Oh the horror! You are so right!!

Thank you a million times for summing up so succinctly the glaring issues in this system. I actually had to go into my bank with ID to ask to be removed from this ridiculous scheme, it’s just another vector for attack.

Totally agree. I’ve noticed that some sites _do_ wrap 3D Secure in an iframe, many of them saying ‘this additional step is provided by your bank’ or words to that effect.

For a long time I tried to get away without adding this layer of security to my details; I would click the tiny ‘Cancel’ link that was available at one time. Unfortunately I don’t think that’s the case any more so have had to succumb to it.

Totally true – and the daft thing is that 3D secure does little to actually make things more secure; if a bad person has managed to get someone’s card details, the chances are that the only personal information needed to reset their password is their date of birth or mother’s maiden name – can probably get one of those by looking them up on Facebook!

Another side to Verified by Visa specifically, is that Visa state (in writing) that applying the Verified by Visa checks for online purchases is *entirely optional*, and is decided by the issuing bank. It is possible with some banks to formally opt-out of the Verified by Visa on a per-card basis, however this information is not disseminated to payment providers.

Which leaves some people (such as myself) formally opted-out of the Verified by Visa program with both my issuing bank *and* with Visa itself (which means there is nothing to check, even if I go through the process of registering for Verified by Visa), yet I am unable to complete transactions as merchants claim that using Verified by Visa is required of them by Visa.

So we have Visa saying “Verified by Visa” is optional, we have merchants saying Visa requires the use of “Verified by Visa”, and we have issuing banks who know vaguely what Verified by Visa is, but don’t require it and don’t actually provide any “Verified by Visa” checks when a purchase is made online.

The more I look into Verified by Visa and how it actually works, the less sense it makes. As someone who also runs an eCommerce site, I know that requiring the use of “Verified by Visa” for an online purchase is entirely optional in the payment process – and I don’t require it for online transactions.

It appears that Verified by Visa is actually something of a smokescreen, allowing Visa and issuing banks to abrogate some responsibility for fraudulent transaction liability, rather than actually making the process more secure for consumers.

“Firstly, the URL, well that’s an easy one, embed the page within an iframe. It does of course mean one can’t check the security certificate but hey, who ever does this?”

Sorry, but if you do that, then the whole exercise is moot. If the user has no way of verifying the authenticity of the page asking for his password, then this is wide open to phishing. This also renders the one useful, understandable security advise (“don’t enter anything on a page that you have been redirected to”) ineffective. If you go down that road, you might as well just not do the whole security theater.

A much wiser design would be a form where you can submit a purchase request, then log into your bank account and have an inbox with purchase requests. Approve the merchant’s one, and you’re good. Secure and very straight forward for the user.

This is a great rundown of the problems, and a mighty fine solution. I have long known about the problems of these systems, and have actually taken to learning the process for changing the password each and everytime I come across Verified by Visa. I never remember the password, so I literally make a new one each time I come across the awful screen. It makes the steps so much longer and the user experience is appauling.

@Dave E Thanks for the kind words.

@Tom R I think if it were an option most users would opt out.

@Dave S So in pressing ‘Cancel’ you bypass 3D secure? Wow, never wold have guessed that’s what ‘Cancel’ would do. I assumed ‘Cancel’ meant cancel the transaction. That’s really bad.

@Kyle I agree – all 3D secure does is push the burden of online security on the user who is often not equipped to deal with it.

@Anon I totally agree, the system is in a real mess and Visa need to address it. It’s not helping anybody – Visa included. People want to buy things, and both Merchants and Visa want them to buy things – why make it difficult?

@Martin I totally agree. That’s how it should be implemented.

@Kevin You are not alone. I would love to see the stats on password resets.

Look I hate verified by Visa and Mastercard SecureCode as much as you do, but all the reasons you talk about are mainly style and presentation. It doesn’t break a product, but rather the product could be much better. A broken product would imply it doesn’t do what it was intend to do, that is offer secure transaction for web merchants.

The best way to fix it is to nuke it from orbit. It’s the only way to be sure.

All good insights Joe, and very positive recommendations.

