In 2001 Visa introduced a security protocol they called 3DS, short for 3 Domain Secure in an attempt to reduce the incidence of credit card fraud in online purchases. 3DS is better known by the names used by the various card issuers when they implement the system “Verified by Visa“, “MasterCard Secure Code“, “J/Secure” (JCB International) and “SafeKey” (American Express).
The trouble is that 3DS doesn’t really present any barrier at all, to even the average fraudster, at least in the way that is is implemented by card issuers that I tested.
In the FAQ published by Visa they say “Verified by Visa protects your card against unauthorised transactions, giving you complete confidence when shopping online“. Later in the same FAQ they also state “If you forget your password you can easily reset it” and therein lies the problem. The following relates to implementations by the credit card issuers I was able to test, not necessarily to the entire 3DS system.
The problem stems from a very basic design flaw. If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but…
What would a criminal do if they access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.
The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitmate account holder, let’s have a look at that “Identification” phase.
Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.
Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.
So what should be improved? There’s nothing new or amazing here, just some really basic steps that need to be incorporated into the process. Upon enrolling in the system, cardholders should be requested to set a “Secret question” which will later serve as authentication data for a passsword change.
Instead of simply clicking through to the reset screen, a one time password reset URL should be delivered to a registered email address. Whever a change to the account details is requested, or is succesful, the registered email address should receive a notification message. Oh, one more thing, it would be really great if I could use special characters in my password, please.