3D Secure / Verified By Visa

Roger Hayter roger at hayter.org
Wed Apr 17 22:31:51 BST 2013

On 17 Apr 2013, at 21:38, Ben Liddicott <ben at liddicott.com> wrote:

> After reaching the point where I had four VBV logins, and noting that the only thing I had to do to create a new one, and for the transaction to succeed, was give my DOB, I decided it was a complete waste of time. I phoned my bank and told them that I didn't want to use it any more, as I considered it worthless from a security point of view and if anything an increased risk, and if they made me use it I would change banks. They said it was not possible to opt me out.
> 
> However immediately afterwards I found that I was no longer required to use it - I just got the VBV screen which immediately approved, as you describe.
> 
> That doesn't mean I don't deal with 3D Secure though. It means that I keep getting "fraud calls" from them whenever I make a purchase from Amazon, and every Christmas. I have explained that:
> 
> * Amazon put purchases of multiple items through as multiple small purchases - surely you know that!!! (this issue seems to have gone away now, about a year ago).
> * People make otherwise unusual purchases at Christmas - yes, and to unusual delivery addresses.
> * I have no idea who that merchant account with the generic name in Canada is but that doesn't mean I didn't make the purchase! What was the trading name? What did I buy? How do you expect me to connect Secure Trading And Whutevar Ltd (a payment processor) with my actual purchase?
> 
> 
> Just my tuppence.
> 
> Cheers, Ben
> 
> On 17/04/2013 13:14, Peter Tomlinson wrote:
>> I have two Visa debit cards, different banks. One of them is with HSBC, which uses Verified by Visa, and most (maybe all) online transactions trigger the password process. The other is with a bank that is also UK situated and long standing [1], and transactions trigger the V by V screen and box, but its content is blank, it very quickly disappears, and then the transaction completes - mysterious. This isn't because I use one card for one set of merchants and the other for another set, or because I restrict which card I choose according to transaction value - I don't differentiate like that.
>> 
>> And, after reading Murdoch and Anderson, I can report that I have never received a message 'impersonating the ADS form to ask for banking details'.
>> 
>> Peter
>> 
>> [1] I'm not stating which, in case anyone reading this is interested in attacking such a bank
>> 
>> On 17/04/2013 11:18, Ian Batten wrote:
>>> Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application writers [2]?
>>> 
>>> Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer.  Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately succeeded.  I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been stolen.   Not ideal, but better than nothing, and avoids having to type the password.
>>> 
>>> This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3].   It was a non-trivial amount of money to a website I have never used before, but which Sue uses regularly for small transactions. This transaction was probably two orders of magnitude greater than any previous one.   Our credit cards are separate accounts.   I was using her web browser while logged in to her account.   My card went straight through, without asking for a 3DS password.
>>> 
>>> To which I say, huh?  What state is there in a random user account on an OSX machine which allows it to assert that it's me?  What are 3DS checking?
>>> 
>>> ian
>>> 
>>> [1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
>>> 
>>> [2] http://www.web-merchant.co.uk/3dsecure.asp
>>> 
>>> [3]  Itself an interesting point.  We suspect that as we use my card for making large online purchases, I've built up a history of doing "that sort of thing", while Sue hasn't.  Alternatively, if you do a lot of transactions of size x with a merchant, a transaction of size 100x might scream "insider fraud with stored credentials", while a first-time transaction of the same size doesn't raise the same concern.
>>> 
>> 
>> 
> 
> 
> 


Just to add to diversity, two of my cards (different banks) always require a password when using Firefox in Windows, but the window disappears immediately and authorisation occurs when using Safari in OS X. My cookie policy is liberal in both.

-- 

Roger Hayter
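An added illustration for readers of the archive, not part of the thread and not code from any issuer or from the posters: the three guesses made above (Ian's recognised-cookie theory, his footnote [3] about a transaction far above the usual spend at a merchant the card already uses, and the observation that a first-time merchant gives nothing to compare against) encoded as rules, so the anecdotes in the thread can be checked against them. It does not describe how any real 3DS access-control server actually decides; the card profiles, cookie values, merchant names, amounts and the 20x threshold are all constructed for the example.

```python
"""Toy risk model of the 3-D Secure behaviour guessed at in this thread.

HYPOTHETICAL: an illustration added to the archive page, not code from any
issuer or from the posters. It does not describe how a real 3DS access-control
server decides; it encodes three guesses from the thread so the observations
can be checked against them:
  1. Ian's guess that a recognised issuer cookie is taken as device proof.
  2. Ian's footnote [3]: a large multiple of a card's usual spend at a
     merchant it already uses looks like stored-credential abuse.
  3. A first-time merchant has no history, so that multiple cannot be tested.
All card names, cookie values, merchants, amounts and thresholds are constructed.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class CardProfile:
    history: dict = field(default_factory=dict)      # merchant -> list of past amounts
    known_cookies: set = field(default_factory=set)  # cookies the issuer set for this card


@dataclass
class Txn:
    merchant: str
    amount: float
    device_cookie: Optional[str]  # issuer cookie the browser sent, if any


def risk_decision(profile: CardProfile, txn: Txn,
                  challenge_unknown_device: bool, ratio_limit: float = 20.0) -> str:
    """Return 'challenge' (password screen) or 'frictionless' (screen flashes and passes).

    ratio_limit is an arbitrary constructed threshold, not an industry value.
    challenge_unknown_device toggles whether an unrecognised browser on its own
    is enough to demand the password.
    """
    past = profile.history.get(txn.merchant)
    if past and txn.amount > ratio_limit * median(past):
        return "challenge"                 # guess 2: far above usual spend at this merchant
    if txn.device_cookie in profile.known_cookies:
        return "frictionless"              # guess 1: device recognised by cookie
    if challenge_unknown_device:
        return "challenge"                 # unknown device policy switched on
    return "frictionless"                  # guess 3: nothing to compare against


def thread_scenarios() -> dict:
    """Run the thread's anecdotes under both device policies.

    Returns name -> (decision when unknown devices are challenged,
                     decision when they are not).
    """
    sue = CardProfile(history={"shop.example": [12.0, 9.5, 15.0, 11.0]},
                      known_cookies={"sue-cookie"})
    ian = CardProfile(history={"other.example": [250.0, 900.0]},
                      known_cookies={"ian-firefox-cookie"})
    roger = CardProfile(known_cookies={"roger-safari-cookie"})

    cases = {
        # Sue's card, her regular merchant, ~100x her usual order, from her own browser.
        "sue_regular_merchant_100x": (sue, Txn("shop.example", 1200.0, "sue-cookie")),
        # Ian's card, a merchant new to his card, typed into Sue's browser (only her cookie is sent).
        "ian_first_time_large": (ian, Txn("shop.example", 1200.0, "sue-cookie")),
        # Roger: Firefox on Windows sends no issuer cookie; Safari on OS X does.
        "roger_firefox_windows": (roger, Txn("any.example", 40.0, None)),
        "roger_safari_osx": (roger, Txn("any.example", 40.0, "roger-safari-cookie")),
    }
    return {name: (risk_decision(p, t, True), risk_decision(p, t, False))
            for name, (p, t) in cases.items()}


if __name__ == "__main__":
    for name, (strict, lax) in thread_scenarios().items():
        print(f"{name:28s} challenge-unknown-device={strict:12s} otherwise={lax}")
```

Running it shows why the thread is puzzled: with unknown devices challenged, Roger's Firefox case gets the password screen as he reports, but Ian's card in Sue's browser would be challenged too, which it was not; with unknown devices waved through, Ian's case matches but Roger's does not. No setting of a cookie-only model reproduces all four reports, so whatever the issuers were checking in 2013, it was not just a browser cookie.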