You suggest that no-body checks the security certificate though. I’m not completely with you there. Unfortunately Verified by Visa DO agree with you that the cert is not important.
As I wrote some time ago (http://saulcozens.co.uk/2008/11/22/verified-by-visa-supporting-phishing-attacks/) they don’t think it is worth adding the ownership information to the cert so that the organisation name is clearly visible in the location bar.

There are mechanisms to help people tell genuine sites from scams, why are Visa (and others) teaching them to ignore them. *sigh*

Nice analysis – you might be interested in the similar work on this by Ross Anderson and Steven Murdoch at Cambridge University earlier this year; see http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/ for details.

I agree with the problems you’ve listed but think you’re missing a critical one. One that’s pointed out by Martin Probst in your comments, and documented in the past by myself, and by Ben Laurie on our respective blogs.

Large numbers of current implementations embed the verification UI using an iframe. Internet users don’t generally have a way of telling which content is in an iframe and which isn’t, let alone whether that iframe originates from a reputable source. Even with a verifiable URL the source of a page is easy to overlook, which is why modern browsers try to detect phishing sites automatically, and companies like Verisign can market extended verification products for a huge premium.

What verification methods like this are doing is training the (already security-poor) users of the internet to provide their personal security data to anyone who shows them a Visa logo. This is precisely the opposite thing to be doing if your motivation is increasing security.

If however your motivation is merely to improve your margins, then an effective way to do that is to provide a cheap “authentication” mechanism and use that to justify moving liability for subsequent fraud onto your customers.

If the public are trained to be security-illiterate we will never reduce fraud, only change who pays for it.

@user Yes you are right if the purpose of the system is to offer secure payments for web merchants, However what I am saying is that there are a significant number of users who can’t use the system effectively blocking sales. See here for an example: http://www.northsouthmedia.co.uk/blog/3d-secure-might-bust-your-conversions/

@Bill dramatic but sums up feeling about it

@Saul I agree. It should be important to people but the page serving the request should be covered by the merchant’s certificate not sadly Securesuite.net Great article!

Even a secure bank with a secure certificate can cause issues. See this list of bank domains that look like spoofs:
http://www.planetbods.org/blog/2009/02/05/bankurls

@Joe

There’s a couple of slight error between your wire frames – the first states that the price includes “free” postage and packing whilst the second adds up to the correct amount of £123.13 but shows that postage and packing was actually 2.95. In addition to this, your verified by visa insert shows a purchase of £236.22.

I realize they’re just hypothetical wire frames, but the truth is in the details ;)

Cheers,

Ben

P.S. Forgot to mention that I agree with everything you wrote.

Joe,

You suggest that the merchant’s cert should cover the transaction rather than the bank’s (obfuscated one). I agree to a point that the merchants brand is probably more trusted than the bank’s (at least by the customer) most of the time. But we often buy from merchants we don’t know and I am constantly concerned of where my card details go after the transaction is complete.

Richard Marr is correct, the bank are trying to move the risk to the user without giving them any choice about who they trust. If we want to live the (pipe)dream then the transaction (and any other transaction requiring personal information) should be brokered by a personal data locker provider that the user has selected and trusts. This federated approach to personal data transfer is the one that authentication mechanisms like OpenID use to allow websites to check you are who you say you are without ever having to see your password.

Great post Joe & I totally agree. As both a developer and an end-user I absolutely despise vBv and the other one. It’s a painful step that interferes with my purchase and serves only one meaningful goal; to make me responsible for any potential misuse of my money.

I’d like to mention that the fact that because the pop-up authentication windows depend on JavaScript events, such as a form redirection once the purchase button has been hit also causes problems for the end-user and violates the concept of progressive enhancement / graceful degradation. A wary end-user with a plugin like NoScript enabled, or a corporate user that does not have permission to run javascript will find they can’t get through the form; it’s either bypassed altogether or the action fails. What’s more, it’s often difficult to whitelist the domain – as you’ve pointed out, they’re uncommon and pretty hard to identify. There is no recourse for users without javascript which to me means it is fundamentally flawed.

As for the passwords, you are absolutely right – for most users pulling out the 3rd, 5th and 8th character of your password is a painful process of counting out the letters on their fingers and then trying to match those to the password request. Personally I think a move towards visual passwords; a swype-style gesture would be much more effective and memorable. Perhaps one day when tech is sufficiently advanced, we can go back to using our signatures to sign on for things…

Saying they are broken implies they ever worked in the first place.

