
Verified by Visa and Mastercard SecureCode are broken and need to be fixed

87 points, by danw, over 14 years ago

21 comments

Nitramp, over 14 years ago

He's only complaining about UX, but the bigger problem is that this doesn't actually make things much more secure.

It is already really hard to teach casual computer users about security online. The one thing that used to work so far was "never enter your password on a website you've been redirected to" and "always check the site's identity in the address bar". Verified by Visa redirects you to some website on some random server and asks you to enter your password. There is no way for the user to check its authenticity.

A much more reasonable design would be to control all sales via your bank's website, i.e. having an inbox with "purchase requests" and approving them through your bank's interface. That would be both secure and very transparent to the user, and the bank could easily control the level of security required (passwords, TANs, ...).
CaptainZapp, over 14 years ago

Even though there's no choice (here at least, when you want to use your Visa over the internet) I *HATE, HATE, HATE* the concept and here's why:

For starters I thought it was a phishing attack, when the frame popped up for the first time.

But the worst is that I don't feel it protects me, despite the marketing crap dished out by CC companies. The only reason is to protect Visa.

What happens if I book a flight at a badly infected internet cafe computer in Chiang Mai and a key logger reads my password?

"No, Mr. Zapp, our logs show irrefutable proof that your password was typed with such-and-such transaction. Sorry, you're liable, you obviously didn't protect the password."

Scary stuff.
lemming, over 14 years ago

An additional problem with the implementation is that it requires JavaScript. I was working on a project for a UK bank - their security guidelines required SecureCode, but their accessibility guidelines required that the site work without JS. Sadly achieving the two is impossible.

I agree this is an awful user experience; at a time where the trend in payments is to make the user's experience better, this is a huge step back.
jessriedel, over 14 years ago

Could someone tell me why this idea wouldn't work?

Your credit card comes with a simple communication port (USB, Bluetooth, whatever) and a two-line B&W text LCD display (like on cryptocards or cheap electronic watches). Every time you want to buy something, you connect the card with the merchant. (This works in person and over the internet.) The merchant sends the card an official merchant name ("Delta Airlines"), which is registered with the credit card company, and a price ("$234"). These appear on the first and second lines of the card readout. If you approve the charge, you hit a single button on your credit card. Your credit card then sends an authorization code to the merchant which is good only *one* time, on *that* date, for *that* price, and with *that* merchant (using some sort of RSA hash).

If a wireless connection is used, there is little risk of criminals trying to secretly communicate with your card sitting in your wallet; you simply won't approve the transaction (unless they have physical control of your card, at which point you're no more vulnerable than you are now).

Further, you'd know exactly how the name of the merchant would appear on your bank statement.

The only downside I can think of is that the card would be slightly thicker (like a crypto card), slightly less durable, and need a battery (which would last for the life of the card). But we already replace the physical card every few years, so is this a problem? Is the technology particularly expensive?
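The transaction-bound, single-use authorization code sketched in the comment above, as an added example that is not part of the original thread and not any real card scheme. It swaps the "RSA hash" the commenter mentions for an HMAC over a secret shared by the card and the issuer, binds the code to merchant, amount, date and a monotonically increasing counter, and has the issuer reject replays, tampered amounts or dates, and merchants it has not registered. The card secret, merchant names and amounts are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample: a per-card secret shared by the card and the issuer (assumption).
CARD_SECRET = b"constructed-demo-card-secret"


def _auth_message(merchant: str, amount_cents: int, on: date, counter: int) -> bytes:
    """Canonical, unambiguous encoding of everything the code is bound to."""
    fields = {
        "merchant": merchant,
        "amount_cents": amount_cents,
        "date": on.isoformat(),
        "counter": counter,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _code(secret: bytes, merchant: str, amount_cents: int, on: date, counter: int) -> str:
    return hmac.new(secret, _auth_message(merchant, amount_cents, on, counter),
                    hashlib.sha256).hexdigest()


class TransactionAuthCard:
    """The proposed card: shows merchant and amount on its readout, and on approval
    emits a code valid only for that merchant, amount, date and counter value."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0  # bumped on every approval and never reused

    def display(self, merchant: str, amount_cents: int) -> tuple[str, str]:
        """The two lines the cardholder sees before pressing the approve button."""
        return merchant, f"${amount_cents / 100:.2f}"

    def approve(self, merchant: str, amount_cents: int, on: date) -> tuple[int, str]:
        """Cardholder pressed the button: return (counter, code) for the merchant to forward."""
        self._counter += 1
        return self._counter, _code(self._secret, merchant, amount_cents, on, self._counter)


class IssuerVerifier:
    """Issuer side: recomputes the code and refuses replays and unregistered merchants."""

    def __init__(self, secret: bytes, registered_merchants: set[str]) -> None:
        self._secret = secret
        self._registered = registered_merchants
        self._used_counters: set[int] = set()

    def verify(self, merchant: str, amount_cents: int, on: date, counter: int, code: str) -> bool:
        if merchant not in self._registered:  # name must match the registered merchant
            return False
        if counter in self._used_counters:  # single use: a replayed code is refused
            return False
        expected = _code(self._secret, merchant, amount_cents, on, counter)
        if not hmac.compare_digest(expected, code):  # any change to the bound fields fails
            return False
        self._used_counters.add(counter)
        return True


def demo() -> dict[str, bool]:
    """Walk one genuine approval and several things the issuer must refuse."""
    card = TransactionAuthCard(CARD_SECRET)
    issuer = IssuerVerifier(CARD_SECRET, {"Delta Airlines"})  # constructed merchant registry
    d = date(2010, 11, 24)
    c1, t1 = card.approve("Delta Airlines", 23400, d)
    genuine = issuer.verify("Delta Airlines", 23400, d, c1, t1)
    replay = issuer.verify("Delta Airlines", 23400, d, c1, t1)
    c2, t2 = card.approve("Delta Airlines", 23400, d)
    return {
        "genuine": genuine,
        "replay": replay,
        "amount_changed": issuer.verify("Delta Airlines", 99900, d, c2, t2),
        "date_changed": issuer.verify("Delta Airlines", 23400, date(2010, 11, 25), c2, t2),
        "unregistered_merchant": issuer.verify("Unknown Shop", 23400, d, c2, t2),
        "genuine_second": issuer.verify("Delta Airlines", 23400, d, c2, t2),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'refused'}")
```

The counter is what makes the code "good only one time": the issuer keeps the set of counters it has already honoured, so a merchant or intercepting party cannot present the same code twice, and because the amount, date and merchant name are inside the MAC'd message, a code approved for $234.00 at Delta Airlines cannot be re-used for a different price or a different shop.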
_b8r0, over 14 years ago

There's an open secret in the Information Security industry (at least here in the UK), which is that the Payment Card Industry don't care about your security. What they care about is shifting as much of the liability onto the consumer, the merchant, *anyone* other than themselves as is possible.

We have a system in place here called Chip and PIN (http://en.wikipedia.org/wiki/Chip_and_PIN) which was supposed to protect people by requiring them to type in a personal PIN code. The only problem was that there were plenty of ways to commit fraud without knowing the PIN, and until new regulations came into force the banks would reject claims of fraudulent transactions and require the victim to prove that such transactions weren't fraudulent.

If you want to see how bad the card industry and banks can 'do security', just look here: http://www.cl.cam.ac.uk/research/security/banking/
omh, over 14 years ago

VbV is badly broken, but the suggestions here miss one of the most important points. The use of an iframe means that users can't tell where VbV is coming from and can't be sure either that it is secured or that it's really coming from the bank.

This is just begging for copycat phishing and MITM attacks.
jasonlotito, over 14 years ago

3DS being broken was known long before 3DS was finalized. It's not new. However, it's successful because of the security it brings to merchants. Merchants implement it because they get covered. It's the perception of security that works.

Until 3DS implements some out-of-band authentication, you won't have something secure. Implementing OoB auth isn't difficult, either. The technology has been around for a LONG time, with proven results.
willholley, over 14 years ago

Very similar to the analysis by Steven Murdoch and Ross Anderson published in January: see http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
mixu, over 14 years ago

So, how common is the 3D Secure code on websites? I thought it was a local/European annoyance, since I haven't run into it outside EU webshops?

For instance, I've never had to put in my 3D Secure code on Amazon, BackBlaze, Syncplicity or ZumoDrive. The problem is that at least here in Finland, the only company (representing all the local banks) offering credit card processing practically requires 3D Secure unless you implement everything yourself (e.g. can't use their CC vault) - and no, unfortunately the US subscription API services don't work here, unless you somehow manage to get a merchant account in a UK bank.
cowpewter, over 14 years ago

I've always managed to not enable Verified by Visa on any of my credit cards, but another huge problem with it is that doing so is nearly impossible. Once you get redirected to that popup, it's very hard to *not* sign up without canceling your transaction with the original merchant. Or getting dumped back to your shopping cart, trying to check out again only to get dumped straight back into Verified by Visa's signup process.

There doesn't ever seem to be a permanent opt-out, so anytime I want to buy something from a merchant that uses it, I have to hunt for the magic button to get around it again.
thisisblurry, over 14 years ago

Every now and then when I purchase something from a Verified by Visa-"friendly" site (Newegg comes to mind), I often find that I'm able to complete the purchase without entering my password.

It's disturbing to say the least.
andrewl-hn, over 14 years ago

Strange. I've never seen a VbV open a new frame or pop-up - it's always a series of redirects for me. Maybe it depends on what bank and/or payment gateway is being used.
staktrace, over 14 years ago

Nothing in the article is actually a technical flaw - it's mostly UX. That's not to say the system is good, but I think the title is misleading. If you look at the paper "Chip and PIN is Broken" by Murdoch et al (http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5504801) they actually point out a MITM attack which is a technical vulnerability.
sankara, over 14 years ago

Wow. This is entirely different here in India. First of all, it has been made mandatory (it's slightly inconvenient). This is not implemented as a popup. It redirects to the issuing bank's website for verification. Signup should be done in the bank's site as well (e.g.: https://www.3dsecure.icicibank.com/ACSWeb/EnrollWeb/ICICIBank/main/index.jsp).
thehodge, over 14 years ago

Verified by Visa is a horrible, horrible implementation. I spent an hour in the bank last month trying to sort out why my company card wouldn't let us buy train tickets (VbV had my date of birth wrong for some reason). Oh yeah, if you have any problems with VbV you have to call an 0845 number, which although only 5p a minute on my plan... it soon adds up.
pp, over 14 years ago

I have credit cards at a bunch of banks here in Russia and what they do is they send you a one-time password in a text message every time you make a purchase online. It's the same VbV/SecureCode window and everything but you don't get to create your own password.
danw, over 14 years ago

I found this interesting because it provides helpful advice on how to handle 3DS as it currently is. It's a flawed system but it's not going away any time soon. In the meantime finding ways to make it suck less is all a merchant can do.
paddy_m, over 14 years ago

I wrote about this about a year ago. http://paddymullen.com/2009/05/21/yaron-shohat/
bryanh, over 14 years ago

Best part? If you ignore it and never set it up, it still lets payments through (at least with Mastercard). I really, really wish they had an opt-out button...
maximebf, over 14 years ago

For 3DS-enabled sites in France (don't know if it's the same elsewhere) it sends you a code by SMS that you have to enter in the popup. I think this is a much better way. But I have to agree, the process is really not well thought out and as bad as it can be UX-wise.
billpg, over 14 years ago

The best way to fix it is to nuke it from orbit. It's the only way to be sure.