3D Secure / Verified By Visa

Roland Perry lists at internetpolicyagency.com
Wed Apr 17 12:52:34 BST 2013


In article <3AE8AEDF-AC64-4FAD-B2E3-22CCAB2D9724 at batten.eu.org>, Ian 
Batten <igb at batten.eu.org> writes
>Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application
>writers [2]?
>
>Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer.  Later, for me at least
>(Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately
>succeeded.  I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been
>stolen.   Not ideal, but better than nothing, and avoids having to type the password.
>
>This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3].   It was a non-trivial
>amount of money to a website I have never used before, but which Sue uses regularly for small transactions.  This transaction was probably two
>orders of magnitude greater than any previous one.   Our credit cards are separate accounts.   I was using her web browser while logged in to
>her account.   My card went straight through, without asking for a 3DS password.
>
>To which I say, huh?  What state is there in a random user account on an OSX machine which allows it to assert that it's me?  What are 3DS
>checking?

It seems to work differently for different cards.

For example, one of my cards is used regularly (at least once a week on 
average) to buy train tickets costing small amounts (maybe £30 average) 
from a nationalised rail company's website (so presumably fairly 
trustworthy). It never fails to ask me for the Verified by Visa 
information.

Another card, on the other hand, has never asked me to do VbV, and isn't 
even enrolled, even for one-off transactions with new vendors. They 
briefly wanted transactions to be verified with a keypad, but gave it up 
soon after.
-- 
Roland Perry
