Researchers slam 3-D Secure as insecure

University of Cambridge researchers have launched a withering attack on the 3-D Secure protocol used by Visa and MasterCard to authenticate online customers, branding it "a textbook example of how not to design an authentication protocol".

In a new piece of research entitled Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication (PDF), Steven Murdoch and Ross Anderson argue that 3-D Secure has become popular because it "got the economics right", rather than being intrinsically more secure than less popular rivals such as OpenID, InfoCard and Liberty.

The research maintains that the protocol often confuses users by running counter to traditional advice about entering credentials only into sites secured by Transport Layer Security, which browsers such as Internet Explorer 8 now recognise by displaying a green address bar.

"Because the 3-D Secure form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3-D Secure easier, but undermines other anti-phishing initiatives by contradicting previous advice," the report advised.

Customer confidence may be further undermined by the registration process, which is often completed during a shopping transaction and involves the user being asked for personal details such as date of birth.

"From the customer's perspective, an online shopping web site is asking for personal details. This further undermines customers' security usability and trust experience. And it is being exploited by criminals as phishing web sites impersonating the ADS form to ask for banking details," the report noted.

Some banks have also used the 3-D Secure system to shift liability for fraud losses unfairly onto the consumer, according to the report.

Murdoch and Anderson further warn that the system is likely to be undermined in time by man-in-the-middle attacks and the continuing growth in sophisticated malware, and that attention needs to be focused not on a single sign-on system such as this but on "transaction authentication".

"In the long term we need to move to a trustworthy payment device," the report concluded.

"This is not rocket science; rather than spending US$10 [$11] per customer to issue chip authentication program calculators, banks should spend US$20 to issue a similar device but with a USB interface and a trustworthy display."