Archives for: February 2007

23/02/07

Permalink 01:44:04 pm, by Igor Drokov, in User experience, Credit cards

Online retail sales are on the way to hitting $329 billion (see Forrester) with the majority of these being credit card purchases. However, with ever increasing media reports of security and fraud risks, the "late majority" of Internet users are still not convinced and there has even been a decline in the number of "early adopters" who believe that card transactions are secure.

The mission was, and still is, to create a secure environment for online shoppers. In the early years, the main threat was perceived to be someone monitoring Internet traffic and stealing your credit card details during a purchase; hence, a great deal of effort was put into introducing SSL and site certificates (trustmarks were displayed prominently to declare the online shop secure). Long gone are the days, though, when it seemed so important whether your browser could use 128-bit keys for strong encryption or was limited to 40-bit keys because of US government restrictions on the export of cryptographic technology. New types of attacks have emerged, such as phishing, pharming, cross-site scripting... not much has changed, however, to protect the shopping experience. The most popular anti-fraud tool is still Address Verification Service (AVS), with Card Verification Number (CVN) more recently added to the list (see reports by CyberSource). Admittedly, checking the cardholder's address and a 3-digit number printed on the back of the card is hardly a match for the innovation of criminal minds, so the credit card companies respond with a new standard. Originally designed by Visa and licensed to other cards, 3-D Secure - most commonly known as "Verified by Visa" and "MasterCard SecureCode" - enables a merchant to enlist the card issuer's help in order to confirm the cardholder's identity during the transaction. Sounds like a good idea, doesn't it?

It is indeed... for the merchant. 3-D Secure verification makes any online transaction equivalent to "card-present" and verified by the usual PIN, thus reducing the high processing charges associated with risky "card-not-present" transactions. Most importantly, it shifts the fraud liability from the merchant to the cardholder … but is the end user implementation really that secure?

During the normal purchasing process with a participating merchant, the user is asked to sign up to, for example, "Verified by Visa". If the user agrees, the purchase is put on hold (disrupting the transaction) and the user is transferred to the web site of the bank that issued the card. The intention is that the bank will then ask the user a number of questions that will prove the user's identity and will set up a special password. This new password will have to be provided to complete any online transaction with this card, adding a second authentication factor. The password is effectively another card PIN for online transactions, and is supposed to fit with the consumer model of how cards work and benefit from the recent "success" of the Chip and PIN introduction in the UK.

Is this equivalent of an "offline PIN" secure? Without questioning the effectiveness of Chip and PIN in the real world (although here is a demonstration by the Security Group at the University of Cambridge Computer Laboratory of an impressive but relatively simple to execute attack), it does not seem too difficult to steal this new online second authentication factor. Infecting a user's computer with a trojan keylogger, for example, is much more effective and significantly cheaper than shoulder-surfing at an ATM. What does this mean in practice? Without even realising it, the user trades a small reduction in fraud risk for a significantly higher exposure (liability). With more and more merchants implementing 3-D Secure, some even try to force the user to enrol (only a verified purchase is allowed).
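The two preceding paragraphs describe the enrolment and verification flow and then argue that a password typed into the browser on every purchase is a weak second factor once the PC is compromised. The toy model below, added here as an illustration and not code from the author or from any card scheme, puts both points in one place: it plays the merchant/issuer/cardholder exchange for the static-password arrangement the post describes, and beside it a transaction-bound one-time code (a generic stand-in for the challenge/response devices the post later mentions, not a reproduction of CAP). The issuer class, the purchase records, the card number and the password are all constructed for this example.

```python
"""Toy model of the 3-D Secure second-factor step (added example).

Policy A: a static password chosen at enrolment and typed into the browser
on every purchase.  Policy B: a key provisioned into a cardholder device; the
cardholder types only a short code computed over the purchase details.  The
scenarios show what the issuer accepts when the same typed value turns up a
second time.  Everything here is constructed; nothing is a real scheme's API.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Purchase:
    """What the merchant hands to the issuer for authentication (constructed)."""
    merchant: str
    amount_pence: int
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))

    def challenge(self) -> bytes:
        # The data a transaction-bound code commits to.
        return f"{self.merchant}|{self.amount_pence}|{self.nonce}".encode()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Issuer:
    """Toy issuer-side authentication server (stands in for the bank's site)."""

    def __init__(self) -> None:
        self._static: dict[str, tuple[bytes, bytes]] = {}   # pan -> (salt, hash)
        self._device_keys: dict[str, bytes] = {}            # pan -> device key
        self._used_nonces: set[str] = set()

    # Policy A: static password, reused on every purchase.
    def enrol_static(self, pan: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._static[pan] = (salt, _hash_password(password, salt))

    def verify_static(self, pan: str, purchase: Purchase, password: str) -> bool:
        # The purchase details play no part: any purchase with the right
        # string is authorised.
        salt, stored = self._static[pan]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    # Policy B: code bound to merchant, amount and a fresh nonce.
    def enrol_device(self, pan: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[pan] = key
        return key  # provisioned into the device, never typed by the user

    @staticmethod
    def bound_code(key: bytes, purchase: Purchase) -> str:
        return hmac.new(key, purchase.challenge(), "sha256").hexdigest()[:8]

    def verify_bound(self, pan: str, purchase: Purchase, code: str) -> bool:
        if purchase.nonce in self._used_nonces:
            return False  # this challenge has already been consumed
        expected = self.bound_code(self._device_keys[pan], purchase)
        if not hmac.compare_digest(expected, code):
            return False
        self._used_nonces.add(purchase.nonce)
        return True


def run_scenarios() -> dict[str, bool]:
    """Honest use of each policy, then the same typed value presented again."""
    issuer = Issuer()
    pan = "4111-xxxx-xxxx-1111"          # constructed, not a real card number
    books = Purchase("books.example", 2499)
    flights = Purchase("flights.example", 48900)

    # Policy A: the value typed into the browser is the whole secret.
    issuer.enrol_static(pan, "correct horse")
    typed = "correct horse"              # what a keylogger on the PC would record
    results = {
        "static_password_accepted": issuer.verify_static(pan, books, typed),
        "static_password_reused_on_other_purchase": issuer.verify_static(pan, flights, typed),
    }

    # Policy B: only a code tied to this one purchase is typed.
    key = issuer.enrol_device(pan)
    code = Issuer.bound_code(key, books)
    results["bound_code_accepted"] = issuer.verify_bound(pan, books, code)
    results["bound_code_reused_on_other_purchase"] = issuer.verify_bound(pan, flights, code)
    results["bound_code_replayed_same_purchase"] = issuer.verify_bound(pan, books, code)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:45s} -> {'accepted' if accepted else 'rejected'}")
```

The point the model makes is the one the post is driving at: under policy A the issuer cannot tell a cardholder's keystrokes from a copy of them, so a single capture authorises any later purchase and the liability shift lands on the cardholder; under policy B the typed value is useless for a different purchase or a second attempt at the same one, because the issuer checks it against the purchase details and a nonce it will not accept twice.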

Even worse is a lack of security for enrolment; consider this real user's account:

I was forced to register for 3D Secure recently and was appalled at the lack of security around the registration process for that. I had a bad experience whereby I abandoned the Web transaction because it was trying to force me to enrol with 3D Secure. I decided to call and do a MOTO [over the phone] transaction to avoid 3D and got as far as the girl saying 'you need to choose a password now' before I realised that SHE was enrolling me via her Web Browser!!! The only extra bit of info she asked from me was my date of birth(!), which since I was buying travel tickets didn't seem unreasonable. I had to stop the card!

Imagine if your postman delivered your credit card PIN in an open envelope and asked for your card number and date of birth - a full package for stealing your identity. Also imagine trying to prove to your bank later that this verified by PIN transaction wasn't performed by you. Think it is easy? - just read this account.

The 3-D Secure standard was designed to support multiple strong authentication mechanisms, and passwords are the weakest of them; but even the preferred alternative, smartcard-based authentication (CAP), isn't as strong as users are led to believe. Online transactions have to become more secure and 3-D Secure could probably help. Unfortunately, its current implementation is flawed from the user's point of view: increasing the liability without making transactions more secure is hardly an attractive proposition.