Industry lays into 3-D Secure

Verified by Visa and MasterCard SecureCode are flawed, say experts

Payments experts have rounded on the 3-D Secure identity verification scheme, which was set up to secure online transactions. The system is vulnerable to fraud and unintuitive for customers, they argue.

At a recent roundtable event hosted by fraud detection firm CyberSource, experts from banking, e-commerce and academia argued that 3-D Secure – which comprises Verified by Visa and MasterCard SecureCode – is fundamentally insecure.

Criminals can potentially set up fake 3-D Secure enrolment screens to harvest customer details, warned Mike Levi of Cardiff University. "How can you tell if it is genuine 3-D Secure?" he added.

And merchants, including Lastminute.com, are already reporting difficulties. Mick Scott of Lastminute.com said the firm had found one case of fraudulent activity on a UK card which was nevertheless authorised using Verified by Visa.

Security firm Sophos this week confirmed that phishers are undermining the integrity of the system. It discovered emails claiming to be from MasterCard that are being mass-mailed out to entice consumers to click on a link in order to sign up to SecureCode. The link then takes them to a false registration page where card and other details are harvested for future use by the phishers.

"The thing I can see being more confusing than anything else is that you can go to a number of places to sign up for [the genuine SecureCode] – even local banks," argued Sophos' Carole Theriault. "There should be only one official site."

Lastminute's Scott also expressed concern that the complexity of the system was off-putting for customers. "We turned on Verified by Visa in Spain and it was horrific," said Scott. "There was a 30 per cent drop off in completed purchases."

Further problems included the difficulties of training customers to use the system. The amount of user training necessary was unexpectedly high, suggested Ken Muir, British Airways' global payments manager. The problem was compounded by the risk that users would wrongly perceive training material to be a phishing attack. "There were a whole load of things we'd like to do but we couldn't because it would look like phishing," he added.

"There's nowhere we can send the customer to for information they can trust… because fraudsters will do the same."

Muir argued that even if it were successful, the 3-D Secure scheme would only push fraudsters into different ways of defrauding customers. "We invested all that money and there was a slow shift [to other methods] rather than a prevention of fraud."

The only secure method of safeguarding transactions is to provide two-factor authentication tools which rely on dynamic encryption keys, said Phil Curtis, managing director of First Data, which provides data processing for Bank of Scotland. He cited the one-time passcode card readers distributed by Barclays to its customers as a prime example of good practice.

"Apacs is trying to force the banks to get together but it has no teeth – we need a mechanism to bang their heads together and you can only do this if you are the government," he added.

Users should be the ultimate arbiter of authentication methods, argued Mike Davies of secure authentication firm VeriSign. "Organisations have to take a pragmatic view and not mandate [card readers] like Barclays, but offer it to those who want it and understand there are those who won't and take that as part of their business model."

Visa and MasterCard declined to comment on 3-D Secure.