3-D Secure
3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems, Inc and first deployed[1] by Visa with the intention of improving the security of Internet payments and is offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode, and by JCB International as J/Secure. American Express added 3-D Secure on November 8, 2010, as American Express SafeKey, in select markets and continues to launch additional markets.[2] Analysis of the protocol by academia has shown it to have many security issues that affect the consumer, including greater surface area for phishing and a shift of liability in the case of fraudulent payments.[3]
3-D Secure adds an authentication step for online payments.
Description and basic aspects
The basic concept of the protocol is to tie the financial authorization process with an online authentication. This authentication is based on a three-domain model (hence the 3-D in the name). The three domains are:
- Acquirer Domain (the merchant and the bank to which money is being paid).
- Issuer Domain (the bank which issued the card being used).
- Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D Secure protocol). Interoperability Domain includes the Internet, MPI, ACS and other software providers
The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).
A transaction using Verified-by-Visa or SecureCode will initiate a redirection to the website of the card issuing bank to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this) but typically, a password-based method is used, so to effectively buy on the Internet means using a password tied to the card. The Verified-by-Visa protocol recommends the bank's verification page to load in an inline frame session. In this way, the bank's systems can be held responsible for most security breaches. Today, with the ease of sending white-listed text messages from registered bank senders, it is easy to send a one-time password as part of an SMS text message to users' mobile phones and emails for authentication, at least during enrollment and for forgotten passwords.
The main difference between Visa and MasterCard implementations lies in the method to generate the UCAF (Universal Cardholder Authentication Field): MasterCard uses AAV (Accountholder Authentication Value) and Visa uses CAVV (Cardholder Authentication Verification Value).
Since January 2015 , EMVCo, a company which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa, is responsible for the development of the EMV 3DS 2.0 Specification.[4]
Implementations
The specifications are currently at version 1.0.2. Previous versions 0.7 (only used by Visa USA) and 1.0.1 have become redundant and are no longer supported. MasterCard and JCB have adopted version 1.0.2 of the protocol only.
In order for a Visa or MasterCard member bank to use the service, the bank has to operate compliant software that supports the latest protocol specifications. Once compliant software is installed, the member bank will perform product integration testing with the payment system server before it rolls out the system.
ACS providers
In the 3-D Secure protocol, ACS (Access Control Server) is on the issuer side (banks). Currently, most banks outsource ACS to a third party. Commonly, the buyer's web browser shows the domain name of the ACS provider, rather than the bank's domain name; however, this is not required by the protocol. Dependent on the ACS provider, it is possible to specify a bank-owned domain name for use by the ACS.
MPI providers
Each 3-D Secure transaction involves two Internet request/response pairs: VEReq/VERes and PAReq/PARes. Visa and MasterCard don't license merchants for sending requests to their servers. They isolate their servers by licensing software providers which are called MPI (merchant plug-in) providers.
Merchants
The advantage for merchants is the reduction of "unauthorized transaction" chargebacks. One disadvantage for merchants is that they have to purchase MPI to connect to the Visa or MasterCard Directory Server. This is expensive (setup fee, monthly fee and per-transaction fee); at the same time, it represents additional revenue for MPI providers. Supporting 3-D Secure is complicated and, at times, creates transaction failures. Perhaps the biggest disadvantage for merchants is that many users view the additional authentication step as a nuisance or obstacle, which results in a substantial increase in transaction abandonment and lost revenue.[5]
Buyers and credit card holders
The intention behind the system is that cardholders will have a decreased risk of other people being able to use their payment cards fraudulently on the Internet.
In most current implementations of 3-D Secure, the issuing bank or its ACS provider prompts the buyer for a password that is known only to the bank/ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the purchaser is indeed their cardholder. This is intended to help decrease risk in two ways:
- Copying card details, either by writing down the numbers on the card itself or by way of modified terminals or ATMs, does not result in the ability to purchase over the Internet because of the additional password, which is not stored on or written on the card.