I don’t have a VISA, so I can’t speak about Verified, but Secure Code is a farce. As mentioned, the criteria for the passwords are so complex that my normally highly secure passwords don’t work with it, so I have to come up with something entirely different. I then promptly forget it. However, that’s not a problem because I can reset it with information that is far too easily accessible any time I need to. Makes me think I could do that with anyone’s card, or anyone could do it with mine.

I’ve always had my doubts about the real efficacy of 3D Secure for the single reason that the barrier to commit fraud is not significantly raised: let’s say you’ve managed to get somebody’s credit card details and you’re ordering a fresh load of plasma screens or whatever. When presented with the ‘Verified by Visa’ dialog the only extra piece of personal info you need to reset the password (which even the victim has probably forgotten for the nth time) is a DOB. DOBs are typically a hell of a lot easier for an identity thief to recover than CC details.

In addition, I assume the passwords are stored in plain text or hashed but unsalted if the system can tell you if you’ve used a particular one in the past. Was the whole thing architected by a 3 year old?

I hateed it so much I avoided shops that required it !

Fortunately, in the UK at least, you can get a free credit card online from Cahoot, that doesn’t appear to be enrolled in the scheme at all, and just skips past to the end.

Win.

You have missed the most important issue – Verified by visa is insecure!

It could easily be a man-in-the-middle attack, and you would never know!

Most implementations I have seen are actually iFrames (and this is “recommended” in the official Visa docs for setting up verified by visa). The problem with this is that because it is in an iFrame it is difficult to verify the certificate – and if it isn’t obvious, then you won’t do it.
This is very bad, as it makes the system insecure and therefore worse than having no system at all.

Ideally you should be redirected to your bank’s website, or visa.com. That should process the verified by visa part, and then you should be redirected back to your merchant (exactly how paypal does it, and has done for years!)

Joe – great post and nicely summed up. I’m going to come from a marketing angle here, and agree that the banks and to some extent companies signing up for this secure process would do to ease peoples expectations and frustrations by providing some form of awareness. That together with, as you rightly suggested, copy at each stage of the process would go some way to rectifying the problem.

The password issue is another interesting point. It took several calls to Visa and to my bank before realising that I could alter this on my internet banking site. Again no awareness or communication.

All too often the financial sector designs sites and processes based on their own internal systems rather than how their customers would use it. This one is particularly bad. I hope it gets you noticed.

The purpose of 3D Secure is not to protect the customer; it’s to protect the bank. If a fraudulent transaction goes through, the bank can claim you did it as no-one else could possibly have broken through this infallible security.

@Richard M Great points. I’m coming at this from the user’s point of view. Any initiative that needs user education is flawed. That’s both in the implementation of SSL and third party certificate holders (a crazy situation). Users want to see a padlock and don’t and shouldn’t care who takes care of their security. That’s the job of the merchant and Visa.

@Ben it’s a wireframe.

@Saul I agree. The current model is broken. SSL only offers the trust of encrypted card details. Nothing about the reliability of the merchant. Trust is more than SSL. If I go into a shop on the high street I don’t care if they encrypt my card details. The trust comes from the fact that they are a shop on the high street. Merchants online need to appeal to that. What Verified by Visa does is get in the way of that trust

@Rob L Great advice on JavaScript implementations. Passwords as a concept are flawed. Again we should learn from the real world. 4 digit PINs work a treat.

@Jon
@Chris M
I agree. It makes a farce of secruity.

@Tom good advice

@Anton See my comments on verification of SSL certificates. See @Jared’s comment further down.

An excellent post, and some good ideas, however I’m afraid Visa won’t be getting in touch to “fix this for everybody”. 3D secure isn’t broken from Visa and Mastercard’s points of view. In fact it’s working exactly as they intended.

Anonymous and Will Holley above nail the real incentives that have brought this system about. Rather than being designed to reduce fraud 3D secure is actually a way for banks and merchants to shift *liability* for fraud away from themselves and onto card-holders.

