3D Secure / Verified By Visa
Roland Perry
lists at internetpolicyagency.com
Wed Apr 17 12:52:34 BST 2013
In article <3AE8AEDF-AC64-4FAD-B2E3-22CCAB2D9724 at batten.eu.org>, Ian
Batten <igb at batten.eu.org> writes
>Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application
>writers [2]?
>
>Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer. Later, for me at least
>(Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately
>succeeded. I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been
>stolen. Not ideal, but better than nothing, and avoids having to type the password.
>
>This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3]. It was a non-trivial
>amount of money to a website I have never used before, but which Sue uses regularly for small transactions. This transaction was probably two
>orders of magnitude greater than any previous one. Our credit cards are separate accounts. I was using her web browser while logged in to
>her account. My card went straight through, without asking for a 3DS password.
>
>To which I say, huh? What state is there in a random user account on an OSX machine which allows it to assert that it's me? What are 3DS
>checking?
It seems to work differently for different cards.
For example, one of my cards is used regularly (at least once a week on
average) to buy train tickets costing small amounts (maybe £30 average)
from a nationalised rail company's website (so presumably fairly
trustworthy). It never fails to ask me for the Verified by Visa
information.
Another card, on the other hand, has never asked me to do VbV, and isn't
even enrolled, even for one-off transactions with new vendors. They
briefly wanted transactions to be verified with a keypad, but gave it up
soon after.
--
Roland Perry
More information about the ukcrypto
mailing list