thumbs up 0 likes

Well Visa have now responded to my concerns saying:

"The Verified by Visa service is offered to Cardholders and Merchants by Visa's Member banks and financial organisations. Please note that Visa Europe does not regulate the data standards that members use. We recommend best practise but ultimately at this moment in time issuers are able to decide which data elements they hold and are therefore able to use in this process. Different issuers use different type of data to authenticate."

So I've now asked them why if the service bears the VISA brand they don’t set standards for security the same way they no doubt do for branding. So far silence…..

The VISA response holds out a little hope though in referring to “at this moment” which suggests they may regulate data standards.

Come on VISA (and MasterCard) the time is now!