The security problems you’ve documented (asking for personal info, ridiculous password requirements) are a side-product of this shift: 3D secure reduces the incentives for card companies and merchants to protect their consumers against fraud and phishing. In other words they care less about the total amount of card fraud than they do about their exposure to it. It doesn’t matter to them if customer security is reduced because any fraud that occurs is suddenly the customer’s problem.

Good web-design practices won’t be sufficient to fix 3D secure. This is a consumer-rights issue and, as Anderson and Murdoch argue (see Will Holley’s link), it will require legislation to fix.

I’ve written more about 3D secure here: http://www.richardskingdom.net/tag/visa

For the bigger part of what you state here, you are absolutely right. Your example of what could be is also really nice.

Except, what I can’t fully agree with is the following:

“Firstly, the URL, well that’s an easy one, embed the page within an iframe. It does of course mean one can’t check the security certificate but hey, who ever does this?”

Many people do pay attention to the security certificate. These people will leave the page as soon as they don’t see the symbol for an https secured environment. This I know as I work for a company where I get in touch with a lot of people working with e-Commerce.

Anyway, I hope something will change eventually, because it’s a necessity.

Good luck!

@Richard I understand the business motives I just wish they had designed it better to reduce the risk to the consumer. They could have achieved their goals and kept the customer happy.

@G Vermeulen The page should be secure, the issue comes as to who the issuer is. If it’s securesuite even though there is a certificate doesn’t mean I trust the company. All an SSL cert shows is encryption.

We had NatWest Visa credit cards with the usual Secure Code protection until NatWest renewed them 5 months early, during October, with Mastercard in place of Visa. We found this week the hard way that there’s a problem with the Secure Code rigmarole when the cards are used online – they don’t work. When we rang them, NatWest said they knew all about the problem, were working on it, but didn’t know when it would be fixed; and until they fix it, the cards can’t be used online (but work in shops). They said they had known about the problem for 5-7 days but couldn’t explain why customers hadn’t been notified about the problem or whether there was any plan to tell them. Unbelievable! Has anyone else come across this?

i too have been bullied into signing up for this scheme & despite contacting my bank to say I wish to be removed from it, they tell me this is not an option!
If I open another account at my bank & ask for another debit card for it will that card be free from the VbV?
Like most people posting my main concern is security because of the amateurish pop up that appears! ( with NO warning!)Im certain any decent hacker could make one of those for phishing purposes in a matter of minutes!

@John the system is in a real mess

@Simon it would be easy to scam. The fact that the iframe has to be used means a scammer can insert their code in and the user would have no idea.

…looks like I’m late to the party.

A great write-up. The company I work for binned it as an addition to our already bloated (my opinion) booking / payment journey. Just having an additional step and another form was viewed as a sufficient obstacle for customers.

A personally hate the format. Especially when I’m asked to input character X, Y and Z of my password. A task that I’ve been unable to do first time on about a dozen occasions!

I can only concur with all the above sentiments.
I’ve had varied replies when contacting card issuers asking to be removed from the service (having had to opt-in to complete a purchase).
Usually they’ll say I can’t opt-out.
I then tell them I will wilfully violate their T&C’s (by telling the person on the phone that I will disclose my password) and thus by their own T&C’s they must discontinue my use of the ‘service’. It’s amazing how I can suddenly get opted-out at that point.

There are wider issues too. VbV and MSSC allow you to add cards to your existing account, so if you have 2 or more cards covered under the scheme then you can use one account.

EXCEPT the only way to actually take advantage of this is to be a good little consumer and go to your banks version of the VdV/MSSC website as soon as your new card arrives and add the card.

If, like me and everybody else in the world, you don’t bother signing up until forced to for each new card (I’ve found you can usually only opt out 3-5 times before there’s no way of completing a transaction without doing so), then it helpfully creates a new account (with a guessable username) on your behalf. After that a) you can’t add the card to your existing account, because it already belongs to another account, b) you can’t delete the card from the new “dummy” account, and c) you can’t easily delete the “dummy” account even if you ring customer services – they tell you the only way is to close your card account.

Now it could be argued, of course, that having separate accounts with the potential for different passwords on each is actually a more secure option, but that does lead to one wondering – why have the option to add cards in the first place?

