3-D Secure

From Wikipedia, the free encyclopedia

3-D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure.

3-D Secure adds another authentication step for online payments. Merchants are encouraged to use 3-D Secure to achieve higher coverage against fraud losses. When a merchant does not use 3-D Secure they are liable for fraudulent transactions even if the transaction was properly authorized.

3-D Secure should not be confused with the Card Security Code which is a short numeric code that is printed on the card.

Contents 1 Description and basic aspects of the protocol 2 Implementing the protocol 3 ACS providers 4 MPI providers 5 Merchants 6 Buyers/credit card holders 7 Criticism 7.1 Verifiability of site identity 7.2 Password set-up and reset weaknesses 8 See also 9 References 10 External links

[edit] Description and basic aspects of the protocol

The basic concept of the protocol is to tie the financial authorization process with an online authentication. This authentication is based on a three domain model (hence the 3-D in the name). The three domains are:

• Acquirer Domain (the merchant and the bank to which money is being paid).
• Issuer Domain (the bank which issued the card being used).
• Interoperability Domain (the infrastructure provided by the credit card scheme to support the 3-D Secure protocol).

The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).

A transaction using Verified by Visa/SecureCode will initiate a redirect to the website of the card issuing bank to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this) but typically, a password-based method is used, so to effectively buy on the Internet means using a secret password tied to the card. The Verified by Visa protocol recommends the bank's verification page to load in an inline frame session. In this way, the bank's systems can be held responsible for most security breaches.

The main difference between Visa and MasterCard implementations resides in the method to generate the AAV (Accountholder Authentication Value): MasterCard uses UCAF (Universal Cardholder Authentication Field) and Visa uses CAVV (Cardholder Authentication Verification Value).

[edit] Implementing the protocol

The specifications are currently at version 1.0.2. Previous versions 0.7 (only used by Visa USA) and 1.0.1 have become redundant and are no longer supported. MasterCard and JCB have adopted version 1.0.2 of the protocol only.

In order for a Visa or MasterCard member bank to use the service, the bank has to operate compliant software that supports the latest protocol specifications. Once compliant software is installed, the member bank will perform product integration testing with the payment system server before it rolls out the system.

[edit] ACS providers

In 3-D Secure protocol, ACS (Access Control Server) is on the issuer side (banks). Currently, most banks outsource ACS to third party. This means the buyer's web browser shows unfamiliar domain names instead of the banks' domain names.

[edit] MPI providers

Each 3-D secure transaction involves two simple internet request/response pairs: VEReq/VERes and PAReq/PARes. Visa and MasterCard don't license merchants for sending requests to their servers. They isolate their servers by licensing software providers which are called MPI (merchant plug-in) providers.

[edit] Merchants

The advantage for merchants is the reduction of "unauthorized transaction" chargebacks. The disadvantage for merchants is that they have to purchase MPI to connect to the Visa/MasterCard Directory Server. This is expensive (setup fee, monthly fee and per-transaction fee); at the same time it represents additional revenue for MPI providers. Supporting 3-D Secure is complicated and, at times, creates transaction failures.

[edit] Buyers/credit card holders

The main advantage for cardholders is that there is a decreased risk of other people being able to use their payment cards fraudulently on the Internet.

In most current implementations of 3-D Secure, the issuing bank or its ACS provider prompts the buyer for a password that is known only to the bank/ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the purchaser is indeed their cardholder. This decreases risk in two ways:

1. Copying card details, either by writing down the numbers on the card itself or by way of modified terminals or ATMs, does not result in the ability to purchase over the Internet because of the additional password, which is not stored on or written on the card.
2. Since the merchant does not capture the password, there is a reduced risk from security incidents at online merchants; while an incident may still result in hackers obtaining other card details, there is no way for them to get the associated password.

In spite of the prevalence of password-based implementations, 3-D Secure does not require the use of password authentication, and it is perfectly possible to use it in conjunction with smart card readers, security tokens and the like. These types of devices may provide a better user experience for customers as they free the purchaser from having to use a secure password. Some issuers are now using such devices as part of the Chip Authentication Program or Dynamic Passcode Authentication schemes.