- Since the merchant does not capture the password, there is a reduced risk from security incidents at online merchants; while an incident may still result in hackers obtaining other card details, there is no way for them to get the associated password.
3-D Secure does not strictly require the use of password authentication. It is said to be possible to use it in conjunction with smart card readers, security tokens and the like. These types of devices might provide a better user experience for customers as they free the purchaser from having to use a secure password. Some issuers are now using such devices as part of the Chip Authentication Program or Dynamic Passcode Authentication schemes.
One significant disadvantage is that cardholders are likely to see their browser connect to unfamiliar domain names as a result of vendors' MPI implementations and the use of outsourced ACS implementations by issuing banks, which might make it easier to perform phishing attacks on cardholders.
American Express SafeKey
American Express SafeKey is live in the following markets: Algeria, Australia, Austria, Bahrain, Bangladesh, China, Cyprus, Egypt, Finland, France, Germany, Greece, Hong Kong, India, Iraq, Italy, Japan, Jordan, Kenya, Kuwait, Lebanon, Lesotho, Libya, Malaysia, Mauritania, Mongolia, Morocco, Nambia, Netherlands, New Zealand, Oman, Peru, Philippines, Qatar, Russia, San Marino, Singapore, Somalia, South Africa, Spain, Sweden, Switzerland, Tanzania, Tunisia, Turkey, UAE, Uganda, United Kingdom, Vatican City, Vietnam, Yemen.[6]
General 3-D Secure criticism
Verifiability of site identity
The system involves a pop-up window or inline frame appearing during the online transaction process, requiring the cardholder to enter a password which, if the transaction is legitimate, their card-issuing bank will be able to authenticate. The problem for the cardholder is determining if the pop-up window or frame is really from their card issuer, when it could be from a fraudulent website attempting to harvest the cardholder's details. Such pop-up windows or script-based frames lack any access to any security certificate, eliminating any way to confirm the credentials of the implementation of 3-DS.
The Verified-by-Visa system has drawn some criticism,[7][8][9][10] since it is hard for users to differentiate between the legitimate Verified-by-Visa pop-up window or inline frame, and a fraudulent phishing site. This is because the pop-up window is served from a domain which is:
- Not the site where the user is shopping.
- Not the card issuing bank
- Not visa.com or mastercard.com
In some cases, the Verified-by-Visa system has been mistaken by users for a phishing scam[11] and has itself become the target of some phishing scams.[12] The newer recommendation to use an inline frame (IFrame) instead of a pop-up has reduced user confusion, at the cost of making it harder, if not impossible, for the user to verify that the page is genuine in the first place. As of 2011, most web browsers do not provide a way to check the security certificate for the contents of an iframe.
Some card issuers also use Activation During Shopping (ADS),[13] in which cardholders who are not registered with the scheme are offered the opportunity of signing up (or forced into signing up) during the purchase process. This will typically take them to a form in which they are expected to confirm their identity by answering security questions which should be known to their card issuer. Again, this is done within the iframe where they cannot easily verify the site they are providing this information to—a cracked site or illegitimate merchant could in this way gather all the details they need to pose as the customer.
Implementation of 3-D Secure sign-up will often not allow a user to proceed with a purchase until they have agreed to sign up to 3-D Secure and its terms and conditions, not offering any alternative way of navigating away from the page than closing it, thus suspending the transaction.
Cardholders who are unwilling to take the risk of registering their card during a purchase, with the commerce site controlling the browser to some extent, can in some cases go to their bank's home page on the web in a separate browser window and register from there. When they return to the commerce site and start over they should see that their card is registered. The presence on the password page of the Personal Assurance Message (PAM) that they chose when registering is their confirmation that the page is coming from the bank. This still leaves some possibility of a man-in-the-middle attack if the card holder cannot verify the SSL Server Certificate for the password page. Some commerce sites will devote the full browser page to the authentication rather than using a frame (not necessarily an iFrame, which is a less secure object). In this case, the lock icon in the browser should show the identity of either the bank or the operator of the verification site. The cardholder can confirm that this is in the same domain that they visited when registering their card, if it is not the domain of their bank.