“why have the option to add cards in the first place?”
Because the aim of the scheme is not to make it easier or more secure for us to shop. It’s to shift blame and risk away from the bank.

I have also been pushed into makeing a securecode for my mastercard for a “more secure way of eshoping”. Only to find out that when I use my code the company wont finalize my order because it says that my info is incorrect. I call the mastercard securecode number from there website to get help, they cant help me because they say that my card is not supported by thier company and tell me to call my bank. Hmmmm funny thing is just 2 days ago I log into there website and change my code. And now all of a sudden they dont support my card? So now I call my bank, the person at the bank now tells me they have never heard of securecode for mastercard, and they cant help me. Now I call mastercard directly and ask them what to do to get the securecode off of my card because it has caused nothing but problems for me. Now the person I talk to at mastercard says that the only person that can change my information is me or the bank. Well now I cant do anything because if I try to log into securecode it wont let me, the bank has no record of it because they dont support it, the securecode people cant help me because they say they dont support my card from that bank, I cant purchase what I want fromt the Internet because it says my info is incorrect. And so I have now had my bank issue me a new card because every option I have tried to rectify this situation has failed. The entire system of 3D security is a failure and I do think that it hurts e-commerce because of this. I truly will avoid buying from a site that makes you use 3D. It truly is broken and unuable.

@Ted it is a real mess. Visa / MasterCar, please get in touch and let’s fix it.

I have come across this problem same as Ted above and been unable to purchase my selected product several times eventually using my Paypal account instead. The system sucks, the banks don’t care and deny responsibility, totally unworkable.

The BIGGEST farce of all is that if I forget my password, I can just re-enter a new one at any time.

I have seen this on so many occasions – effectively this makes the use of the password completely redundant, as if I forget it I just set a new one and carry on.

Utterley the biggest scam and waste of time to plague ecommerce that I know of.

HATE HATE HATE VERIFIED BY VISA.

Verified by Visa isn’t working in my experience with Firefox 4 or 5.Gets to the “submit” stage then tells you that the site has timed out!!Yet when I check with my Bank secure code site the purchase has been authorised!! Have to use IE8 for online purchases!

WFM, but if it’s working but pretending to break for you, just carry on with it and keep IE8 uninstalled :-)

@Dave @Tom – The current version of Firefox (correctly) spots Verified by Visa when embedded in an iFrame as a security risk and blocks parts of it (UK only).

More details here:
https://bugzilla.mozilla.org/show_bug.cgi?id=672469

@Tom Chiverton- sorry, comment was obviously misleading -the money transaction between Bank and merchant doesn’t take place but the receipt for the Verified by Visa transaction appears as if it has!!
I’m now being told that I have to allow 3rd party cookies for V by V to work in Firefox.Think I’ll stick with IE or Chrome for online purchases that need V by V!

Or get a card, like Cahoot, that doesn’t have VbV :-)

Great post. I’ve begged Chase to turn VbV off. Begged them!! The ironic part is I now use PayPal to checkout and pay with my Visa card just to avoid VbV.

ive recently found Im no longer being asked for this by LLyods TSB. Im wondering if its because I purposely clicked “forgot password” each & EVERY time it popped up & I always used an obscenity as the new p/w?! Maybe they got fed up? I thought up some really vile stuff too! LOL!

Try it everyone!

I’ve just received an email from Natwest confirming that they are now dropping support for “3D secure” – don’t hold your breath but I think they’re starting to listen to us…

Robin

@simon

[background: my job involves implementing/maintaining 3DS-capable merchant websites]

From where I’m sat, it appears that many/most UK banks have given up on 3DS. Even if the card is flagged as 3DS-enabled, and payment processors flag a transaction as “use 3DS, please” the issuers’ websites are just returning every transaction as “authorised”. You probably ARE rattling around the 3DS system, but all the security barriers have been (deliberately) left open.

My hope is that the banks have finally cottoned on to what a pile of crud it all is, and given up, but I’m not aware of any official communication on the subject.

@Blufive

Thank you for the comment. Really interesting to hear that it’s not being enforced. You’re right, for my most recent transactions I haven’t been asked.

Hallelujah!