Phishing with 3-D Secure

A couple of years ago, I was obliged to find out about the user experience of Verified by Visa and the Mastercard SecureCode systems for inclusion on our site. it was plain to me from the outset that the designers of 3-D Secure (the protocal on which these are based)  had not a clue about what real people are like, or how true security works. Cory Doctorow put it best when he described the credit card companies as “phishing their own customers.”

So it comes as no surprise that I read today of 3-D Secure being spoofed during a transaction with Zopa, the online social lending site. In their customer newsletter, I read the following:

Thanks to one of our members who reported that during the process of paying funds into his lender account, he was presented with a ‘verified by Visa’ screen that requested his ATM pin code.
Suffice it to say that Zopa does not use this kind of verification so you should never submit any passwords or codes should you be prompted to do so via such a screen when using the Zopa site.

Zopa then go on to say that they have established the attack took place locally, and does not mean Zopa’s own systems were compromised in any way.

Common sense would suggest that over time, the Internet will become a more secure place in time. With the introduction of anti-security measures such as VBV and SecureCode, the opposite seems to be happening. The sooner these idiotic systems are scrapped the better. Security is not about systems, it’s about people. Designing security for the web requires more than just some flow charts.

For our part, we will not implement 3-D Secure for our customers until we are made to do so on pain of losing our credit card processing facilities.