Current authentication methods proposed by payment schemes are a joke for fraudsters. Not only is the credential information static, it is also very easy to obtain on the web.
The fact that the code is static makes it replayable: once found, the fraudster can use it several times until he gets caught (if he gets caught at all).
The fact that it is an easy-to-get static passcode makes it even easier. The fraudster has the choice between phishing the static credentials or making a deal with a friend, asking him for his VBV or UCAF/SPA credentials and then disputing all the charges with the issuing bank afterwards.
Registration methods used by VBV or UCAF/SPA ask the user to enter a static password. So far, I have been asked a few times to fill in personal information, such as my birthdate. And each time it made me laugh. What is easier to find than a birthdate, with all the social networks available today?
Not only this, but what prevents a fraudster from asking a friend to register a valid card with VBV or UCAF/SPA, pass him these credentials, let him perform several online payments with merchants that use VBV or UCAF/SPA, and then have the friend dispute all these online payments with the issuing bank? How can the bank prove that the cardholder was part of the fraudulent action? There is simply no way.
Either the security system makes sure that the user, and only the user, can perform a transaction, or it becomes not only useless but also dangerous for cardholders and issuing banks.
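The replay problem above can be made concrete with a small simulation. This is an added example, not code from the post or from any payment scheme: it models a static VBV/UCAF-style passcode check next to a hypothetical per-transaction challenge, where the cardholder's device proves possession of a key by computing an HMAC over the transaction details and a fresh nonce. The class and function names, the message format and the shared device key are all assumptions made for illustration; they are not the real 3-D Secure protocol.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    merchant: str
    amount_cents: int


class StaticPasscodeVerifier:
    """Models the static-passcode scheme: the same secret is presented for every purchase,
    so anyone who has seen it once can present it again."""

    def __init__(self, passcode: str):
        self._passcode = passcode
        self.approved = []

    def verify(self, txn: Transaction, presented: str) -> bool:
        ok = hmac.compare_digest(presented, self._passcode)
        if ok:
            self.approved.append(txn.txn_id)
        return ok


def compute_proof(device_key: bytes, txn: Transaction, nonce: str) -> str:
    """Hypothetical proof: HMAC-SHA256 over the transaction details and the issuer's nonce.
    The cardholder's device and the issuer both compute it from the shared key."""
    msg = f"{txn.txn_id}|{txn.merchant}|{txn.amount_cents}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TransactionBoundVerifier:
    """Models a transaction-bound challenge: each proof is tied to one transaction and one
    nonce and is accepted at most once, so a captured proof is useless elsewhere."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}   # txn_id -> nonce still awaiting a proof
        self.approved = []

    def issue_challenge(self, txn: Transaction) -> str:
        nonce = secrets.token_hex(16)
        self._pending[txn.txn_id] = nonce
        return nonce

    def verify(self, txn: Transaction, proof: str) -> bool:
        # pop() retires the nonce, so a second submission for the same txn has nothing to match
        nonce = self._pending.pop(txn.txn_id, None)
        if nonce is None:
            return False
        if not hmac.compare_digest(proof, compute_proof(self._key, txn, nonce)):
            return False
        self.approved.append(txn.txn_id)
        return True


def replay_demo() -> dict:
    """Constructed scenario: an attacker has captured one authentication from the cardholder
    and replays it against new purchases under each scheme."""
    purchases = [
        Transaction("t1", "shop-a", 4999),
        Transaction("t2", "shop-b", 12000),
        Transaction("t3", "shop-c", 350),
    ]
    results = {}

    # Static scheme: the captured passcode approves every later purchase.
    static = StaticPasscodeVerifier("birthdate1980")  # constructed weak passcode
    captured_passcode = "birthdate1980"
    results["static_replays_approved"] = sum(
        static.verify(p, captured_passcode) for p in purchases)

    # Transaction-bound scheme: the legitimate device answers one challenge correctly.
    device_key = b"constructed-shared-device-key"
    bound = TransactionBoundVerifier(device_key)
    nonce_t1 = bound.issue_challenge(purchases[0])
    captured_proof = compute_proof(device_key, purchases[0], nonce_t1)  # device's answer
    results["bound_legit_approved"] = bound.verify(purchases[0], captured_proof)

    # Replaying the same proof for the same transaction: nonce already retired.
    results["bound_replay_same_txn"] = bound.verify(purchases[0], captured_proof)

    # Replaying it for a different transaction: the proof was bound to t1's details.
    bound.issue_challenge(purchases[1])
    results["bound_replay_other_txn"] = bound.verify(purchases[1], captured_proof)

    return results


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

The static verifier approves all three replays, while the transaction-bound verifier approves only the one proof the device computed for its own challenge. Binding the proof to the amount and merchant also gives the issuer something to point to in a dispute: an approved proof could only have been produced by the enrolled device with knowledge of that exact transaction, which the static scheme can never show.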
Feel free to leave your comments and feedback.
Cédric Pariente, CEO of B32TRUST