
Verified by Visa and Mastercard SecureCode are broken and need to be fixed  - danw
http://www.cxpartners.co.uk/cxinsights/verified_by_visa_and_mastercard_securecode_are_broken_and_need_to_be_fixed.htm
======
Nitramp
He's only complaining about UX, but the bigger problem is that this doesn't
actually make things much more secure.

It is already really hard to teach casual computer users about security
online. The one thing that used to work so far was "never enter your password
on a website you've been redirected to" and "always check the site's identity
in the address bar". Verified by Visa redirects you to some website on some
random server and asks you to enter your password. There is no way for the
user to check its authenticity.

A much more reasonable design would be to control all sales via your bank's
website, i.e. having an inbox with "purchase requests" and approving them
through your bank's interface. That would be both secure and very transparent
to the user, and the bank could easily control the level of security required
(passwords, TANs, ...).

~~~
limmeau
There's eFaktura in Norway[1]. Merchants send their bills to you
electronically, and you pay them through your homebanking interface. As I
never used it when I lived there, I don't know if the mechanism is fast enough
for immediate purchases.

1. <http://en.wikipedia.org/wiki/EFaktura>

~~~
m_eiman
It's not fast enough. Money arrives next day, at best.

------
CaptainZapp
Even though there's no choice (here at least, when you want to use your Visa
over the internet) I _HATE, HATE, HATE_ the concept and here's why:

For starters I thought it's a phishing attack, when the frame popped up for
the first time.

But the worst is that I don't feel it protects me, despite the marketing crap
dished out by CC companies. The only reason is to protect Visa.

What happens if I book a flight at a badly infected internet cafe computer in
Chiang Mai and a key logger reads my password?

"No, Mr. Zapp, our logs show irrefutable proof that your password was typed
with such-and-such transaction. Sorry, you're liable, you obviously didn't
protect the password."

Scary stuff.

~~~
patio11
That is, in fact, the exact opposite of how the banks operate. You are limited
to $50 in liability for any fraudulent transaction in your account that you
report in a timely fashion, guaranteed by law (in the US at least), and
_every_ bank I am aware of waives the $50 for marketing purposes.

Essentially all financial risk for credit card transactions is borne by the
merchants. (Which is one reason why the banks don't seem to do much about
fraud -- why should they inconvenience their customers to protect someone off
of the balance sheet who doesn't get a choice to not use their bank?)

~~~
mechanical_fish
While we are in public-service-announcement mode: I believe that the above
protections are still a lot smaller for debit cards than credit cards. You
still have $50 limit on liability with debit cards, but you must report the
theft very quickly indeed _and_ the thief is emptying your personal account in
the meantime:

<http://banking.about.com/od/checkingaccounts/a/stolendebitcard.htm>

This is why I never use a debit card for anything.

We now return you to your regular HN programming.

~~~
Vivtek
In defense of debit cards, in the event you do lose it and someone's emptying
your account, your bank should still restore your funds after the theft. I say
this because it happened to my wife; Chase's fraud prevention kicked in after
about $300, all of which was refunded as soon as she figured out what had
happened.

~~~
mechanical_fish
Thanks, good to know. I've been waiting for these policies to kick in as debit
cards become more popular.

~~~
camiller
It has actually been that way for a while. Back about 9-10 years ago someone
used my wife's debit card number and after reporting it the bank restored the
funds.

------
lemming
An additional problem with the implementation is that it requires javascript.
I was working on a project for a UK bank - their security guidelines required
securecode, but their accessibility guidelines required that the site work
without JS. Sadly achieving the two is impossible.

I agree this is an awful user experience, at a time where the trend in
payments is to make the user's experience better this is a huge step back.

~~~
kenver
I did an implementation myself a month or two ago and noticed the same thing.
The contradiction is hard to miss.

------
jessriedel
Could someone tell me why this idea wouldn't work?:

Your credit card comes with a simple communication port (usb, bluetooth,
whatever) and a two line B&W text LCD display (like on cryptocards or cheap
electronic watches). Every time you want to buy something, you connect the
card with the merchant. (This works in person and over the internet.) The
merchant sends the card an official merchant name ("Delta Airlines"), which
is registered with the credit card company, and a price ("$234"). These appear
on the first and second lines of the card readout. If you approve the charge,
you hit a single button on your credit card. Your credit card then sends an
authorization code to the merchant which is good only _one_ time, on _that_
date, for _that_ price, and with _that_ merchant (using some sort of RSA
hash).

If a wireless connection is used, there is little risk of criminals trying to
secretly communicate with your card sitting in your wallet; you simply won't
approve the transaction (unless they have physical control of your card, at
which point you're no more vulnerable than you are now).

Further, you'd know exactly how the name of the merchant would appear on your
bank statement.

The only downside I can think of is that the card would be slightly thicker
(like a crypto card), slightly less durable, and need a battery (which would
last for the life of the card). But we already replace the physical card every
few years, so is this a problem? Is the technology particularly expensive?

~~~
Tibbes
A very similar system is already in use in the UK and other parts of Europe.
It's called "chip & pin". You plug your card in to a card reader and check the
LCD display and type in your PIN to authorise a transaction.

In a shop, the card reader is owned by the shop and is similar to point-of-sale
card readers used in the USA. However, most banks now provide customers
with a small reader (that looks like a calculator) for logging on to online
banking, or authorising payments made via internet banking.

For example, to authorise a payment you: put your card into the reader, type
in the account number you want to pay, type in the amount, and type in your
pin. You then get a cryptographic authorisation code to type into online
banking.

Crucially, the scheme works using cryptography, and the cryptography is
performed within the chip on the bank card - it is not possible to read the
PIN off the card.

(edit: and, in contrast to the scheme described in the parent post, stealing a
card doesn't help much if you don't know the PIN, and the card will disable
itself if the wrong PIN is used too many times)
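
As an added illustration (not code from either commenter or from any card scheme), here is the card-approval flow jessriedel proposes above, with the code shortened to 8 digits like the reader codes Tibbes describes; the HMAC construction, the counter-based replay check and the sample merchant, amount and secret are all my own assumptions:

```python
import hmac
import hashlib

# Constructed sample secret: in the proposal it would live only in the card's chip
# and at the issuer, never on the merchant's or the user's computer.
CARD_SECRET = b"constructed-demo-card-secret"
CODE_DIGITS = 8  # same length as the bank-reader codes mentioned in the reply


def auth_code(secret, merchant, amount_cents, date, counter):
    """Card side: one-time code bound to merchant, amount, date and a counter.

    The card only computes this after the holder has read the merchant name and
    price on the display and pressed the approve button.
    """
    msg = f"{merchant}|{amount_cents}|{date}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226) to get a short decimal code.
    offset = mac[-1] & 0x0F
    code_int = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code_int % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Issuer:
    """Issuer side: knows the card secret and the last counter it accepted."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = 0

    def verify(self, merchant, amount_cents, date, counter, code):
        # A counter that does not advance means a replayed code: reject.
        if counter <= self.last_counter:
            return False
        expected = auth_code(self.secret, merchant, amount_cents, date, counter)
        # Any change to merchant, amount or date produces a different code.
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter = counter
        return True


def demo():
    """Walk through one approval plus the two misuse cases the proposal rules out."""
    issuer = Issuer(CARD_SECRET)
    merchant, amount, date = "Delta Airlines", 23400, "2010-04-05"  # constructed
    code = auth_code(CARD_SECRET, merchant, amount, date, counter=1)
    first = issuer.verify(merchant, amount, date, 1, code)      # accepted
    replay = issuer.verify(merchant, amount, date, 1, code)     # same code again
    inflated = issuer.verify(merchant, 99900, date, 2, code)    # code reused for another price
    return first, replay, inflated


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The merchant never learns the secret, so a code it captures is useless for any other price, date or merchant, which is the property the post relies on.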

~~~
jessriedel
I see three problems.

> most banks now provide customers with a small reader (that looks like a
> calculator) for logging on to online banking, or authorising payments made
> via internet banking.

This means you can only make online purchases easily and securely at home. If
I want to be able to make purchases at someone else's computer, an insecure
back door must necessarily be left open _even when you're not away_.

> To authorise a payment you: put your card into the reader, type in the
> account number you want to pay, type in the amount, and type in your pin.

This doesn't solve the problem (which people may not care about) that the
merchant could now have your pin.

> You then get a cryptographic authorization code to type into online banking.

This seems like a huge burden. Physically typing in long cryptographic codes?
Do people actually subject themselves to this?

Thanks very much for the perspective.

EDIT: I retract the second criticism for reasons explained below.

~~~
Tibbes
> This means you can only make online purchases easily and securely at home.

Fair point - I had this problem when wanting to use Internet banking at work,
but these pin readers are compact (smaller than an iPhone, marginally thicker)
so I just keep mine in my bag now.

> This doesn't solve the problem (which people may not care about) that the
> merchant could now have your pin.

Only if the reader itself is compromised (very unlikely with the small ones
provided by banks for online banking, and pretty unlikely in a shop too).
However, note that the PIN is useless without the card, because the crypto
chip is on the card, and it can't be cloned by a reader.

> This seems like a huge burden. Physically typing in long cryptographic
> codes?

They are only 8 digits long. And yes, I don't want fraudulent use of my
account so I don't mind.

~~~
jessriedel
> However, note that the PIN is useless without the card, because the crypto
> chip is on the card, and it can't be cloned by a reader.

Ahh. So then the merchant could only really make use of a pin (which it would
have to do by compromising the pin reader--a tall order for small time crooks)
if he _also_ stole your physical credit card. I agree that this isn't much of
a risk, and retract that criticism.

------
iuguy
There's an open secret in the Information Security industry (at least here in
the UK), which is that the Payment Card Industry don't care about your
security. What they care about is shifting as much of the liability onto the
consumer, the merchant, _anyone_ other than themselves as is possible.

We have a system in place here called Chip and Pin
(<http://en.wikipedia.org/wiki/Chip_and_PIN>) which was supposed to protect
people by requiring them to type in a personal PIN code. The only problem was
that there were plenty of ways to commit fraud without knowing the PIN, and
until new regulations came into force the banks would reject claims of
fraudulent transactions and require the victim to prove that such transactions
weren't fraudulent.

If you want to see how bad the card industry and banks can 'do security', just
look here: <http://www.cl.cam.ac.uk/research/security/banking/>

------
omh
VbV is badly broken, but the suggestions here miss one of the most important
points. The use of an iframe means that users can't tell where VbV is coming
from and can't be sure either that it is secured or that it's really coming
from the bank.

This is just begging for copycat phishing and MITM attacks.

~~~
RickHull
Yes, this article is long on alarmism and short on serious critique:

> _The design of the form does not match the design of either the merchant or
> the issuing bank. The design looks ‘cheap’. It doesn’t look trustworthy._

> _No telephone number. When a user sees a telephone number it gives them a
> feeling legitimacy. They may not phone, they just want to see the number
> just in case._

> _The calls to action at the bottom of the page really don’t work. ‘Submit’
> is rather generic and does not give an indication of the next step. ‘Cancel’
> gives no indication what will happen next and really should be removed._

> _There is still very little recognition by users. Visa and Mastercard have
> done a poor job of marketing and raising awareness._

> _The text is American "Expiration date" should be "Expiry date"_

> _Once the customer has overcome all 11 of those issues they can purchase. 11
> issues. 11 serious issues._

Serious issues? Let's tally: cheap design, no phone number, button names, lack
of marketing, bad copy. These are not serious issues that make a technology
"broken" -- at least, not in the sense that, say, MD5 is broken. The points
about the phone number, cheap design, and lack of marketing should not even be
in this list.

And then there is this gem, from the guy who is going to fix our "broken"
security technology:

> _Firstly, the URL, well that’s an easy one, embed the page within an iframe.
> It does of course mean one can’t check the security certificate but hey, who
> ever does this?_

> _About the author: Joe specialises in designing every aspect of the user
> experience from initial research to developing a robust, measurable online
> strategy to producing beautiful, easy to use wireframes and website
> information architectures._

Oh, I see.

~~~
Lewisham
You've taken a very specific definition of "broken", then decided that the
article doesn't meet your definition, so the article is worthless?

If you're losing customers for a bit of security theater, I think "broken" is
a pretty good term from the perspective of the retailer.

------
jasonlotito
3DS being broken was known long before 3DS was finalized. It's not new.
However, it's successful because of the security it brings to merchants.
Merchants implement it because they get covered. It's the perception of
security that works.

Until 3DS implements some out-of-band authentication, you won't have something
secure. Implementing OoB auth isn't difficult, either. The technology has been
around for a LONG time, with proven results.

------
willholley
Very similar to the analysis by Steven Murdoch and Ross Anderson published in
January: see <http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf>

------
mixu
So, how common is the 3D Secure code on websites? I thought it was a
local/European annoyance, since I haven't run into it outside EU webshops?

For instance, I've never had to put in my 3D Secure code on Amazon, BackBlaze,
Syncplicity or ZumoDrive. The problem is that at least here in Finland, the
only company (representing all the local banks) offering credit card
processing practically requires 3D Secure unless you implement everything
yourself (e.g. can't use their CC vault) - and no, unfortunately the US
subscription API services don't work here, unless you somehow manage to get a
merchant account in a UK bank.

------
cowpewter
I've always managed to not enable Verified by Visa on any of my credit cards,
but another huge problem with it is that doing so is nearly impossible. Once
you get redirected to that popup, it's very hard to _not_ signup without
canceling your transaction with the original merchant. Or getting dumped back
to your shopping cart, trying to check out again only to get dumped straight
back into Verified by Visa's signup process.

There doesn't ever seem to be a permanent opt-out, so anytime I want to buy
something from a merchant that uses it, I have to hunt for the magic button to
get around it again.

------
thisisblurry
Every now and then when I purchase something from a Verified by
Visa-"friendly" site (Newegg comes to mind), I often find that I'm able to
complete the purchase without entering my password.

It's disturbing to say the least.

~~~
jasonlotito
3DS doesn't work that way. It's not mandatory. Newegg isn't using it to fight
friendly fraud. They are using it to fight actual fraud. You've done it once,
why should they force it on you again? You are who you say you are, and if
there is a problem with your purchase, they're confident that they can resolve
it without a chargeback.

~~~
thisisblurry
But then why bother using it at all? Do they assume that no one malicious
could ever get into my account (for argument's sake)? If you're going to make
me set a password, make me enter it each time I "use" your service. My gripe
isn't with the vendors per se, but with how Verified by Visa and SecureCode
operate.

I'd much rather type an extra password during the checkout process instead of
being charged $700 for hardware and Windows Vista DVDs (thieves aren't always
the brightest).

~~~
jasonlotito
> But then why bother using it at all? Do they assume that no one malicious
> could ever get into my account (for argument's sake)? ... instead of being
> charged $700 for hardware and Windows Vista DVDs

You're making an awful lot of assumptions you shouldn't be making.

First, 3DS doesn't provide you any more security than you really had before.
It helps the merchant secure their transactions, however. But even if someone
did charge $700 to your card, it's an easy phone call to get it resolved. Not
only this, but I'm sure Newegg would require another check if something was
amiss with the transaction. Any sizable operation will work to make sure that
legit users can make purchases as fast as possible with as little hassle, but
that doesn't mean it's not verifying things in the background.

So why would Newegg use 3DS? Simple. They want to verify that a new account is
who they say they are, and not a stolen card. You're a legit user. You make a
purchase. Next time you come back, you'll probably be making the purchase
using the same billing address and the same shipping address. Even if you
didn't make the order, you'll call up Newegg to complain, and they'll work to
refund the order and resolve the matter as quickly as possible.

But you as a cardholder have always been safe. A simple call to the bank, and
"No, I don't recognize the transaction" and you get your chargeback and you
owe no money. However, with 3DS, you can't just say it wasn't you. If the
merchant doesn't provide the service, then yes, you can still get it. 3DS for
legit users prevents them from committing friendly fraud.

------
andrewl-hn
Strange. I've never seen a VbV open a new frame or pop-up - it's always a
series of redirects for me. Maybe it depends on what bank and/or payment gateway
is being used.

~~~
jasonlotito
Not really. It's usually the merchant implementation that decides how it's
displayed. All the 3DS I've implemented have also recommended using iframes in
their API.

------
staktrace
Nothing in the article is actually a technical flaw - it's mostly UX. That's
not to say the system is good, but I think the title is misleading. If you
look at the paper "Chip and PIN is Broken" by Murdoch et al
(<http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5504801>)
they actually point out a MITM attack which is a technical vulnerability.

~~~
jeffreymcmanus
User experience flaws are technical flaws.

------
sankara
Wow. This is entirely different here in India. First of all, it has been made
mandatory (it's slightly inconvenient). This is not implemented as a popup. It
redirects to the Issuing Bank's website for verification. Signup should be
done in the bank's site as well (e.g.:
<https://www.3dsecure.icicibank.com/ACSWeb/EnrollWeb/ICICIBank/main/index.jsp>).

------
thehodge
Verified by Visa is a horrible horrible implementation, I spent an hour in the
bank last month trying to sort out why my company card wouldn't let us buy
train tickets (VbV had my date of birth wrong for some reason). Oh yeah, if you
have any problems with VbV you have to call an 0845 number, which although
only 5p a minute on my plan... it soon adds up.

------
pp
I have credit cards at a bunch of banks here in Russia and what they do is
they send you a one-time password in a text message every time you make a
purchase online. It's the same VbV/SecureCode window and everything but you
don't get to create your own password.

------
danw
I found this interesting because it provides helpful advice on how to handle
3DS as it currently is. It's a flawed system but it's not going away any time
soon. In the meantime finding ways to make it suck less is all a merchant can
do.

------
paddy_m
I wrote about this about a year ago.
<http://paddymullen.com/2009/05/21/yaron-shohat/>

------
bryanh
Best part? If you ignore it and never set it up, it still lets payments
through (at least with Mastercard). I really, really wish they had an opt-out
button...

------
maximebf
For 3DS-enabled sites in France (don't know if it's the same elsewhere) it
sends you a code by SMS that you have to enter in the popup. I think this is a
much better way. But I have to agree, the process is really not well thought
out and as bad as it can be UX-wise.

------
billpg
The best way to fix it is to nuke it from orbit. It's the only way to be sure.

