Report: 3-D Secure Not What Name Suggests

The Verified by Visa and MasterCard SecureCode online card-security protocols are weak compared with other available options, a report concluded.

The two formats, collectively known as 3-D Secure, were developed by Visa Inc. and MasterCard Inc. in recent years to increase security for online, card-not-present purchases. Merchants that use 3-D Secure shift liability for disputed transactions to payment card issuers.

Cambridge University researchers Steven J. Murdoch and Ross Anderson claim that the existing 3-D Secure processes are vulnerable to phishing fraud. And with fraud rates for card-not-present transactions growing, stronger authentication methods will be needed to prevent online fraud from skyrocketing, they said. The researchers presented their findings at the Financial Cryptography and Data Security forum last week in Spain.

Both methods require consumers to register their cards with the brands to obtain a secure password that can be used for online transactions.

Merchants also must use the 3-D Secure software on their Web sites. If a merchant accurately processes and verifies a transaction through the MasterCard SecureCode or Verified by Visa password, it faces no chargeback risk.

The costs of fraudulent transactions have typically been borne by the merchants, and Anderson said that the formats have become widely used because they enable merchants to shift the liability to the issuers.

Because 3-D Secure passes on the responsibility, merchants have been eager to use it, despite the flaws identified by the two researchers.

"This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure," he wrote.

The weaknesses of Verified by Visa and MasterCard SecureCode are a growing concern as more countries adopt the EMV Integrated Circuit Card Specifications for card-present transactions, which may shift fraud to card-not-present transactions, the authors contend.

The U.K. began transitioning its payments industry to EMV in 2003; that process is now complete. The authors report that U.K. card-not-present fraud soared 188% between 2003 and 2008, when it accounted for $525.9 million of losses to banks and merchants, more than half of all bank card fraud in the country.

The researchers said that the 3-D Secure system typically opens a pop-up window on a shopper's screen, where they enter their account number. However, these windows do not feature an address bar that would make it easier for users to determine if they are visiting a fake Web site.

The 3-D Secure systems provide cardholders with "no easy way for a customer to verify who is asking for their password," they wrote in the report.

Security could be shored up in the 3-D Secure processes by requiring a unique authorization code for each transaction, sent by the bank via mobile phone text messaging, or a chip-authentication program involving a peripheral device attached to a computer for online shopping, the authors suggest.
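As an added illustration of the per-transaction authorization code the authors propose (example code written for this page, not from the report, Visa or MasterCard), the issuer below binds a one-time code to the card, merchant and amount, delivers it in a simulated text message that tells the cardholder what it authorizes, and accepts it only for that transaction, once. The class and field names, the six-digit format and the five-minute validity window are assumptions.

```python
import hmac
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a delivered code


class Issuer:
    """Constructed issuer model: one dynamic code per transaction."""

    def __init__(self, clock=time.time):
        self.key = secrets.token_bytes(32)   # issuer-side secret, constructed
        self.pending = {}                    # tx_id -> (details, expiry)
        self.clock = clock

    def _code(self, tx_id, card, merchant, amount_cents):
        # The code is an HMAC over the whole transaction context, so unlike a
        # static password it is worthless for any other merchant or amount.
        msg = f"{tx_id}|{card}|{merchant}|{amount_cents}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def start_transaction(self, card, merchant, amount_cents):
        tx_id = secrets.token_hex(8)
        details = (card, merchant, amount_cents)
        self.pending[tx_id] = (details, self.clock() + CODE_TTL_SECONDS)
        code = self._code(tx_id, *details)
        # Simulated SMS: the cardholder can see exactly what is being approved.
        sms = f"Code {code} for {amount_cents / 100:.2f} at {merchant}"
        return tx_id, sms

    def verify(self, tx_id, card, merchant, amount_cents, code):
        entry = self.pending.get(tx_id)
        if entry is None:
            return False                      # unknown or already consumed
        details, expiry = entry
        if self.clock() > expiry or details != (card, merchant, amount_cents):
            return False                      # expired or details altered
        if not hmac.compare_digest(self._code(tx_id, *details), code):
            return False
        del self.pending[tx_id]               # single use: consumed on success
        return True


def demo():
    issuer = Issuer()
    tx, sms = issuer.start_transaction("4111-XXXX", "ShopA", 4999)
    code = sms.split()[1]                     # what the cardholder types back
    tampered = issuer.verify(tx, "4111-XXXX", "ShopB", 99900, code)  # False
    genuine = issuer.verify(tx, "4111-XXXX", "ShopA", 4999, code)    # True
    replay = issuer.verify(tx, "4111-XXXX", "ShopA", 4999, code)     # False
    return tampered, genuine, replay
```

A production issuer would also cap failed attempts per transaction; the model above only shows the binding and single-use properties.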

"What's needed now is for regulators to intervene on behalf of the consumer," the authors wrote, noting the European Union has proposed an electronic signature directive, to encourage the use of secure, electronic signature-creation devices by consumers.

The authors wrote: "3-D Secure has received little public scrutiny despite the fact that, with 250 million users of Verified by Visa alone, it's probably the largest single sign-on system ever deployed."

A Visa representative said in a statement that while it values academic input, some elements of the Cambridge report address "theoretical scenarios that don't fully appreciate the multiple layers of protection encasing each Visa transaction."

MasterCard representatives did not reply to questions.

Visa said it believes the technology underlying its card-not-present authentication process is a "valuable security layer" for merchants, financial institutions and consumers.

"With regard to the recent white paper published out of the U.K., we agree with the authors' conclusion that authentication solutions should be more inclusive of dynamic information. Many of the suggestions for improvement have already been implemented in some markets or are being worked on."
