3D Secure / Verified By Visa

Peter Tomlinson pwt at iosis.co.uk
Wed Apr 17 13:14:44 BST 2013

I have two Visa debit cards, different banks. One of them is with HSBC, 
which uses Verified by Visa, and most (imaybe all) online transactions 
trigger the password process. The other is with a bank that is also UK 
situated and long standing [1], and transactions trigger the V by V 
screen and box, but its content is blank, it very quickly disappears, 
and then the transaction completes - mysterious. This isn't because I 
use one card for one set of merchants and the other for another set, or 
because I restrict which card I choose according to transaction value - 
I don't differentiate like that.

And, after reading Murdoch and Anderson, I can report that I have never 
received a message 'impersonating the ADS form to ask for banking details'.


[1] I'm not stating which, in case anyone reading this is interesting in 
attacking such a bank

On 17/04/2013 11:18, Ian Batten wrote:
> Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application writers [2]?
> Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer.  Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately succeeded.  I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been stolen.   Not ideal, but better than nothing, and avoids having to type the password.
> This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3].   It was a non-trivial amount of money to a website I have never used before, but which Sue uses regularly for small transactions.  This transaction was probably two orders of magnitude greater than any previous one.   Our credit cards are separate accounts.   I was using her web browser while logged in to her account.   My card went straight through, without asking for a 3DS password.
> To which I say, huh?  What state is there in a random user account on an OSX machine which allows it to assert that it's me?  What are 3DS checking?
> ian
> [1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
> [2] http://www.web-merchant.co.uk/3dsecure.asp
> [3]  Itself an interesting point.  We suspect that as we use my card for making large online purchases, I've built up a history of doing "that sort of thing", while Sue hasn't.  Alternatively, if you do a lot of transactions of size x with a merchant, a transaction of size 100x might scream "insider fraud with stored credentials", while a first-time transaction of the same size doesn't raise the same concern.

More information about the ukcrypto mailing list