The Verified by Visa and MasterCard SecureCode online card-security protocols are relatively weak compared with other available options. And as fraud continues rising among card-not-present transactions, more-robust authentication methods will be needed to prevent online fraud from skyrocketing, two United Kingdom-based researchers contend in new research released this week.
Cambridge University researchers Steven J. Murdoch and Ross Anderson make their case in a paper they presented at the Financial Cryptography and Data Security conference held Jan. 25 to 28 in Spain.
Verified by Visa and MasterCard SecureCode, both implementations of the “3-D Secure” protocol, are among the online card-security systems the card networks developed in recent years in response to fraud arising from Internet-based, card-not-present transactions. Merchants using 3-D Secure shift liability for disputed transactions to the card issuers.
With both schemes, cardholders must enrol their cards to obtain a password for use in online transactions, and merchants must integrate the 3-D Secure software into their e-commerce sites. If a merchant correctly processes and verifies a transaction through the MasterCard SecureCode or Verified by Visa password, it is protected from charge-backs on transactions later disputed as fraudulent.
The authors argue that existing 3-D Secure deployments are vulnerable to phishing (in which crooks harvest personal information from consumers using bogus Web sites or e-mails made to look like legitimate ones), and they document many examples. The password prompt is typically presented in an inline frame or pop-up served from a domain the customer has no reason to recognise, so a genuine prompt is indistinguishable from a fake one; the systems give cardholders “no easy way for a customer to verify who is asking for their password,” they contend.
The weaknesses of Verified by Visa and MasterCard SecureCode are a growing concern as more countries adopt the smart-card EMV standard for card-present transactions, which tends to push fraud toward card-not-present channels, the authors say. EMV, introduced in the UK in 2003, is now fully deployed there. The authors report that UK card-not-present fraud rose 188% between 2003 and 2008, when it accounted for 328.4 million UK pounds (US$525.9 million) in losses to banks and merchants, more than half of all bankcard fraud.
Security in 3-D Secure could be shored up by requiring a unique authorization code for each transaction, sent by the bank via mobile-phone text message, or by a chip-authentication-program (CAP) reader, a peripheral device attached to the computer, into which the cardholder inserts the card when shopping online, the authors suggest.
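To show why the authors prefer a per-transaction code over a reusable password, here is an added illustration written for this page; it is not code from the paper, from Visa or from MasterCard. It assumes an issuer-side implementation in which the code is an HMAC over a fresh transaction id, the merchant name and the amount, is shown to the cardholder together with those details (as an SMS would be), is single-use and expires; the card secret, merchant names and amounts are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical per-card key held only by the issuer (constructed for this example).
CARD_SECRET = b"issuer-side per-card key, constructed example"


def static_password_check(stored: str, submitted: str) -> bool:
    """The weak model the article describes: one reusable password per card.

    Once phished, the same string authorises any purchase at any merchant,
    so the check can be implemented correctly and still not stop the fraud.
    """
    return hmac.compare_digest(stored.encode(), submitted.encode())


class TransactionAuthenticator:
    """Illustrative issuer-side logic for per-transaction authorisation codes.

    Not the schemes' own code. A code is derived by HMAC over the merchant,
    amount and a fresh transaction id, so it cannot be redirected to another
    purchase; it is accepted once and only before it expires.
    """

    def __init__(self, card_secret: bytes, ttl_seconds: int = 300) -> None:
        self._secret = card_secret
        self._ttl = ttl_seconds
        self._pending = {}      # txn_id -> (merchant, amount_pence, expiry)
        self._used = set()      # txn_ids already redeemed

    def _code_for(self, txn_id: str, merchant: str, amount_pence: int) -> str:
        # Bind the code to what is being authorised, not merely to the card.
        msg = f"{txn_id}|{merchant}|{amount_pence}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, merchant: str, amount_pence: int, now: Optional[float] = None):
        """Start an authorisation; returns (txn_id, code, message for the cardholder)."""
        now = time.time() if now is None else now
        txn_id = secrets.token_hex(8)
        self._pending[txn_id] = (merchant, amount_pence, now + self._ttl)
        code = self._code_for(txn_id, merchant, amount_pence)
        # The message names payee and amount, so the cardholder can see who is
        # asking: the property the authors say the 3-D Secure prompt lacks.
        message = (f"Pay GBP {amount_pence / 100:.2f} to {merchant}? "
                   f"Code {code}. If you did not start this, do not enter it.")
        return txn_id, code, message

    def verify(self, txn_id: str, merchant: str, amount_pence: int,
               code: str, now: Optional[float] = None) -> bool:
        """Accept only the exact pending transaction, once, before expiry."""
        now = time.time() if now is None else now
        pending = self._pending.get(txn_id)
        if pending is None or txn_id in self._used:
            return False
        exp_merchant, exp_amount, expiry = pending
        if now > expiry:
            del self._pending[txn_id]
            return False
        if (merchant, amount_pence) != (exp_merchant, exp_amount):
            return False        # code presented for a different purchase
        expected = self._code_for(txn_id, merchant, amount_pence)
        if not hmac.compare_digest(expected, code):
            return False
        del self._pending[txn_id]
        self._used.add(txn_id)  # never accept the same code twice
        return True


def phishing_replay_demo() -> dict:
    """Contrast a phished static password with a phished per-transaction code."""
    # Static password: whatever the phisher captured works anywhere.
    results = {"static_password_reused_by_phisher":
               static_password_check("Summer2009!", "Summer2009!")}

    auth = TransactionAuthenticator(CARD_SECRET, ttl_seconds=300)
    t0 = 1_262_304_000.0    # fixed clock so the demo is deterministic
    # Cardholder starts a GBP 19.99 purchase; a phisher captures the code.
    txn, code, _ = auth.issue("books.example", 1999, now=t0)
    results["code_replayed_for_other_merchant_and_amount"] = auth.verify(
        txn, "mule-shop.example", 50_000, code, now=t0 + 10)
    results["genuine_purchase_accepted"] = auth.verify(
        txn, "books.example", 1999, code, now=t0 + 20)
    results["same_code_accepted_twice"] = auth.verify(
        txn, "books.example", 1999, code, now=t0 + 30)
    # A code left unused past its lifetime is rejected as well.
    txn2, code2, _ = auth.issue("books.example", 1999, now=t0)
    results["stale_code_accepted"] = auth.verify(
        txn2, "books.example", 1999, code2, now=t0 + 301)
    return results


if __name__ == "__main__":
    for name, outcome in phishing_replay_demo().items():
        print(f"{name}: {outcome}")
```

The contrast is the point: the static password is still "correct" after phishing, whereas the transaction-bound code is rejected when the phisher redirects it to a different payee or amount, tries it a second time, or uses it late. A real deployment would also rate-limit guesses against the six-digit space and deliver the message over a channel the phishing page cannot read.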
“What’s needed now is for regulators to intervene on behalf of the consumer,” the authors wrote, noting that the European Union’s Electronic Signature Directive could be used to shift liability for electronic transactions onto bank customers once they are equipped with a secure signature-creation device.
“3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it’s probably the largest single sign-on system ever deployed,” the authors wrote.
Visa Inc. said in a statement that while it values academic input, some elements of the Cambridge report rely on “theoretical scenarios that don’t fully appreciate the multiple layers of protection encasing each Visa transaction.”
Visa said it believes the underlying technology behind Visa’s card-not-present authentication process is a “valuable security layer” for merchants, financial institutions and consumers. “With regard to the recent white paper published out of the UK, we agree with the authors’ conclusion that authentication solutions should be more inclusive of dynamic information. Many of the suggestions for improvement have already been implemented in some markets or are being worked on.”
MasterCard Worldwide did not respond by CardLine’s deadline.