Monday 17 January 2011

3-D Secure: Universal, but not Final


As we consider emerging online and mobile payment technologies, a crucial aspect of their innovation lies in their approach to cardholder verification. The most prevalent online verification technology is 3 Domain Secure, or 3-DS, which was first introduced by Visa and was later adopted by MasterCard, JCB International and American Express.
Traditionally, the card industry has relied on a two-part verification process, where the customer produces their physical card along with their PIN code. This is of course not possible with online transactions, also referred to as 'card-not-present' transactions. As these transactions are more vulnerable to fraud, the industry has shifted the liability for fraud from the card issuer to the merchant.
3 Domain Secure was developed as an additional layer of security for online transactions. Before an online transaction is completed, the user is redirected to a webpage associated with the issuing bank to authorize the transaction. Banks are free to adopt any method of verification they prefer, but most opt for a simple password.
Although 3-DS is expensive for merchants (set-up fee, monthly fees and transaction fees), they benefit from fewer chargebacks, as it enables the issuing bank to properly authorize the transaction and thereby shifts the liability for fraudulent transactions from the merchant to the issuer and cardholder. This shift in incentives differentiates 3-DS from previous verification technologies and has been a crucial element in encouraging its broad adoption.
However, in their article titled: “Verified by Visa and MasterCard SecureCode: How Not to Design Authentication”, Steven Murdoch and Ross Anderson argued that 3-DS has considerable security weaknesses.  To summarise:
- Confusing the user: the industry generally tells users to only enter sensitive data in webpages that use TLS, which most browsers indicate visibly. However, 3-DS windows do not present the usual TLS indicators and generally display the URL of the issuer's software partner, not the issuer's.
- Activated during shopping: by activating the verification step during shopping, the user is given the impression that they are providing personal details and passwords to the merchant, not the issuer.
- Password choice: the user will generally be more concerned with shopping than security and is less likely to choose a strong password.
- Liability shifting: the shopping process is not an appropriate time to introduce new terms and conditions that fundamentally shift liability onto the user.
- Inconsistent verification: 3-DS leaves the actual method of verification open to the issuing bank, and there are several examples of banks that have made unwise choices, such as using the cardholder's PIN code.
- Privacy: 3-DS specifies that for a user to be provided with transaction-level details, this information must be shared with the issuing bank. This information enables issuers to profile their customers and may run counter to privacy regulation in some European countries.
Murdoch and Anderson conclude that 3-DS has enabled the payment networks to shift liability from merchants to cardholders without providing cardholders with sufficient security. To address this, the authors recommend transaction authorization.
From personal experience, I have seen HSBC implement an SMS solution in the UK, where you authorize each payment with a transaction-specific code that is sent to your mobile phone.  Similarly, in Norway we use a key fob that produces transaction-specific codes.
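The transaction-specific codes described above, as an added illustrative model that is not HSBC's, any bank's or the 3-DS specification's actual protocol: the code is an HMAC over the amount, merchant and a sequence number, so unlike a static password it authorizes exactly one transaction and is useless if the details are altered or the code is presented twice. The shared secret, the field encoding and the 6-digit truncation are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added, constructed model (not HSBC's, any bank's or the 3-DS spec's real protocol): the
# cardholder's fob or the issuer's SMS channel shares a secret with the issuer, and the code
# is an HMAC over the transaction details, so it authorizes one amount/merchant/sequence only.

def canonical(amount_minor: int, currency: str, merchant_id: str, seq: int) -> bytes:
    """Unambiguous encoding of the fields the code binds (amount in minor units)."""
    return f"{amount_minor}|{currency}|{merchant_id}|{seq}".encode()

def transaction_code(secret: bytes, amount_minor: int, currency: str,
                     merchant_id: str, seq: int, digits: int = 6) -> str:
    """Derive the short code a fob would display (truncation as in RFC 4226 HOTP)."""
    mac = hmac.new(secret, canonical(amount_minor, currency, merchant_id, seq),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Issuer:
    """Issuer side: recompute the code for the transaction actually being authorized."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_seq: set = set()  # sequence numbers already authorized

    def verify(self, code: str, amount_minor: int, currency: str,
               merchant_id: str, seq: int) -> bool:
        if seq in self.used_seq:
            return False  # replay of a code that already authorized a payment
        expected = transaction_code(self.secret, amount_minor, currency, merchant_id, seq)
        if not hmac.compare_digest(expected, code):
            return False  # code was generated for different transaction details
        self.used_seq.add(seq)
        return True

def demo(secret: bytes = b"") -> tuple:
    """Altered amount, altered merchant and replay fail; the genuine transaction succeeds."""
    secret = secret or secrets.token_bytes(32)  # provisioned at enrolment
    issuer = Issuer(secret)
    code = transaction_code(secret, 4999, "GBP", "MERCHANT-A", 1)  # for a GBP 49.99 payment
    return (
        issuer.verify(code, 49999, "GBP", "MERCHANT-A", 1),  # amount changed in transit
        issuer.verify(code, 4999, "GBP", "MERCHANT-B", 1),   # merchant changed
        issuer.verify(code, 4999, "GBP", "MERCHANT-A", 1),   # genuine transaction
        issuer.verify(code, 4999, "GBP", "MERCHANT-A", 1),   # same code presented again
    )
```

Calling demo() returns (False, False, True, False): only the transaction the code was generated for is accepted, and only once.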
Interestingly, we have seen that although 3-DS is being promoted as a universal solution to online security, it does not solve the crucial issue of verification. Issuers have mostly opted for a password approach, which does not provide the level of security we need. SMS codes and key fobs offer improvements, but are surely not the technologies of tomorrow. We have already seen plenty of interesting innovations and should realistically expect this to continue for many years before the industry agrees on one solution.
