3D Secure / Verified By Visa

[Ian Batten]

Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application writers [2]?

Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer.  Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately succeeded.  I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been stolen.   Not ideal, but better than nothing, and avoids having to type the password.

This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3].   It was a non-trivial amount of money to a website I have never used before, but which Sue uses regularly for small transactions.  This transaction was probably two orders of magnitude greater than any previous one.   Our credit cards are separate accounts.   I was using her web browser while logged in to her account.   My card went straight through, without asking for a 3DS password.  

To which I say, huh?  What state is there in a random user account on an OSX machine which allows it to assert that it's me?  What are 3DS checking?

ian

[1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

[2] http://www.web-merchant.co.uk/3dsecure.asp

[3]  Itself an interesting point.  We suspect that as we use my card for making large online purchases, I've built up a history of doing "that sort of thing", while Sue hasn't.  Alternatively, if you do a lot of transactions of size x with a merchant, a transaction of size 100x might scream "insider fraud with stored credentials", while a first-time transaction of the same size doesn't raise the same concern.