3D Secure / Verified By Visa

Ben Liddicott ben at liddicott.com
Wed Apr 17 21:38:23 BST 2013

After reaching the point where I had four VBV logins, and noting that 
the only thing I had to do to create a new one, and for the transaction 
to succeed, was give my DOB, I decided it was a complete waste of time. 
I phoned my bank and told them that I didn't want to use it any more, as 
I considered it worthless from a security point of view and if anything 
an increased risk, and if they made me use it I would change banks. They 
said it was not possible to opt me out.

However immediately afterwards I found that I was no longer required to 
use it - I just got the VBV screen which immediately approved, as you 

That doesn't mean I don't deal with 3d secure though. It means that I 
keep getting "fraud calls" from them whenever I make a purchase from 
Amazon, and every Christmas. I have explained that:

* Amazon put purchases of multiple items through as multiple small 
purchases - surely you know that!!! (this issue seems to have gone away 
now, about a year ago).
* People make otherwise unusual purchases at Christmas - yes, and to 
unusual delivery addresses.
* I have no idea who that merchant account with the generic name in 
Canada is but that doesn't mean I didn't make the purchase! What was the 
trading name? What did I buy? How do you expect me to connect Secure 
Trading And Whutevar Ltd (a payment processor) with my actual purchase?

Just my tuppence.

Cheers, Ben

On 17/04/2013 13:14, Peter Tomlinson wrote:
> I have two Visa debit cards, different banks. One of them is with 
> HSBC, which uses Verified by Visa, and most (imaybe all) online 
> transactions trigger the password process. The other is with a bank 
> that is also UK situated and long standing [1], and transactions 
> trigger the V by V screen and box, but its content is blank, it very 
> quickly disappears, and then the transaction completes - mysterious. 
> This isn't because I use one card for one set of merchants and the 
> other for another set, or because I restrict which card I choose 
> according to transaction value - I don't differentiate like that.
> And, after reading Murdoch and Anderson, I can report that I have 
> never received a message 'impersonating the ADS form to ask for 
> banking details'.
> Peter
> [1] I'm not stating which, in case anyone reading this is interesting 
> in attacking such a bank
> On 17/04/2013 11:18, Ian Batten wrote:
>> Does anyone know more about how it currently works than Wikipedia and 
>> Murdoch and Anderson 2010 [1] and high-level descriptions for 
>> application writers [2]?
>> Originally, it took you to an iFrame which prompted you for a 
>> password you had previously agreed with the issuer.  Later, for me at 
>> least (Lloyds TSB) it instead put up the Verified by Visa or its 
>> Mastercard equivalent logo, said it was authenticating, and then 
>> immediately succeeded.  I assumed, without checking, that it had 
>> dropped a random cookie which the issuer regarded as sufficient proof 
>> the card hadn't been stolen.   Not ideal, but better than nothing, 
>> and avoids having to type the password.
>> This morning, I used my credit card for a transaction in my wife's 
>> name, because my wife's card had been declined [3].   It was a 
>> non-trivial amount of money to a website I have never used before, 
>> but which Sue uses regularly for small transactions. This transaction 
>> was probably two orders of magnitude greater than any previous one.   
>> Our credit cards are separate accounts.   I was using her web browser 
>> while logged in to her account.   My card went straight through, 
>> without asking for a 3DS password.
>> To which I say, huh?  What state is there in a random user account on 
>> an OSX machine which allows it to assert that it's me?  What are 3DS 
>> checking?
>> ian
>> [1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
>> [2] http://www.web-merchant.co.uk/3dsecure.asp
>> [3]  Itself an interesting point.  We suspect that as we use my card 
>> for making large online purchases, I've built up a history of doing 
>> "that sort of thing", while Sue hasn't.  Alternatively, if you do a 
>> lot of transactions of size x with a merchant, a transaction of size 
>> 100x might scream "insider fraud with stored credentials", while a 
>> first-time transaction of the same size doesn't raise the same concern.

More information about the ukcrypto mailing list