Item Search
     
BG-Wiki Search
Results 1 to 4 of 4
  1. #1
    Sea Torques
    Join Date
    Oct 2006
    Posts
    731
    BG Level
    5

    3D Secure online payment system not secure, researchers say

    http://www.pcworld.idg.com.au/article/334105

    A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.
    The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.
    As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.
    That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.
    One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.
    The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.
    3DS also allows people to set their password immediately as they enroll in the system, a process called "activation during shopping" (ADS). The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.
    Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote. 3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.
    Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card. Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.
    Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.
    Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase. Another method is sending a SMS (short message service) verification to a person's mobile phone along with a one-time passcode that can be entered during the e-commerce transaction.
    However, "most banks have chosen to go for passwords than anything better," Murdoch said. "Passwords are really cheap."
    Merchants must pay to implement SecureCode or Verified by Visa, where the systems mentioned above would likely require the banks to spend money, Murdoch said.
    In a statement, Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with on-line transactions.
    "Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the statement said. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."
    MasterCard officials could not be immediately reached for comment.
    Sorry if this is in the wrong section but it seemed more relevant to FFXI than General.

  2. #2
    Fake Numbers
    Join Date
    Jun 2008
    Posts
    76
    BG Level
    2
    FFXI Server
    Ragnarok
    WoW Realm
    Hakkar

    There is something they miss...

    When I read the iframe of VbV there's a distinctive phrase, the very one I've written at the moment of VbV activation.. something like "Hello <myname>, are you gonna re-activate FFXI or doing some other shit? It's me, <myname>.. it's funny how i'm writing something for myself.. "

    Kinda, the more complex phrase you write, and the more distinctively personal, the less scammable it should be.. you just have to pay attention to it. If it is amiss, then you are in a fake iframe, so just don't put your password in it..

  3. #3
    Relic Horn
    Join Date
    Dec 2008
    Posts
    3,313
    BG Level
    7
    FFXI Server
    Quetzalcoatl

    I tried to ask my Bank Customer Support why they don't support Verified by Visa and she had never heard of it, then did a quick google search of it and told me it was a scam...
    I /facepalmed

    I mean.... technically its bullshit, but its not a scam

  4. #4
    Warrior Tank
    Join Date
    Nov 2007
    Posts
    607
    BG Level
    5
    WoW Realm
    Burning Blade

    since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.
    This is a really good point.. Never thought of that before.
    Someone should make a firefox plugin which displays the URL of an iframe. Would be easy enough to do because its in the HTML anyway. After a quick bit of googling I was unable to find such a plugin.

Similar Threads

  1. Squareenix is wrong in using 3D secure
    By Burnsy in forum FFXI: Everything
    Replies: 27
    Last Post: 2009-08-31, 21:04
  2. Security tokens not working?
    By Dymlos in forum FFXI: Everything
    Replies: 4
    Last Post: 2009-05-20, 14:08
  3. Security Token Issue - Not 56k Friendly
    By Feolthanos in forum FFXI: Everything
    Replies: 32
    Last Post: 2009-04-18, 14:25
  4. Square Enix Security Token Fair or Not
    By dejet in forum FFXI: Everything
    Replies: 3
    Last Post: 2009-03-31, 12:49