Friday, February 5, 2010

Credit card companies covering their asse(t)s

Exactly whose security does your credit card company have in mind? Here's a hint: It's probably not yours.

I often use MasterCard SecureCode as an example of a usability failure in online security: to buy plane tickets from a site that uses SecureCode, I found I had to disable many of the browser security measures I keep in place for everyday browsing. So the moment I'm making an expensive transaction is precisely the moment I'm exposed to the most risk. Not exactly trust-inspiring, is it?

But Steven J. Murdoch and Ross Anderson of Cambridge do more than just complain about "Verified by Visa" and "MasterCard SecureCode": they have published a detailed analysis of the 3-D Secure protocol that underlies both brands. Here's the abstract:

Abstract. Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge.

So 3-D Secure provides economic security rather than technical security, and not for you, the customer. Its real function is to shift liability: once a transaction has passed through 3-D Secure, the bank can argue that the cardholder authenticated it, so when fraud happens the loss is pushed onto the customer rather than absorbed by the bank or the merchant. That is the "passing the buck" that makes the economics work for everyone but you.

This is hardly the only way in which banks protect themselves ahead of the consumer. Take a look at "Security and Usability: The Gap in Real-World Online Banking" (Mannan and van Oorschot, 2007) for some fascinating insight into what your bank thinks you should do to be secure online, and how few people actually do those things in practice. This is especially worrisome now that, as Mannan anticipated in that paper, banks have started suing their customers when breaches occur.

I'll be very curious to see whether this paper manages to bring about changes in industry practice or in legislation. Amusingly, a paper about how insecure these schemes are actually makes me feel more secure: if a bank ever sues me because someone has stolen my money, I'll have more evidence to show in court that the bank wasn't trying very hard to protect me.

1 comment:

Anonymous said...

The first thing that I noticed about "Verified by VISA" was that all I needed to get a password for it was the card number and an e-mail address...