3D-Insecure: Cambridge researchers expose Verified by Visa

Credit-card companies claim their 3D-Secure system – branded as Verified by Visa and Mastercard SecureCode – provides an extra layer of security against online fraud. Back in November I suggested that, rather than protecting consumers, the extra security appears to benefit banks and merchants by pushing fraud liability onto card-holders.

Now Ross Anderson and Steven Murdoch, computer security researchers at the University of Cambridge, have published a paper [PDF] analysing 3D-Secure. Announcing the work on his blog, Prof. Anderson said,

From the engineering point of view, [3D-secure] does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. … This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.

The paper concludes by recommending technical measures that would improve security for card-holders. It also calls for regulation to protect consumers from being forced to accept liability for online fraud.

I hope that the academic rigour of Anderson and Murdoch’s work, backed by the formidable reputation of the University of Cambridge Security Research Laboratory, will help to focus mainstream attention on Visa and Mastercard’s selfish treatment of their customers.