Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

3-D Secure — How Not to Do It.

A typical Verified by Visa form

If you’ve done any shopping on the Internet in recent years, chances are that you’ve happened across the joy that is 3‑D Secure (aka Verified by Visa or MasterCard SecureCode). This is a system that can be adopted by your bank, supposedly to provide you with additional reassurance that your card details cannot be used fraudulently by a third party to make purchases on Internet sites.

You’ll know if your bank has “enrolled” your card for this scheme because when you make your purchase you’ll very likely be presented with a screen like the one on the right.

Unfortunately, 3‑D Secure is still, in 2011, ten years after it was first launched, a total disaster. Why? Well:

  • Some banks don’t tell their customers about it, but have still signed all their cardholders up to the scheme.

  • Some banks’ implementations ask cardholders for things they frankly shouldn’t (for instance, in the United States, the customer’s Social Security Number). This frightens cardholders, because they have been told never to enter these details into a website because of the risk of identity theft.

  • Typically there is no way to proceed with the purchase without using the 3‑D Secure form; all you can do is use it or cancel. This is often the case even when the user is being prompted to sign up for 3‑D Secure, and as a result some customers abandon their purchase.

  • Banks generally outsource their side of 3‑D Secure, which means that the end user is seeing a page from a third-party. Of course, current recommendations from Visa and MasterCard say to use an HTML iframe anyway, so maybe they don’t see that, but if they do have the inclination to check it out, they may very well panic anyway.

  • Customers simply don’t expect to suddenly see a page displaying their bank’s logo while trying to pay for something. This is, of course, made substantially worse by their bank not mentioning to them that this will happen.

  • Some banks’ 3‑D Secure forms are not as concise as the example above and even in some cases require that the cardholder re-enter(!) all of the information they have already given to the site trying to sell them something. Yes, I did say re-enter.

But, more pertinently, passwords are a terrible way to verify customers’ identities. Even assuming the cardholder doesn’t choose the same password they use everywhere else, they’re likely to forget their password (which is very frustrating), and in any event it is susceptible to phishing or keylogger-based attempts to capture the necessary information.

The sad part is that 3‑D Secure itself is actually able to provide any authentication technique your bank cares to use. There is nothing stopping your bank from choosing something a little more human-friendly – for example, showing you pictures of faces and asking you to choose the correct one – or even providing a card reader and allowing your bank card to directly communicate its physical presence to the bank.