I agree on most points that was made in the article. However a bit of advice from a former network securtiy cheif, "You can hide only one thing on the internet...nothing". Taking into context with 3D Secure we face one fact, all the pins will be stored on the Banks/Credit Cards databases. And if someone hacks it this databases, it will seem almost impossable to trace because there is no longer a need for investagation because YOU made the purchase. So good hunting.

Credit card companies can only do so much in protecting the card holder via the use of encryption and verification process. It really boils down the fact the card holders are responsible for making sure the PC is secure PRIOR to making an online purchase. So if you leave your credit card on the table at some resturant and forgot about it then you're responsible. Hopefully you realize it early and notified the bank to cancel the card. I did this once when I went to the drive through at Burger King and I was in a hurry I forgot to get my check card back. The next morning when I went to Home Depot to make a purchase I noticed the card is not in my wallet so least to say I called the bank to have the card cancelled.

If some hacker do break into the bank's database then it's their problem.

I think lately with stupid things like Iron Mountian losing client back up tapes I have to wonder when will they finally step up the plate and fix it? It's not the first time this happened. How much of this stolen / lost data are in use to commit fraud? I can only wonder.

Darkk

Yes, you are absolutely spot on. If 2 Factor Authentication is not used, then security of a static PIN or pass phrase wont last long. Next step to occur will be a challenge from someone who has been genuinely defrauded in the courts, and the usefulness of 3DS will diminnish overnight.

Pat McKenna

Hi,

keylogger would do the job nicely. This requires a 2 Factor solution generating one time PIN's for each login. Banks that are going to employ this for online banking will probably enable it for 3DS as well - we hope!

Pat MK

This article is ridiculous. This change will not suddenly make it impossible for someone to contest charges on their CC bill, and it will not create some Orwellian nightmare for online merchants.

Chargebacks will still be automatic, just as they always have been for online and offline merchants. Now, however, it is a little easier for a merchant to argue against those chargebacks and harder for a criminal to fake a transaction.

The software development costs are the same as implementing AVS, a single additional required field, labelled PIN or passcode. If that's going to break an online merchant they should stop using Accenture for their web development.

The scary 12 step process really only adds 1 possible branch and step to the user or the coder. First, a good web app should allow users to enter info in a single step instead of prompting for each input, so there will be a new textbox by the credit card input for passcode or pin and a note saying "If your credit card is secured with a SecureCode passcode enter it here:". On processing, there will be an additional branch in the logic, if the CCresult says this is transaction requires a passcode, send what the user entered. If the user left it blank, do what you always do on a required field, prompt the user. Is that so hard? If you want to see a really scary financial process, examine how checks are cleared.

The RSA key generator is cool and all, but if you want to talk about a headache for merchants and customers imagine there being a $20 fee every time you lose your credit card or leave it in a hot car, or run it through the washing mashine, or expose it to static shock. If you want to see panic, accidentally leave the key generator on a plane. Some flight attendant finds it and, "When the right combination appears the bomb goes off!" Panic!

The PINs won't be stored on the bank's side, a hash value will be stored. Same as an ATM PIN or your password in any secure software system.

And forget a keyboard logger and trying to figure out when in the last 27,000 keystrokes someone entered their CC and PIN, if you have access to the inside of their house, just empty the contents. Or watch them very closely at the ATM machine then hit them in the head with something hard. That way you'll be able to get cash, and not just iTunes.

Hi,
3D secure is absolutely not new. The specs have been out for a couple of years already. They were designed by Visa and later endorsed by Mastercard. Many Issuers and Acquirers around the world have implemented this service some years ago but the adoption rate is actually very low from the customer standpoint. You can forget about the figures given by either Mastercard or Visa because it is totally biased. Visa and MC which btw are for non profit organizations 8O basically forced their members (banks) to invest several hundred of thousands of dollars in the 3D secure infrastructure which at the end is a real pain for the customer in their online purchase experience. I would also add the yearly fee charged to the participating banks to use the Visa/MC infrastructure during the transaction process (i.e. fee for use of Directory Server)
Worst thing is: merchants are losing transactions because most of the customers are unaware of the 3Dsecure service itself and don't want to be bothered with this kind of complicated process. As a merchant I would prefer keep the liablity and have let's say 10% of fraud on my store rather than losing half of my transactions because of 3Dsecure discouraging my potential customers. And that is what is happening with several merchants not willing to support 3dsecure anymore. Just go to verified by visa website and have a look of the merchant list supporting this service. It is quite meager and most of them have stopped promoting this service.
Finally, there is also a great lack of defined specifications on the Payment Gateway on the Acquirer side (used for authorization process after authentication has taken place). As stated earlier by 2factor_login some Gateways are stated to be 3dsecure compliant but are actually not due to the lack of clearly defined specifications by the MC and Visa. This leads to unclear results on the real transaction liability itself.

Cheers,

LMA.

Hi JM,

hmmmm - MC and VISA will tell you that 3DS has progressed further in the US than anywhere else. I know that in the UK and Ireland, card holders are being informed that they will require compliance - or else. Now I'm not sure what the 'or else' is as I believe that it falls to the individual banks to implement the protocol to consumers in what ever way they see fit.

Bit of a mess, eh?

Pat MK

MK, I use a number of MC/Visa cards in a major market area and so far I've heard nothing from any of them, nor has anyone I know. However, in Europe you've had pin numbers for credit cards (not just ATM cards) for years, so I guess the idea of 3DS wouldn't be foreign to cardholders there.

What LMA says about banks' not caring that much about credit card/online transactions may be true in UK/Ireland, but not in USA. Online business is a huge industry in USA, and with the exception of PayPal, virtually all online vending is by credit card. The margins for credit cards are also huge, with rates that can only be described as usurious. I doubt if you could get an American banker to tell you honestly that credit card transactions are not very important indeed to his bottom line.

There are two kinds of frauds here: one is card use by unauthorized persons, the other is fraudulent chargeback by the cardholder. The headline and story imply that, in order to eliminate the latter, 3DS will eliminate recourse for the former. Under common law, given reasonable due diligence, we cannot be held liable for the acts of an impersonator. I'm not familiar with consumer protection laws in UK/Ireland, so I can't gauge how responsive lawmakers are to consumers over there, but you can be sure that Stateside any scheme to defeat this principle will be met with furious resistance through litigation and legislation.