3D Secure / Verified By Visa
Ben Liddicott
ben at liddicott.com
Wed Apr 17 21:38:23 BST 2013
After reaching the point where I had four VBV logins, and noting that
the only thing I had to do to create a new one, and for the transaction
to succeed, was give my DOB, I decided it was a complete waste of time.
I phoned my bank and told them that I didn't want to use it any more, as
I considered it worthless from a security point of view and if anything
an increased risk, and if they made me use it I would change banks. They
said it was not possible to opt me out.
However immediately afterwards I found that I was no longer required to
use it - I just got the VBV screen which immediately approved, as you
describe.
That doesn't mean I don't deal with 3D Secure though. It means that I
keep getting "fraud calls" from them whenever I make a purchase from
Amazon, and every Christmas. I have explained that:
* Amazon put purchases of multiple items through as multiple small
purchases - surely you know that!!! (this issue seems to have gone away
now, about a year ago).
* People make otherwise unusual purchases at Christmas - yes, and to
unusual delivery addresses.
* I have no idea who that merchant account with the generic name in
Canada is but that doesn't mean I didn't make the purchase! What was the
trading name? What did I buy? How do you expect me to connect Secure
Trading And Whutevar Ltd (a payment processor) with my actual purchase?
Just my tuppence.
Cheers, Ben
On 17/04/2013 13:14, Peter Tomlinson wrote:
> I have two Visa debit cards, different banks. One of them is with
> HSBC, which uses Verified by Visa, and most (maybe all) online
> transactions trigger the password process. The other is with a bank
> that is also UK situated and long standing [1], and transactions
> trigger the V by V screen and box, but its content is blank, it very
> quickly disappears, and then the transaction completes - mysterious.
> This isn't because I use one card for one set of merchants and the
> other for another set, or because I restrict which card I choose
> according to transaction value - I don't differentiate like that.
>
> And, after reading Murdoch and Anderson, I can report that I have
> never received a message 'impersonating the ADS form to ask for
> banking details'.
>
> Peter
>
> [1] I'm not stating which, in case anyone reading this is interested
> in attacking such a bank
>
> On 17/04/2013 11:18, Ian Batten wrote:
>> Does anyone know more about how it currently works than Wikipedia and
>> Murdoch and Anderson 2010 [1] and high-level descriptions for
>> application writers [2]?
>>
>> Originally, it took you to an iFrame which prompted you for a
>> password you had previously agreed with the issuer. Later, for me at
>> least (Lloyds TSB) it instead put up the Verified by Visa or its
>> Mastercard equivalent logo, said it was authenticating, and then
>> immediately succeeded. I assumed, without checking, that it had
>> dropped a random cookie which the issuer regarded as sufficient proof
>> the card hadn't been stolen. Not ideal, but better than nothing,
>> and avoids having to type the password.
>>
>> This morning, I used my credit card for a transaction in my wife's
>> name, because my wife's card had been declined [3]. It was a
>> non-trivial amount of money to a website I have never used before,
>> but which Sue uses regularly for small transactions. This transaction
>> was probably two orders of magnitude greater than any previous one.
>> Our credit cards are separate accounts. I was using her web browser
>> while logged in to her account. My card went straight through,
>> without asking for a 3DS password.
>>
>> To which I say, huh? What state is there in a random user account on
>> an OSX machine which allows it to assert that it's me? What are 3DS
>> checking?
>>
>> ian
>>
>> [1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
>>
>> [2] http://www.web-merchant.co.uk/3dsecure.asp
>>
>> [3] Itself an interesting point. We suspect that as we use my card
>> for making large online purchases, I've built up a history of doing
>> "that sort of thing", while Sue hasn't. Alternatively, if you do a
>> lot of transactions of size x with a merchant, a transaction of size
>> 100x might scream "insider fraud with stored credentials", while a
>> first-time transaction of the same size doesn't raise the same concern.
>>
>
>