Thought it was about time I got round to writing this post after reading another article highlighting some of the many flaws of Verified by Visa and Mastercard SecureCode today. Unfortunately the solutions described in that article are a little suspect and, while they might result in fewer people dropping out of sales, a better solution would be to scrap the whole crazy scheme completely. For a much better insight into the security issues with 3D-Secure, have a look at Stewart’s post, which has some superb bonus features in the form of (attempted) discussions with various Financial Institutions!
And if there is still any doubt that banks have a problem with online security:
- How online card security fails
- Optimised to fail: Card readers for online banking
- Fraudsters ‘copying online banking security’
The underlying problem, however, isn’t a technical one. For a clue, have a look at ‘2.4 Liability shifting’ in Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication.
It doesn’t make any sense to me for the merchant or card holder to be liable for a security scheme which they have no say in.
A while ago I started thinking about various techniques that could be used to ensure that it would be completely safe to carry out any transaction on any computer, even if you knew it was logging every key you pressed. There’s no real point though: until the law makes it wholly the bank’s liability, where’s the incentive for them to stop making things worse with the current half-baked schemes?
It’s not like it’s rocket science, or even vaguely new technology:
- Security token. Check.
- I favoured a USB/Bluetooth/wireless device of some sort. Too big? Maybe a credit card sized device instead? Check.
- Some kind of open, verifiable security standard. Check.
I won’t be holding my breath.
Update: some good comments on Richard’s, “Verified by Visa: bad for security, worse for business” post. Worrying if the Chase Bank comment is true! (17 Nov 2010)
Photo © David Neubert. Some rights reserved.