

Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication - evdawg
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

======
dangrossman
So very true. 3DS is technologically horrible. In exchange for protection from
certain types of chargebacks, a merchant is expected to iframe a 1995-looking
webpage from Visa or MasterCard asking the cardholder to create or enter a
password. It's abrupt and unexpected, does not fit into the checkout process
of any website, and because it's framed the customer has no idea what site
they're really giving their password to. All this adds up to lowering
conversion rates and undermining all the anti-phishing efforts the banks
undertake by telling you to never give out a banking password without checking
the address bar.

The paper recalls a perfect example from one of its authors -- the official
3DS page is served by securesuite.co.uk for some UK banks, so he calls his
bank and they tell him it's a phishing scam. Yet merchants are expected to do
this, lest their chargeback rate climb too high and the account be terminated.

I've only encountered 3DS in the wild once, and only after registering a card
for it in the process of testing my own implementation. It only took two days
of running VBV and MSc on one of my websites to see that it would be
completely economically infeasible -- doesn't matter if I'm protected from
chargebacks if it means half my customers abandon checkout out of fear and
confusion.

I've had a real hard time handling card-not-present fraud on my websites. I
sell packaged self-service advertising services on one site, and it's highly
targeted by the do-no-goods that want to use it to push traffic to affiliate
sites and phishing scams. They use stolen credit cards to buy the advertising
hoping to funnel good money, or more stolen cards, from the traffic back to
their accounts. I still have one merchant account in limbo (bank holding 6
months worth of payments) from spending two years working on fraud detection
methods to battle this. I only got chargebacks below 1% through geolocation,
country blocklists, proxy detection, my own and 3rd party blacklists, minfraud
risk scoring, in-house risk scoring and pattern matching against past fraud,
and phone verification of all high risk orders.
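The layered screening the commenter describes (geolocation, country blocklists, proxy detection, blacklists, a third-party risk score, in-house pattern matching against past fraud, and phone verification of high-risk orders), as an added example that is not code from the post or the paper; the weights, thresholds, list contents and sample orders are constructed assumptions, and `minfraud_score` stands in for whatever scale the external provider returns.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-ins for maintained lists (not real data).
BLOCKED_COUNTRIES = {"XX"}                     # hypothetical country code
BAD_EMAIL_DOMAINS = {"bad.example"}            # in-house blacklist
PAST_FRAUD_PATTERNS = {("ad_package", 500.0)}  # (product, amount) seen in chargebacks

@dataclass
class Order:
    ip_country: str        # geolocation of the client IP
    bin_country: str       # issuing country from the card BIN
    billing_country: str
    is_proxy: bool         # proxy/VPN detection result
    email_domain: str
    minfraud_score: float  # external risk score, assumed 0..100 scale
    product: str
    amount: float

def risk_score(o: Order) -> tuple[int, list[str]]:
    """Combine the signals into one score; higher is riskier. Weights are constructed."""
    checks = [
        (o.billing_country in BLOCKED_COUNTRIES, 100, "billing country on blocklist"),
        (o.is_proxy, 40, "proxy/VPN detected"),
        (o.ip_country != o.bin_country, 30, "IP country differs from card country"),
        (o.billing_country != o.bin_country, 20, "billing country differs from card country"),
        (o.email_domain in BAD_EMAIL_DOMAINS, 50, "email domain blacklisted"),
        ((o.product, o.amount) in PAST_FRAUD_PATTERNS, 30, "matches past fraud pattern"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    score += int(o.minfraud_score / 2)  # fold in the third-party score at half weight
    return score, reasons

def decide(o: Order) -> str:
    """Route the order: accept, send to phone verification, or reject outright."""
    score, _ = risk_score(o)
    if score >= 100:
        return "reject"
    if score >= 40:
        return "phone_verify"  # the manual step the post reserves for high-risk orders
    return "accept"

if __name__ == "__main__":
    o = Order("US", "GB", "GB", True, "mail.example", 30.0, "ad_package", 50.0)
    print(decide(o), risk_score(o))
```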

------
forkqueue
If you want to accept Maestro payments you _have_ to implement 3DS or face a
£25000 fine - at least in the UK.

