Verified by Visa: How not to design authentication

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.


I’ve been aware of the security issues with Verified by Visa for a while now, but it’s becoming increasingly difficult to avoid using the scheme. Right now I’m having to decide if it’s worth compromising my security for a cool pair of trainers. Previously, I’ve been able to use PayPal, or some other alternative, but Adidas offer VbV or nothing.

If you shop online often, read up on this a little. Here’s a link to the actual paper, which is quite short and readable.

Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication [PDF 164KB]