One significant disadvantage is that cardholders may see their browser connect to unfamiliar domain names as a result of some vendors' MPI implementations and the use of outsourced ACS implementations by issuing banks, which may make it easier to perform phishing attacks on cardholders.

[edit] Criticism

[edit] Verifiability of site identity

The "Verified by Visa" system has drawn some criticism,^{[1] [2] [3]} since it is hard for users to differentiate between the legitimate Verified by Visa pop-up window or inline frame, and a fraudulent phishing site. This is because the pop-up window is served from a domain which is:

• Not the site where the user is shopping.
• Not the card issuing bank
• Not visa.com or mastercard.com

Indeed, the Verified by Visa system has been mistaken by users for a phishing scam^[4] and has itself become the target of some phishing scams^[5]. The newer recommendation to use an inline frame (IFrame) instead of a popup has reduced user confusion, but at the cost of making it harder for the user to verify that the page is genuine in the first place—as of 2008, most web browsers do not provide a simple way to check the security certificate for the contents of an iframe.

Some card issuers also use Activation During Shopping (ADS)^[6], in which cardholders who are not registered with the scheme are offered the opportunity of signing up (or forced into signing up) during the purchase process. This will typically take them to a form in which they are expected to confirm their identity by answering security questions which should be known to their card issuer. Again, this is done within the iframe where they cannot easily verify the site they are providing this information to—a cracked site or illegitimate merchant could in this way gather all the details they need to pose as the customer.

Cardholders who are not willing to take the risk of registering their card during a purchase, with the commerce site controlling the browser to some extent, can instead go to their bank's home page on the web in a separate browser window and register from there. When they go back to the commerce site and start over they should see that their card is registered. The presence on the password page of the Personal Assurance Message (PAM) that they chose when registering is their confirmation that the page is coming from the bank. This still leaves some possibility of a man-in-the-middle attack if the card holder cannot verify the SSL Server Certificate for the password page. Some commerce sites will devote the full browser page to the authentication rather than using a frame (not necessarily an iFrame, which is a less secure object anyway). In this case the lock icon in the browser should show the identity of either the bank or the operator of the verification site. The cardholder can confirm that this is in the same domain that they visited when registering their card, if it is not the domain of their bank.

[edit] Password set-up and reset weaknesses

Another weakness in the system is that the user must generally set up their account for first use, and may be able to reset their password, based on information already held by the card issuer. This information may be obtainable via social engineering or phishing attacks, even if the 3-D Secure system itself is not, and since it is generally static information about the customer, it can be used repeatedly once it has been discovered. While this is not a problem with the 3-D Secure protocol itself, "ease of use" features such as Activation During Shopping may make this easier to target.

Examples include:

• Some banks in the USA require the user to enter the last 4 digits of their Social Security number, but give an unlimited number of retry attempts.^{[citation needed]} Thus it is susceptible to a brute force attack, trying every combination from 0000 to 9999.
• MBNA allow UK and Irish cardholders to reset their password using only the details on the card, plus their date of birth. ^[7] Dates of birth are a poor choice of security information because they will be frequently recorded on forms, and may be publicly researchable, such as through the UK Registry of Births, Marriages and Deaths.

[edit] See also

• eCommerce
• Secure electronic transaction (SET)
• Merchant Plug-In (MPI)

[edit] References

1. ^ antiworm: Verified by Visa (Veriphied Phishing?)
2. ^ Industry lays into 3-D Secure - 11 Apr 2008 - IT Week
3. ^ Verified by Visa scheme confuses thousands of internet shoppers | Money | The Guardian
4. ^ Is securesuite.co.uk a phishing scam?
5. ^ Verified By Visa Activation - Visa Phishing Scams - MillerSmiles.co.uk
6. ^ http://www.visaeurope.com/documents/vbv/verifiedbyvisa_activationduringshopping.pdf Activation During Shopping
7. ^ Fundamental flaw with 3D Secure

• https://usa.visa.com/personal/security/vbv/index.html

[edit] External links

• Visa 3-D Secure Payment Program
• Visa 3-D Secure Specifications
• MasterCard SecureCode home page
• CERIAS discusses Verified by Visa shortcomings