
Online Credit Card Transaction Security

I’ve written many times in the past about personal security when online, and I’ve assumed all along that banks are operating in your best interest. Now, from left field, comes a recent study from the Computer Laboratory at the University of Cambridge (UK) that is highly critical of recent online security developments in the banking industry. At the heart of the matter is something called “3-D Secure” or “3DS”. You may see the brand names “Verified by Visa” or “MasterCard SecureCode” being used to refer to the 3DS technology.

The 3DS technology was developed for the purpose of minimizing online fraudulent credit card transactions. As such, much of its implementation consists of a new set of agreements that allows merchants to take on less liability for fraudulent transactions. (Good for merchant.) However, it also allows banks to pass more of the liability for fraudulent transactions on to the customer. (Good for bank. Bad for customer.)

In its implementation, a customer who attempts to purchase merchandise online would, after clicking on the “Pay” button in the merchant’s site, be presented with a pop-up screen that is controlled by the credit card issuer (bank). At that point, the customer would be asked to authorize the transaction by entering a secret password that he/she shares only with the bank, not the merchant. If the password is correct, the customer is redirected back to the merchant website, and, on the back-end, the bank sends a special message to the merchant that says, “This customer is authorized for the transaction.”
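A simplified model of the flow just described, added here as an example and not code from the post or from any real 3DS implementation: the issuer alone holds the customer's password, and the merchant acts only on an issuer result whose integrity it can check. The shared HMAC key, the message format and the card numbers are constructed for this demo; real 3DS establishes trust between the parties differently.

```python
import hmac
import hashlib
import secrets

# Constructed key shared by issuer and merchant for this demo only; real 3DS
# establishes trust differently (an assumption of this example, not the post's).
SHARED_KEY = b"demo-issuer-merchant-key"

class Issuer:
    """The bank: the only party that ever sees the customer's 3DS password."""

    def __init__(self):
        self._passwords = {}  # card number -> password (clear text, demo only)

    def enroll(self, card, password):
        self._passwords[card] = password

    def authenticate(self, card, password, txn_id, amount):
        """The pop-up step: check the password, return an integrity-tagged result."""
        stored = self._passwords.get(card, "")
        ok = hmac.compare_digest(stored.encode(), password.encode())
        msg = f"{txn_id}|{card[-4:]}|{amount}|{'Y' if ok else 'N'}".encode()
        tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
        return {"msg": msg, "tag": tag}

class Merchant:
    """Never receives the password; only the issuer's tagged result."""

    def start_checkout(self):
        return secrets.token_hex(8)  # transaction id the issuer will echo back

    def verify_result(self, result, txn_id, card, amount):
        expected = hmac.new(SHARED_KEY, result["msg"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, result["tag"]):
            return False  # altered on the way back, or not from the issuer at all
        fields = result["msg"].decode().split("|")
        return fields == [txn_id, card[-4:], str(amount), "Y"]

def run_purchase(issuer, merchant, card, amount, typed_password, tamper=False):
    """Full flow: merchant txn id -> issuer pop-up -> tagged result -> merchant.
    With tamper=True a declined 'N' is edited to 'Y' on the browser hop back to
    the merchant; the tag check must reject it rather than trust the redirect."""
    txn_id = merchant.start_checkout()
    result = issuer.authenticate(card, typed_password, txn_id, amount)
    if tamper:
        result["msg"] = result["msg"].replace(b"|N", b"|Y")
    return merchant.verify_result(result, txn_id, card, amount)
```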
On the surface, the 3DS algorithm looks a bit more secure, as the bank authorizes the customer directly, thus hiding the customer’s sensitive credentials from the merchant. The theory is that if the merchant never has access to the customer’s sensitive credentials, then any cyber thief that breaks into the merchant company cannot acquire customer credit card numbers. But there are a few problems with this scenario:
  1. Many online customers have disabled pop-ups, thus blocking the authentication process.
  2. Even if pop-ups are allowed, most customers would become suspicious when, in the middle of a financial transaction, a pop-up comes from God-knows-where and asks for sensitive information.
  3. The pop-ups do not identify where they’re from or even whether a secure protocol (like HTTPS) is being used to protect the information.
  4. If the customer has not transacted using 3DS before, the initial pop-up asks him/her to quickly sign up for 3DS. The customer may feel pressured into signing up for fear that the transaction will be rejected.
  5. If the customer is already signed up for 3DS but has forgotten his password, the bank will help him recover it. To do this, a simple question may be asked, such as his birth date, social security number, etc. The specifics of password recovery are up to the individual bank, so this process is not subject to a high degree of security. This makes it quite easy for a cyber thief to pretend he is a legitimate customer who lost his password and is thus allowed to complete a fraudulent transaction by only knowing a birth date.
  6. When signing up for 3DS, the customer is not likely to read the fine print, which will include verbiage to the effect that he/she has accepted liability for further fraudulent transactions on that account. In effect, the customer unknowingly takes the risk associated with a bank-chosen security policy, even though he has no control over the security policy itself.
I’ve included a copy of two pop-up 3DS screens below. Can you tell the difference between the one that is legitimate and the one that's been altered by a cyber thief? (Hint: Look for grammatical or spelling errors!)
[Image: 3DS pop-up form 1]
[Image: 3DS pop-up form 2]

If you see the 3DS pop-up on your screen, be aware that you’re taking a risk by interacting with it. Cyber thieves have already created fake pop-ups, so the one you see on your screen may or may not be from the bank. And even if it is from the bank, you will take on additional liability for agreeing to use it.

My advice is to refuse to deal with a merchant that forces you to use the 3DS policy. This is unfortunate for the merchant, as many of them are strong-armed into agreeing to the 3DS policy before card issuers like Visa or MasterCard will deal with them. Nevertheless, refusing to agree to this new policy will put back-pressure on the card issuers and hopefully force them to come up with a different approach. Also, check to see whether your bank has already implemented 3DS on your credit card. If it’s there, call them and have it removed. I’m not saying that the 3DS policy doesn’t have any merit whatsoever, but in practice, any additional security it provides is offset by the liability that you are forced to take on. To add more kerosene to the fire, many security experts dispute the claim that 3DS is, in fact, secure, because it’s an easy target for cyber thieves.

Best,

Dan
