Posted by John Kindervag on February 1, 2010
Security researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. Both of the ginormous card brands use it, under the names "Verified by Visa" and "MasterCard SecureCode."
This could be a big deal.
In a recent paper, the researchers call out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."
According to the authors:
"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."
The results of this research could prove devastating to both the eCommerce and the credit card industries, because the growth in eCommerce rests on the very fact that consumers are not liable for fraudulent transactions. Cybercriminals who exploit the 3-D Secure protocol could leave innumerable consumers financially liable for those criminals' purchases. If consumers have increased liability, will they still use their credit cards as cavalierly as they do today? Most consumers are teetering on the hairy edge of confidence in credit card security anyway, and the potential threat of owing lots of money to merchants for things they didn't buy could cause consumers to limit their credit card usage. The researchers include a dire prediction:
"But 3DS ignores the other lessons learnt from earlier systems. The result is that customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online. Now our experience in recent years is that when attacks can be profitably industrialised, they will be; the growth of man-in-the-middle attacks and malware will ensure that 3DS is not sustainable in its present form."
While a potential solution is proposed, and you can be certain that many more folks will weigh in on this topic before it is resolved, it may leave consumers in the lurch while the merits of various systems are endlessly debated.
"What should be done technically? We believe that single sign-on is the wrong model. What's needed is transaction authentication. The system should ask the customer, "You're about to pay $X to merchant Y. If this is OK, enter the auth code."
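To make the authors' distinction concrete, here is an added Python sketch that is not from the paper or this post: the customer's code is an HMAC over the amount, merchant and a per-transaction nonce, so a code captured by a man-in-the-middle and relayed against an altered amount or a different merchant fails to verify, whereas a static password (the single sign-on model) verifies regardless of what the transaction says. The shared card secret, the nonce and the key arrangement are constructed assumptions, not part of the paper's proposal.

```python
import hmac
import hashlib

# Constructed example: a per-card secret shared between the issuer and the
# customer's authentication device. The paper does not prescribe this setup.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def transaction_auth_code(secret: bytes, amount_cents: int, merchant: str,
                          nonce: str, digits: int = 6) -> str:
    """Derive a short numeric code bound to exactly this amount, merchant and nonce."""
    msg = f"{amount_cents}|{merchant}|{nonce}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation so a person can type the result.
    offset = tag[-1] & 0x0F
    value = int.from_bytes(tag[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def issuer_verifies(secret: bytes, amount_cents: int, merchant: str,
                    nonce: str, submitted_code: str) -> bool:
    """Issuer recomputes the code from the transaction it is actually asked to approve."""
    expected = transaction_auth_code(secret, amount_cents, merchant, nonce)
    return hmac.compare_digest(expected, submitted_code)


def static_password_verifies(stored: str, submitted: str) -> bool:
    """The single sign-on model: the check knows nothing about amount or merchant."""
    return hmac.compare_digest(stored, submitted)


def demo() -> tuple:
    nonce = "nonce-0001"  # constructed; would be issuer-generated per transaction
    # Device shows "pay $20.00 to Shop A" and computes the code for that exact request.
    code = transaction_auth_code(CARD_SECRET, 2000, "Shop A", nonce)
    honest = issuer_verifies(CARD_SECRET, 2000, "Shop A", nonce, code)
    # The same code relayed with the amount changed to $2,000.00 does not verify.
    tampered = issuer_verifies(CARD_SECRET, 200000, "Shop A", nonce, code)
    # Nor does it verify against a different merchant.
    replayed = issuer_verifies(CARD_SECRET, 2000, "Shop B", nonce, code)
    # A static password accepts any transaction it is attached to.
    sso = static_password_verifies("hunter2", "hunter2")
    return honest, tampered, replayed, sso


if __name__ == "__main__":
    print(demo())
```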
Bottom Line: Visa and MasterCard need to get in front of this issue immediately before consumers are scared away from using credit cards or governments get involved:
"Visa and MasterCard have managed to get 3DS deployed by arranging so that merchants and banks benefit (at least in the short term) while consumers lose out. What's needed now is for regulators to intervene on behalf of the consumer."
Remember, Security Pros, you are also consumers! Will this research make you think twice about buying something online using 3-D Secure? Does it affect your thoughts about using credit cards at all? We'd like to know.