Back in April I wrote about problems with the credit-industry password scheme Verified by Visa. At the time I compared it to so-called phishing scams – fraud committed by tricking unwary email users into handing over their passwords, bank account details or credit-card numbers, then ordering goods or transferring cash from their accounts.
It turns out I wasn’t the only one to notice this potential. Reports last week indicate that a Verified by Visa phishing scam is now circulating by email:
Webroot’s Andrew Brandt claimed that the scam begins with an email that appears to be targeted at holiday shoppers who buy gifts online. Brandt said: “Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information.
“In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.”
However, Brandt pointed out that the email sends the user to a web page that asks for the information you gave the card-issuing bank when you first signed up for the credit card. He also commented that the page is clearly more professional, slick and clean than most phishing pages, and that the form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.
You might think that credit-card companies have a vested interest in reducing fraud, but the reality is subtly different: their interest lies in reducing their own liability, not the overall fraud-loss figure. Like chip-and-PIN before it, the main benefit to banks and merchants of the 3D-Secure system is that it transfers liability for fraud onto the cardholder, not that it improves the intrinsic security of transactions.
Here’s my understanding of how it works. First, banks offer to indemnify merchants against any fraudulent transactions they charge that have been authenticated using the scheme. This is a strong incentive for merchants and has ensured widespread adoption. Next, the banks adjust their terms and conditions to make their customers liable for all password-authenticated transactions and impose on them a duty to protect their password. Lastly, the bank asserts that any password-authenticated transaction must either have originated with the cardholder or be the result of their neglect – i.e. that they have allowed their password to become known to someone else. The customer is then held liable for the cost of the fraud unless they can somehow prove they are not to blame for their password being used without their consent. Both the bank and the merchant are protected from loss at the expense of the cardholder.
Is it reasonable to expect credit-card customers to shoulder the blame for the failure of such a fragile security system, given the prevalence and increasing sophistication of phishing attacks such as the one reported by Webroot? Implementations of 3D-Secure vary between banks and card companies, but the technology is inherently susceptible to social-engineering attacks, as I noted in my previous post. In addition, even if your password security is meticulous, in some cases all a fraudster needs to reset it are the details on the card and the holder’s date of birth. Hardly a challenge for criminals with a passing knowledge of social networking and the darknets.
I think fraud liability should remain with banks and credit-card companies except in cases where they can prove their customers are trying to rip them off. The card companies are best placed to solve the problem of online fraud, but there’s no incentive for them to do so if they don’t stand to lose from it.