The 3-D Secure protocol adopted by banks and card schemes under the Verified by Visa and MasterCard SecureCode banners has been branded by Cambridge University academics as "a textbook example of how not to design an authentication protocol" by ignoring good design principles and presenting "significant vulnerabilities".
In a paper submitted to the Financial Cryptography Conference in Tenerife, Spain, Cambridge researchers Ross Anderson and Steven Murdoch say 3-D Secure has "lousy technology", but triumphed over better authentication schemes by getting the economics right.
The protocol has been widely adopted by online merchants, many of which insist on using it for card authentication at the check-out. Strong economic incentives have fostered the practice by pushing liability for fraudulent transactions back on to merchants who refuse to participate. As a consequence, the scheme now has hundreds of millions of registered users.
Anderson and Murdoch say inconsistent implementation at the merchant and bank end confuses customers and undermines standard industry advice on phishing avoidance. Verified by Visa has also been shown to be vulnerable to criminal attacks, as the password can be reset simply by knowing a cardholder's card details and date of birth.
The Cambridge researchers suggest a number of alternative technical approaches to improve the scheme and are calling on the EU and bank regulators to step in and intervene on behalf of consumers. Further details and links to the presentation can be found in a blog post by Finextra Community member Steven Murdoch.