Mobile browsers present particular problems for 3-D Secure, due to the common lack of certain features such as frames and pop-ups. Even if the merchant has a mobile Web site, unless the issuer is also mobile-aware, the authentication pages may fail to render properly, or even at all. In the end, many analysts have concluded that the Activation During Shopping (ADS) protocols invite more risk than they remove and furthermore transfer this increased risk to the consumer.
In some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder. Legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability from fraudulent "cardholder not present" transactions.[14]
Limited mobility
When a 3-D Secure confirmation code is required, if the confirmation code is sent by SMS on mobile phone (assuming she/he owns one) the customer may be unable to receive it depending on the country he currently is in (not every mobile network accepts SMS). The system is also not convenient for customers who tend to change mobile numbers from time to time - such as due to travelling (and some banks require a visit to their office to change the mobile number on the account). Some Wifi providers who charge for usage by credit card don't actually allow accessing the 3-D Secure site before the payment is completed, so the user is unable to purchase Internet access.
Geographic discrimination
Banks and merchants may use 3-D Secure systems unevenly with regard to banks that issue cards in several geographic locations, creating differentiations, for example, between domestic US- and non-US-issued cards. For example, since VISA and MasterCard treat the United States territory of Puerto Rico as a non-US international, rather than a domestic US location, cardholders there may confront a greater incidence of 3-D Secure queries than cardholders in the 50 states. Complaints to that effect have been received by Puerto Rico's Department of Consumer Affairs "equal treatment" economic discrimination site.[15]
3D Secure as Strong authentication
The newest variant of 3D Secure, which incorporates one time passwords, is a form of software based Strong Authentication. However, the legacy variant with static password does not meet the European Central Bank's (ECB) January 2013 requirements.
3D Secure relies upon the issuer actively being involved and ensuring that any card issued becomes enrolled by the cardholder, making it very much an issuer focused solution.
The ECB has mandated in its January 2013 requirements 'Security for Internet Payments'[16] that all transactions acquired within the Single Euro Payment Area (SEPA) must be authenticated using strong customer authentication by 1 February 2015. This mandate by the ECB, and supported by the European Commission's Payment Services Directive Mk2 (PSD2), is intended to provide a level and technology neutral playing field within SEPA to foster eCommerce, mCommerce and supporting technologies, including competitive forms of strong customer authentication.
As 3D Secure relies upon issuer advance involvement and enrollment of cards, acquirers cannot rely upon 3D Secure to meet their acquiring side authentication requirements, until such time as 3D Secure has a meaningful enrollment approaching 100% of all cards issued.
This in turn makes 3D Secure a weak solution for the acquiring side strong customer authentication requirements, particularly as 3D Secure is not available on the 25 smaller card schemes recognised by the ECB. 3D Secure must also be implemented for each card scheme to which it is to be applied, generally on a case by case basis, unless a specialist integration company is used.
Thus, acquirers may be faced with either accepting cards that are not enrolled and susceptible to fraud, or, to reject such cards until a means of strong authentication is available. As acquirers and payment gateways are liable for fraud on their networks from 1 February 2015, unless they have strong customer authentication in place, it is unclear what impact the ECB's requirements will have on SEPA eCommerce.
Acquiring side authentication differs from issuing side authentication, in that cards are enrolled upon being acquired as part of a transaction, rather than requiring to be pre-enrolled following issue. Acquiring side authentication can thus enroll cards progressively on demand, achieving an effective enrollment rate of 100%. Card enrollment and authentication can thus be at the same time.
