Credit card verification systems 'not secure'

Posted by Emma Woollacott

The Verified by Visa and MasterCard SecureCode credit card checks are fundamentally flawed, according to security researchers.

The 3-D Secure protocol, which underlies both, "might be a textbook example of how not to design an authentication protocol," say Steven Murdoch and Ross Anderson of the University of Cambridge Computer Lab in a research paper.

"It ignores good design principles and has signicant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics.

"While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts."

The main problem, they say, is that the system trains shoppers in bed habits. There's no visual verification for the buyer that their password is being protected.

In addition, they say, the system is also vulnerable to phishing. The password activation process is flawed, as only poor authenticators are used, such as birthdate - often easily discoverable by fraudsters.

"What's needed now is for regulators to intervene on behalf of the consumer," say the authors, calling for the EU to go one step further than planned and make secure electronic signatures compulsory.