Liability for fraud said to be unfairly shifted from merchants to customers

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.

That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.

One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.

The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.

3DS also allows people to set their password immediately as they enroll in the system, a process called "activation during shopping" (ADS). The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.

Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote. 3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.

Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card. Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.

Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.

Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase. Another method is sending a SMS (short message service) verification to a person's mobile phone along with a one-time passcode that can be entered during the e-commerce transaction.

However, "most banks have chosen to go for passwords than anything better," Murdoch said. "Passwords are really cheap."

Merchants must pay to implement SecureCode or Verified by Visa, where the systems mentioned above would likely require the banks to spend money, Murdoch said.

In a statement, Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with on-line transactions.

"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the statement said. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."

MasterCard officials could not be immediately reached for comment.