Fixing Verified by Visa

OK, short post again: what's wrong with Verified by Visa / Mastercard SecureCode, and how to fix it.
Background

Verified by Visa (VbV), and Mastercard's equivalent SecureCode, are the card schemes' attempt to add a second authentication factor (along the lines of chip and PIN) to online card transactions. You register a password with your card provider, and when you use the card online you must enter that password as well as the card details. The idea is that someone who steals your card or card details still doesn't know the password, so they can't spend your money.

A good idea in theory, badly designed and implemented.

What are the problems?

There are a number of key problems, some with the design and some with the implementation:

Design:
  • It has the standard problems of secret questions: password reset falls back to something like your mother's maiden name or "Jesus", so a strong password is effectively replaced by an easy-to-guess five-letter lower-case word
  • Users can reset/recover their password in-band, i.e. the same website that asks for the password lets them reset it, so it is not a true second factor
  • All the problems of a static password: it can be shared, written down, re-used across sites, or captured by a trojan on a compromised machine and then replayed
  • Relies on a website redirect to collect the password. In theory that is vulnerable to a man in the middle (TLS may be enough to stop that, but DNS is still in the path), and it trains users to type secrets into a page that is not the site they are buying from, which is exactly the habit phishing relies on
Implementation:
  • It is not mandated, so some sites use it and some don't. A criminal with your card details simply shops at a site that doesn't use Verified by Visa


How do Visa and Mastercard fix it?

Design:
  • No secret questions: to reset the password you log in to your provider's internet or telephone banking, or call the provider, authenticate yourself there, and then reset it
  • No in-band recovery: as above
  • One-time passwords instead of a static password: a soft token, an EMV card reader, or one of the more innovative and cheap two-factor authentication technologies such as Voicevault or Hawk and Seal
  • No website redirection: the card processing providers such as RBS Worldpay are required to perform this step as part of authorising the payment
Implementation:
  • Mandatory after a six-month compliance period: if you want to accept Visa or Mastercard payments you implement this, or you use a payment processing provider that does
  • PCI DSS: make supporting VbV or Mastercard SecureCode a requirement of PCI DSS compliance
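To make concrete why the "static password" design problem above matters and why the one-time password fix closes it, here is an added example (my own code, not anything from the post, from Visa/Mastercard or from any real access control server). It implements HOTP exactly as RFC 4226 specifies and a minimal issuer-side verifier with a moving counter and a look-ahead window, then replays a captured credential against both a static-password design and the OTP design. The card number, the "jesus" password and the counter values are constructed test data; the shared secret is the RFC 4226 Appendix D test vector.

```python
"""Added example: static VbV password versus a one-time password (HOTP, RFC 4226).

The PAN, password and counters below are constructed test data; the secret is
the RFC 4226 Appendix D test secret. Nothing here is a real issuer's code.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation (offset = low nibble of the last MAC byte, take 4 bytes,
    mask the sign bit) reduced to a `digits`-digit zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticPasswordAcs:
    """Models today's VbV access control server: one static password per card.
    Anything that captures the password once (trojan, phishing page) can replay it."""

    def __init__(self):
        self._passwords = {}

    def enrol(self, pan: str, password: str) -> None:
        self._passwords[pan] = password

    def verify(self, pan: str, password: str) -> bool:
        return hmac.compare_digest(self._passwords.get(pan, ""), password)


class OtpAcs:
    """Issuer-side verifier for a soft token / EMV reader that emits HOTP codes.
    Each card has a shared secret and a next-expected counter. A code is accepted
    only if it matches one of the next `window` counters (tokens drift when a user
    generates codes that never reach the server); on success the counter moves
    past the matched value, so that code and every earlier one are dead."""

    def __init__(self, window: int = 5):
        self._window = window
        self._cards = {}  # pan -> [secret, next_counter]

    def enrol(self, pan: str, secret: bytes) -> None:
        self._cards[pan] = [secret, 0]

    def verify(self, pan: str, code: str) -> bool:
        entry = self._cards.get(pan)
        if entry is None:
            return False
        secret, next_counter = entry
        for c in range(next_counter, next_counter + self._window):
            if hmac.compare_digest(hotp(secret, c), code):
                entry[1] = c + 1  # replay protection: never accept counter <= c again
                return True
        return False


def demo() -> tuple:
    """Replay a captured credential against both designs.
    Returns (static_replay_ok, otp_first_use_ok, otp_replay_ok)."""
    pan = "4111111111111111"  # constructed test PAN

    static = StaticPasswordAcs()
    static.enrol(pan, "jesus")  # the kind of password the post complains about
    captured = "jesus"  # what a trojan on the buyer's PC would grab
    static_replay = static.verify(pan, captured)

    otp = OtpAcs()
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    otp.enrol(pan, secret)
    captured_code = hotp(secret, 0)  # "755224", sniffed during a real purchase
    first_use = otp.verify(pan, captured_code)
    replay = otp.verify(pan, captured_code)
    return static_replay, first_use, replay


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The point of the look-ahead window is worth noting: it is what lets a verifier tolerate a token that was pressed a few times without a transaction, but it is also the only budget an attacker has, so it should stay small and the counter must be persisted per card before the success response is sent.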


Conclusion
I'm sure (at least I hope) that the security architects at Visa and Mastercard suggested the above simple (and probably better) steps to fix these problems but they were overruled by the lobbies or because of cost. Let's hope Visa and Mastercard take the incremental improvement approach.

As always if you disagree please comment, email or twitter me.

2 comments:

  1. Agree with you, but would point out that mandating compliance is a big problem. Coming back to Australia has shown me just how far behind much of the world is compared to the online shops in the .eu. The added complexity of complying with this would be significant, and given that most end shops wouldn't have the in house expertise it would mean that they would have to pay someone else to implement it. It's the right thing to do for security, but the wrong thing for the company.

  2. Yes, that's why I suggested it be mandated on the payment processors, e.g. RBS Worldpay, therefore the merchant would not pay the upfront cost. It is also the right thing not just for security but for the public good in terms of reducing the transaction cost of online commerce by reducing security incidents and increasing user trust.