Examples of acquiring side authentication include PayPal's patented 'verification'[17] method, where one or more dummy transactions are directed towards a credit card, and the cardholder must confirm the value of these transactions. The iSignthis patented[18] method uses the transaction value at the point of sale, such that the sales amount as agreed between the eMerchant and cardholder, is split into two (or more) amounts, with the first amount being a randomly generated value, and the second value being the balancing amount between sales amount and the random value.
Both of these methods rely upon the card holder accessing the account associated with the credit card, and confirming the value of the random transaction in order to prove that they are the owner of the account. PayPal's method however does not specifically relate to a transaction between an eMerchant and card holder, so unless it is augmented with another process that relates directly to a transaction, the method is not a form of strong customer authentication as is thus not an alternative to 3D Secure.[19]
See also
References
- ↑ "Visa USA tightens security with Arcot". ZDnet.
- ↑ "SafeKey". AmericanExpress.com. Retrieved 2010-08-11.
- ↑ "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication" (PDF).
- ↑ "EMVCo to Manage Next Generation of 3D-Secure Specification" (PDF). EMVCo.
- ↑ "Are Verified by Visa and MasterCard SecureCode Conversion Killers?". practicalecommerce.com. Retrieved 2013-07-30. This 2010 study documented increases in the number of abandoned transactions of 10% to 12% for merchants newly joining the program.
- ↑ "Home | American Express SafeKey". Network.americanexpress.com. Retrieved 2015-03-02.
- ↑ "Antiworm: Verified by Visa (Veriphied Phishing?)". Antiworm.blogspot.com. 2006-02-02. Retrieved 2010-08-11.
- ↑ Muncaster, Phil. "Industry lays into 3-D Secure - 11 Apr 2008". IT Week. Retrieved 2010-08-11.
- ↑ Brignall, Miles (2007-04-21). "Verified by Visa scheme confuses thousands of internet shoppers". The Guardian (London). Archived from the original on 6 May 2010. Retrieved 2010-04-23.
- ↑ "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication" (PDF). Retrieved 2010-08-11.
- ↑ "Is securesuite.co.uk a phishing scam?". Ambrand.com. Retrieved 2010-08-11.
- ↑ "Verified By Visa Activation - Visa Phishing Scams". MillerSmiles.co.uk. 2006-08-22. Archived from the original on 8 July 2010. Retrieved 2010-08-11.
- ↑ "Activation During Shopping" (PDF). Visaeurope.com. Retrieved 2010-08-11.
- ↑ "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication" (PDF). Retrieved 2012-04-23.
- ↑ "daco.pr.gov". daco.pr.gov. Retrieved 2014-07-17.
- ↑ http://ecb.eu/press/pr/date/2013/html/pr130131_1.en.html
- ↑ "US2001021725 SYSTEM AND METHOD FOR VERIFYING A FINANCIAL INSTRUMENT". Patentscope.wipo.int. 2002-01-17. Retrieved 2014-07-17.
- ↑ "AU2011000377 METHODS AND SYSTEMS FOR VERIFYING TRANSACTIONS". Patentscope.wipo.int. Retrieved 2014-07-17.
- ↑ "EPCA Payment Summit: iSignthis presents its authentication service as an alternative to 3D Secure". The Paypers. Retrieved 2014-07-17.
External links
- American Express Japan Issuer Cardmember SafeKey Information site
- American Express Spain Issuer Cardmember SafeKey Information site
- American Express India Issuer Cardmember SafeKey Information site
- American Express Hong Kong Issuer Cardmember Safekey Information site
- American Express United Kingdom Issuer Cardmember SafeKey Information site
- American Express Singapore Issuer Cardmember Security Site
- American Express Germany Issuer Cardmember Information Site
- American Express Italy Issuer Cardmember Information Site
- American Express Netherlands Issuer Cardmember Information Site
- Verified by Visa
- Activating Verified by Visa
- Verified by Visa Partner Network
- MasterCard SecureCode home page
- CERIAS discusses Verified by Visa shortcomings
- usa.visa.com
- about.americanexpress.com