Ask HN: Why does VISA/MasterCard provide 3-D Secure? - AnnMarie

3-D Secure (or "verified by visa/mastercard") has a really bad user experience! Hate when I have to enter the password!!

I understand that for merchants that enable this the fraud liability shifts to banks.

I also know that Amazon can get away without enabling this since they have an in-house fraud team.

It seems that VISA/MasterCard is NOT taking any liability in either case (with 3-D Secure or without). So, what is the incentive for them to provide this system, given they might lose transactions from cart abandonment?
======
junto
Actually, in some cases the liability shifts to the customer:

      As few customers object to terms and conditions, banks are
      free to set terms that shift liability to customers. For
      example, the Royal Bank of Scotland says [2]:

      “You understand that you are financially responsible for
      all uses of RBS Secure.”

      So despite the bank having made many poor security choices,
      the customer must accept the losses – a clear example of
      misplaced incentives. The use of password also harms
      customer interests because they no longer have the
      statutory protection afforded by signatures where, in the
      UK at least, the law makes a forged signature void and thus
      prevents banks from using their terms and conditions to
      make customers liable for forged cheques. It has already
      been documented that many banks used the move away from
      manuscript signatures to make customers liable for fraud
      [4].

See "Verified by Visa and MasterCard SecureCode: or, How Not to Design
Authentication"

[http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf](http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf)

In other words, the customer gets both a user interface problem and a
liability shift.

It is called in the trade "getting shafted"!

~~~
jasonjei
I just find it hard to believe a bank can be absolved of any liability since
fraud can still happen electronically, just like signatures are forged. Most
Internet users aren't savvy enough to look for SSL or legit looking URLs.
There's still the possibility of a MITM attack. Does case law actually allow
credit card companies to shift liability just like that?

------
Kjeldahl
Card fraud was a huge problem in Europe/Russia/Asia etc, but less so in the US
(probably related to US's dependency on credit and "credit history"). The
internet was taking off and magnified this problem exponentially. To counter
this the card companies decided they needed more security in all/most markets
outside of the US.

In the "Amazon" type of model, Amazon collects card details and more or less
keeps it on file. When a customer wants to buy something, the card companies
and Amazon's bank more or less trust that Amazon will keep fraud to a minimum
by looking at usage patterns, doing proper card authorizations etc.

They allowed this in the US, but decided to forbid this model more or less
everywhere else. Everybody else had to start using 3DSecure.

With 3DSecure the purchaser's bank gets a say in each and every transaction.
So you've now got Amazon, Amazon's bank, the customer AND the customer's
bank. So when a purchase gets done, the card companies now demand that the
customer's bank (who knows their customers) guarantees that it is the actual
customer who is at the other end. The customer's bank can decide not to do any
checks, but then if there IS fraud, that's the customer's bank's problem.

So most customers' banks require that the customer - at the time of purchase -
identifies himself. Very often this is done by throwing the customer back to
the customer's web-based banking solution (which already has identification
procedures in place), or something similar, where the customer's bank can
authenticate the customer (with passwords/2-factor etc).

The technical details of how 3DSecure actually works sucks bigtime. At least
when it was launched it involved using encryption and signing xml-based
documents. To make this work those documents had to be "normalized" etc - a
huge mess.

Because of the mess, there probably is very little competition in implementing
solutions for 3DSecure. Which again is probably why most 3DSecure feels like a
throwback into the "Web 1.0" era, with the customer being thrown back and
forth between the store and his own bank, typically with a user interface
reminiscent of the "CGI" era.

Another consequence is that the US has had a huge advantage (and probably
still does) when it comes to everything related to internet e-commerce, simply
because the card companies and banks do not allow deviations from 3DSecure
anywhere (mostly) but the US.
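An added illustration (not code from the thread, from any card scheme or from any bank) of the four-party flow Kjeldahl describes and of who carries the fraud loss under the rules stated in this thread: no 3DS means the merchant keeps the risk, 3DS hands the decision to the cardholder's bank, a bank that skips its own check still owns the loss, and (junto's point) a bank's terms may push an authenticated loss onto the cardholder. Party names, field names and the trace strings are assumptions for the model.

```python
from dataclasses import dataclass

@dataclass
class Purchase:
    merchant_uses_3ds: bool   # merchant enabled 3-D Secure for this sale
    issuer_checks: bool       # cardholder's bank chose to run its own check
    cardholder_passed: bool   # cardholder got through that check
    disputed_as_fraud: bool   # cardholder later says "that wasn't me"
    terms_shift_to_customer: bool = False  # RBS-style T&C clause (assumed flag)

def issuer_decision(p: Purchase) -> str:
    """With 3DS the cardholder's bank gets a say in every transaction."""
    if not p.issuer_checks:
        return "unchecked"            # bank declined to authenticate this one
    return "authenticated" if p.cardholder_passed else "failed"

def settle(p: Purchase) -> dict:
    """Trace the purchase through the parties and name who carries a fraud loss."""
    trace = ["merchant: collects card details"]
    if not p.merchant_uses_3ds:
        # Amazon-style model: the merchant's own fraud controls are all there is
        trace.append("merchant's bank: authorises on the merchant's fraud controls")
        approved, loss_falls_on = True, "merchant"
    else:
        trace.append("merchant: hands the cardholder over to the cardholder's bank")
        outcome = issuer_decision(p)
        trace.append(f"cardholder's bank: {outcome}")
        approved = outcome != "failed"
        loss_falls_on = "cardholder's bank"   # bank vouched, or chose not to check
        if outcome == "authenticated" and p.terms_shift_to_customer:
            # the password becomes the bank's evidence that "you" did it
            loss_falls_on = "cardholder"
    if not approved:
        return {"approved": False, "loss_falls_on": None, "trace": trace}
    return {"approved": True,
            "loss_falls_on": loss_falls_on if p.disputed_as_fraud else None,
            "trace": trace}

if __name__ == "__main__":
    # Constructed sample: 3DS on, bank skipped its check, later disputed.
    for line in settle(Purchase(True, False, False, True))["trace"]:
        print(line)
```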

~~~
desas
Not sure about the rest of Europe but in the UK it's standard for Amazon and
many other online places to keep your card details on file.

Halifax, a bank in the UK, didn't require 3D Secure, though it did encourage it.
Recently I used a site I'd not used before and they declined the transaction
on my credit card and sent me an SMS which I had to reply to in order to use my
card at that site.

~~~
Kjeldahl
It's quite common for these companies to push their transactions through their
US subsidiaries. If a company can convince their bank there will be little or
no fraud they can convince their bank to avoid 3DS as well. E.g. if you have
lots of transactions and other attributes keeping fraud low, like airlines who
check your identity later anyway.

------
joshmn
> I also know that Amazon can get away without enabling this since they have
> in-house fraud team.

Their fraud team isn't that great, but that's a whole different subject.

It's not like there's a magic switch that enables 3DS. Still, 3DS isn't
bulletproof. There was a time (it might still be true) where all you'd need is
the cardholder's last name, their billing zip, and the last four of the card
number, to create the 3DS password if it wasn't already created.

Albeit, this wasn't the case for the larger banks, where you'd need their SSN
most of the time. However, in most shops, you can search by BIN, so again,
defeated...

If you were carding (verb: to use someone else's credit/debit card to
fraudulently conduct a transaction), depending on the dump, you'd already have
this information. Of course, there's no way for the processor to verify
the name of the cardholder*, so the info on the card might be incomplete in
that sense, but it's still easy to get.

3DS isn't meant to be a catch-all for fraud. Depending on how a card is
acquired, the 3DS code can come with it (keylogger).

------
eveningcoffee
I do not know my password. It is senseless to know it, as it does not provide
more entropy than the backup mechanism to retrieve the password.

To retrieve the password, I have to enter 4 fixed digits of my account number
and my birth date. As I have a quite unique name, my birth date is also not
very hard to find.

That leaves 14 +/- 2 to 4 bits of entropy and makes it pointless to actually
somehow keep track of the real password.

So I just generate a temporary password.

Edit: This is of course how my bank has implemented it. Your experience may
possibly vary.
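An added worked version of eveningcoffee's entropy estimate (not code from the thread or from any bank): the strength of a login is the weakest path to it, so a strong password protected by a recovery flow that asks for 4 fixed digits plus a mostly-public birth date is worth only what that recovery flow is worth. The 70-year birth-year window, the candidate-date counts and the password parameters are assumptions for the calculation.

```python
import math

def bits(space: int) -> float:
    """Entropy in bits of one uniformly random choice out of `space` values."""
    return math.log2(space)

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a random password over an alphabet of the given size."""
    return length * bits(alphabet_size)

def recovery_path_bits(digits_required: int, candidate_birth_dates: int) -> float:
    """Entropy left on the 'forgot password' path.

    digits_required:       fixed account-number digits the bank asks for (4 here)
    candidate_birth_dates: dates an attacker could not rule out from public
                           information; 1 means the birth date is known outright
    """
    if digits_required < 0 or candidate_birth_dates < 1:
        raise ValueError("digits must be >= 0 and at least one candidate date")
    return bits(10 ** digits_required) + bits(candidate_birth_dates)

def effective_bits(password: float, *other_paths: float) -> float:
    """Real strength of the login: the minimum over every path that reaches it."""
    return min(password, *other_paths)

def unknown_birth_date_candidates(year_window: int = 70) -> int:
    """Assumed worst case for the attacker: any day in a 70-year window."""
    return 365 * year_window

if __name__ == "__main__":
    strong = password_bits(62, 12)            # 12 random alphanumerics, ~71 bits
    for candidates in (1, 4, 16, unknown_birth_date_candidates()):
        rec = recovery_path_bits(4, candidates)
        print(f"{candidates:>6} candidate dates: recovery {rec:5.1f} bits, "
              f"effective {effective_bits(strong, rec):5.1f} bits")
```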

------
AnnMarie
So does the VISA/MC take on any liability? If not, why is VISA/MC providing
the 3-D Secure service and not banks themselves?

In addition, given fraud, does VISA/MC incur any losses themselves with and
without the 3D?