Visa and the woes of 3D Secure

Trend Micro’s Rik Ferguson alerted me on Friday to a persistent problem with the credit card authentication system Verified by Visa relating to the password reset.

Basically, this ongoing problem, which I think The Register covered about three years ago, could allow a fraudster to reset the VbyV password and start using a stolen card.

Now, this isn’t exhaustive research and the exact implementation of the 3D Secure system, which is designed to make transactions more secure, probably changes from card provider to card provider.

However, in certain instances it asks for three pieces of info obtainable from the card and a fourth (birth date) which is obtainable from just about anywhere online.

Ferguson suggested, very sensibly, that birth date should never be used as a secret question. Instead, a one-time password reset URL should be delivered to a registered email address.
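A sketch of the one-time reset link Ferguson suggests, as an added example that is not from the original post or from Visa's implementation. The `issuer.example` host, the 15-minute lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window


class ResetTokenStore:
    """In-memory stand-in for the issuer's database (hypothetical)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # account_id -> (sha256 of token, expiry time)
        self._clock = clock

    def issue(self, account_id):
        """Create a reset URL to e-mail to the address already on file."""
        # 256 bits from the OS CSPRNG: unlike a birth date or card details,
        # the secret cannot be read off the card or looked up online.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        # Only the hash is stored; a new request replaces any earlier token.
        self._pending[account_id] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return f"https://issuer.example/reset?acct={account_id}&token={token}"

    def redeem(self, account_id, token):
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[account_id]  # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return False
        del self._pending[account_id]  # single use: a replayed link fails
        return True


def token_from_url(url):
    """Extract the token parameter, as the reset page handler would."""
    return parse_qs(urlparse(url).query)["token"][0]
```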

Most disappointing in all of this was a very lengthy but ultimately unsatisfying response from Visa which basically amounted to “VbyV does a good job of cutting fraud and any further tweaks to it would tip the anti-fraud/convenience balance dangerously the wrong way for users, retailers and card providers”.

I guess we’ll have to wait until that tipping point when it becomes a tried and tested method of bypassing 3DS, then the card giants will have to sit up and listen.

Link to my original story is here.


