Researchers slam MasterCard and Visa 3-D Secure tech
A new paper by researchers from Cambridge has cast a shadow over online shopping technologies that are meant to improve security.


Cambridge researchers have cast doubt on extra credit card security measures in a paper published this week.
Highlighting both MasterCard SecureCode and Verified by Visa, Ross Anderson and Steven Murdoch from the Computer Laboratory at Cambridge University claimed the 3-D Secure technology "breaks many established security rules" when purchasing online.
Firstly, the two researchers claim it confuses users who have become used to the traits of Transport Layer Security (TLS).
"Browsers have introduced measures to help customers, such as changing the colour of the address bar if TLS is enabled, and making it clearer who the domain name belongs to," the report claimed.
It added: "Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice."
The report also criticised how a user first establishes their password: rather than the password being sent to a registered address, it is set the first time a card is used online. This also means the user will be keen to get the purchase finished, so often won't pay much attention to the terms and conditions they are agreeing to, allowing banks to "shift liability to customers."
The researchers concluded from all of these points that "customers receive little benefit in security, while suffering a huge increase in their liability for fraud. They are also trained in unsafe behaviour online."
As a result, they are calling for banks to spend more on setting this system up to make it safer and urging new regulation from the likes of the EU to ensure people follow the rules.
"Circumventing security procedures is, as always, a focus for criminals and we value the input of academia in verifying the effectiveness of security features and systems," a Visa spokesperson said in a statement issued to IT PRO.
"Visa does not, however, wholly agree with the premise and conclusions set out in the new paper by Cambridge researchers, which describes theoretical scenarios in which they believe Verified by Visa could be compromised."
We also contacted MasterCard for comment but the company had not responded to this request at the time of publication.
Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.
Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.