3D Secure / Verified By Visa

Ian Hill ian at cellar.org.uk
Fri Apr 19 09:58:40 BST 2013


On 17 April 2013 11:18, Ian Batten <igb at batten.eu.org> wrote:
> Originally, it took you to an iFrame which prompted you for a password you had
> previously agreed with the issuer.  Later, for me at least (Lloyds TSB) it instead
> put up the Verified by Visa or its Mastercard equivalent logo, said it was
> authenticating, and then immediately succeeded.  I assumed, without checking,
> that it had dropped a random cookie which the issuer regarded as sufficient proof
> the card hadn't been stolen.

No, that's not quite what's happening. What happens is this:

1. Merchant submits an initial request to their payment provider
saying "I want to charge £x to card Y"
2. Payment provider responds indicating that this card is covered by
3D secure. The response includes a short piece of javascript which the
provider is obliged to present to the user.
3. Merchant does so and the user is directed to a 3D secure page
hosted entirely by the bank.
4. It is up to the bank what to do next. Originally they all asked for
some sort of password
5. Once the bank is happy it redirects you back to the merchant
6. The merchant submits a second request to the payment provider
saying "I want to charge £x to card Y and I'm pretty sure they've
passed 3D secure"
7. Payment either progresses or fails.

All that's changed in the last few years in my experience is what the
banks are doing at step 4. They are now frequently not bothering to
issue a password challenge and instead pass the stage automatically.

My guess is that this allows the bank a real time opportunity to
analyse the transaction against their fraud protection systems. It's
not even slightly about authenticating you.

See, for example, LloydsTSB's page on the subject which says:

"The service will assess each transaction and either verify it
automatically or, in some cases, ask you for some further information
to help us verify the payment."
http://www.lloydstsb.com/debit_cards/clicksafe.asp

So when you don't get asked for a password that's everything to do
with your bank and nothing to do with cookies etc local to you.

As I understand it :-)

Cheers,
Ian

--
Ian Hill
ian at cellar.org.uk
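The seven-step flow described in the post, as an added toy simulation that is not code from the post or from any real 3D Secure implementation: the issuer's step-4 decision is risk-based (challenge only above a constructed amount threshold), and the result it hands back is bound to the card and amount so the payment provider can check it at step 6 rather than trusting the merchant's "pretty sure". The issuer key, card number, password and threshold are constructed placeholders.

```python
import hmac
import hashlib
import secrets

# Constructed placeholders: key shared between issuer and payment provider,
# and one enrolled card with its 3D Secure password.
ISSUER_KEY = b"constructed-issuer-key"
ENROLLED_CARDS = {"4111-0000-0000-0001": "hunter2"}
RISK_THRESHOLD = 100  # constructed rule: amounts above this get a challenge


def issuer_assess(card, amount, password=None):
    """Step 4: the bank assesses the transaction; it may or may not challenge."""
    if amount > RISK_THRESHOLD and password != ENROLLED_CARDS.get(card):
        return {"status": "challenge_required"}
    # Bank is happy: return a result bound to card + amount via a fresh nonce and MAC.
    nonce = secrets.token_hex(8)
    msg = f"{card}|{amount}|{nonce}".encode()
    tag = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return {"status": "authenticated", "nonce": nonce, "tag": tag}


def provider_verify(card, amount, result):
    """Step 6: the provider verifies the issuer's result before charging."""
    if result.get("status") != "authenticated":
        return False
    msg = f"{card}|{amount}|{result.get('nonce', '')}".encode()
    expected = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, result.get("tag", ""))


def purchase(card, amount, password=None):
    """Steps 1-7 in order. Returns the outcome and whether the user saw a challenge."""
    # Steps 1-3: merchant asks the provider; provider says whether the card is
    # enrolled and the user is sent to the bank-hosted page.
    if card not in ENROLLED_CARDS:
        return {"outcome": "no_3ds", "challenged": False}
    # Steps 4-5: bank assesses; only if it asks does the user type a password.
    result = issuer_assess(card, amount)
    challenged = result["status"] == "challenge_required"
    if challenged:
        result = issuer_assess(card, amount, password)
        if result["status"] == "challenge_required":
            return {"outcome": "declined", "challenged": True}
    # Steps 6-7: merchant's second request carries the result; provider checks it.
    ok = provider_verify(card, amount, result)
    return {"outcome": "charged" if ok else "declined", "challenged": challenged}
```

Whether a challenge appears depends only on the issuer's rule and the amount, never on anything stored in the user's browser, and a result forged or replayed for a different amount fails the provider's check.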
