20 February 2018
Steven Murdoch

Steven Murdoch - University College London

Verified by Visa and MasterCard SecureCode

27 January 2010

This week, the 2010 Financial Cryptography conference is being held in Tenerife. The papers to be presented are likely of interest to the Finextra audience. Unfortunately, most are not available online, but searching for the title might show up a copy on the authors' home page.

My paper at FC'10 is on the security of Verified by Visa and MasterCard SecureCode (i.e. the 3-D secure protocol). My co-author, Ross Anderson, wrote:

"Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.

In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem"

Further comments about this paper can be found on Light Blue Touchpaper. Frank Stajano has also blogged about his paper, on using multiple channels to resist relay attacks.


Comments: (5)

Stephen Wilson - Lockstep Group - Sydney | 29 January, 2010, 03:00

Steven Murdoch and Ross Anderson raise many good points, including the phishability of 3D Secure, and the way it will train people to stray from standard security advice.

One quibble: I wouldn't call 3D Secure a "Single Sign On" system. If I have two Visa cards from different issuers, then my 3D Secure experiences will not interoperate, and will look and feel quite different, because as the authors point out, the real time authentication mechanism is left to the choice of the issuer.

They're right of course that economics trumps security in this exercise.  Yet there's still a stark architectural question that begs answering in all this.  What really necessitated such a radical change to the decades old Four Party card settlement model? 

An important feature of the Four Party model is that it means customers’ transactions are distanced from the issuer; as the authors say, this is good for customer privacy.  It’s also architecturally elegant for payment information to flow between cardholder and merchant in real time, and between acquiring bank and issuing bank in batch time.

In contrast, 3D Secure joins the cardholder to their issuer in real time, to effect the authentication step. This forces unusual and inconsistent behaviour onto the user, creates bottlenecks, and probably creates new vulnerabilities due to the sheer complexity and novelty. 


Steven Murdoch - University College London - London | 29 January, 2010, 17:40

Hi Stephen,

Thanks for your comment. I think the architectural change to the four-party model which 3DS introduces is a useful insight. Your point about whether 3DS is single sign-on is also interesting, so I have published a separate blog post on this question.


A Finextra member | 01 February, 2010, 14:47

What is most telling about 3D Secure is that it merely adds a layer of complexity rather than get to the root of the problem in the CNP space: "is John Smith using John Smith's payment card?".

People point to the low fraud numbers with VbV and MSC as proof positive the system works, the fact is that as only 200 million people (perhaps less) use the system the feeding grounds for hackers is too small for them to start poaching. 

PayPal went from being the most secure payment system to the most hacked as its numbers grew, making it a more attractive target for hackers who need a lot of activity to mask their work. The same will happen to 3D Secure.

The holy grail is for a CNP anti-fraud system to offer the same level of protection as a customer walking into a shop, presenting his payment card and proof of identity before the merchant gives him his purchases.

In the interests of full disclosure, my company GenMobi Technologies will be unveiling later this year a new technology that will offer a more secure verification that "John Smith using John Smith's payment card" without the need for the consumer to memorize PINs or passwords.

Steven Klebe - Google - Mountain View | 01 February, 2010, 18:16

Just to clarify, there are a lot of people who read Finextra, like me, from the US.  Neither of these programs have gained serious adoption here.  The banks stopped promoting it actively years ago.  Something like ~5% are enrolled but that includes people like me who did it once and now avoid it like a root canal.  Just the other day, I was buying my daughter a plane ticket on Jet Blue and when I noticed they supported VbV, I simply switched and paid with my Discover Card.  It was easier to do that than remember what my password from 4 years ago might be for my Visa card.

There has been a lot of talk in the last 2-3 years of updating the program to default to risk based authentication, mostly behind the scenes, rather than interrupting the check-out experience.  Some issuing banks are now supporting this approach whereby the consumer, enrolled or not, would only see the authentication frame if some attribute of the tx looked suspicious like cardholder from US and IP from Singapore.  This would work like many of the 3rd party fraud screening solutions work.

Dr Steven J. Murdoch is a Royal Society University Research Fellow in the Information Security Research Group of University College London, working on developing metrics for security and privacy.
