Phishing with 3-D Secure
A couple of years ago, I was obliged to find out about the user experience of the Verified by Visa and Mastercard SecureCode systems for inclusion on our site. It was plain to me from the outset that the designers of 3-D Secure (the protocol on which these are based) had not a clue about what real people are like, or how true security works. Cory Doctorow put it best when he described the credit card companies as “phishing their own customers.”
So it comes as no surprise that I read today of 3-D Secure being spoofed during a transaction with Zopa, the online social lending site. In their customer newsletter, I read the following:
Thanks to one of our members who reported that during the process of paying funds into his lender account, he was presented with a ‘verified by Visa’ screen that requested his ATM pin code.
Suffice it to say that Zopa does not use this kind of verification so you should never submit any passwords or codes should you be prompted to do so via such a screen when using the Zopa site.
Zopa then go on to say that they have established that the attack took place locally, and that this does not mean Zopa’s own systems were compromised in any way.
Common sense would suggest that, over time, the Internet will become a more secure place. With the introduction of anti-security measures such as VBV and SecureCode, the opposite seems to be happening. The sooner these idiotic systems are scrapped the better. Security is not about systems, it’s about people. Designing security for the web requires more than just some flow charts.
For our part, we will not implement 3-D Secure for our customers until we are made to do so on pain of losing our credit card processing facilities.
I loathe VBV. Most of last year they seemed to forget my password every single time I used a particular credit card. If you “can’t remember” your VBV password, you can create another one simply by answering a couple of questions that any decent phishing expedition (or the most rudimentary social engineering) will provide – such as account number and mother’s maiden name.
What’s even more irritating is that it wouldn’t allow you to use the same password, because it would say “That password is already in use” or something similar.
Not only that, but because it happens in a window within the site you’re paying at, there doesn’t appear to be anything at all to stop a phishing site putting up a facsimile of the VBV form and requesting the details that are supposed to prove you own the card.
Hardly “verified” at all, is it?
Ah – now that I follow the link to boingboing, I see that Cory already pointed out exactly what I just said. Oh well, at least I’ve had my confusion about VBV clarified – I was right to be confused as to how it makes the whole transaction process more secure.