Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication

9 points by evdawg over 15 years ago

2 comments

dangrossman over 15 years ago

So very true. 3DS is technologically horrible. In exchange for protection from certain types of chargebacks, a merchant is expected to iframe a 1995-looking webpage from Visa or MasterCard asking the cardholder to create or enter a password. It's abrupt and unexpected, does not fit into the checkout process of any website, and because it's framed the customer has no idea what site they're really giving their password to. All this adds up to lowering conversion rates and undermining all the anti-phishing efforts the banks undertake by telling you to never give out a banking password without checking the address bar.

The paper recalls a perfect example from one of its authors -- the official 3DS page is served by securesuite.co.uk for some UK banks, so he calls his bank and they tell him it's a phishing scam. Yet merchants are expected to do this, lest their chargeback rate climb too high and the account be terminated.

I've only encountered 3DS in the wild once, and only after registering a card for it in the process of testing my own implementation. It only took two days of running VBV and MSc on one of my websites to see that it would be completely economically infeasible -- doesn't matter if I'm protected from chargebacks if it means half my customers abandon checkout out of fear and confusion.

I've had a real hard time handling card-not-present fraud on my websites. I sell packaged self-service advertising services on one site, and it's highly targeted by the do-no-goods that want to use it to push traffic to affiliate sites and phishing scams. They use stolen credit cards to buy the advertising hoping to funnel good money, or more stolen cards, from the traffic back to their accounts. I still have one merchant account in limbo (bank holding 6 months worth of payments) from spending two years working on fraud detection methods to battle this. I only got chargebacks below 1% through geolocation, country blocklists, proxy detection, my own and 3rd party blacklists, minfraud risk scoring, in-house risk scoring and pattern matching against past fraud, and phone verification of all high risk orders.
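The layered card-not-present screening the comment above describes (geolocation mismatch, country blocklists, proxy detection, blacklists, pattern matching against past fraud, and phone verification for high-risk orders) as an added, self-contained example; this is illustrative code written for this page, not the commenter's implementation, and every list, weight and threshold in it is a constructed placeholder.

```python
"""Additive risk scoring for a card-not-present order, routing high-risk
orders to phone verification instead of outright rejecting them.
All signal lists, weights and cut-offs below are constructed for illustration."""
from dataclasses import dataclass

BLOCKED_COUNTRIES = {"XX"}                      # constructed placeholder ISO code
BAD_EMAIL_DOMAINS = {"throwaway.example"}       # constructed in-house blacklist
PAST_FRAUD_BINS = {"411111"}                    # constructed: BINs seen in prior chargebacks

@dataclass
class Order:
    ip_country: str          # from IP geolocation
    billing_country: str     # from the billing address
    is_proxy: bool           # result of proxy/VPN detection
    email: str
    card_bin: str            # first six digits of the card number
    amount: float
    prior_chargebacks: int   # chargebacks already tied to this email

def score_order(order: Order) -> int:
    """Each signal adds a fixed weight; the total drives the routing decision."""
    score = 0
    if order.ip_country in BLOCKED_COUNTRIES or order.billing_country in BLOCKED_COUNTRIES:
        score += 60  # country blocklist
    if order.ip_country != order.billing_country:
        score += 25  # geolocation does not match billing address
    if order.is_proxy:
        score += 30  # proxy detection
    if order.email.rsplit("@", 1)[-1].lower() in BAD_EMAIL_DOMAINS:
        score += 20  # blacklist hit
    if order.card_bin in PAST_FRAUD_BINS:
        score += 20  # pattern match against past fraud
    if order.prior_chargebacks > 0:
        score += 40  # repeat offender
    if order.amount >= 500:
        score += 10  # large order raises exposure
    return score

def decide(order: Order) -> str:
    """Route by score: accept, require phone verification, or reject."""
    s = score_order(order)
    if s >= 70:
        return "reject"
    if s >= 40:
        return "phone_verify"
    return "accept"

# Constructed sample orders: a clean one, a proxy + geo-mismatch one, a blocked-country one.
CLEAN = Order("US", "US", False, "a@example.com", "555555", 50.0, 0)
SUSPECT = Order("DE", "US", True, "a@example.com", "555555", 50.0, 0)
BLOCKED = Order("XX", "US", False, "a@example.com", "555555", 50.0, 0)
```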
forkqueue over 15 years ago

If you want to accept Maestro payments you *have* to implement 3DS or face a £25000 fine - at least in the UK.