Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

At a presentation at the Financial Cryptography and Data Security conference, a Cambridge University computer lab team dissected the 3-D Secure (3DS) protocol, branded as Verified By Visa and MasterCard SecureCode. The team found that not only is the protocol's own security lacking, but it sharply undermines other security mechanisms.

"3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol," wrote Cambridge University's Steven J. Murdoch and Ross Anderson. "It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It's bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent."

The pair, however, found that 3DS did get one part right: the money and where it comes from. Although "other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts."

The report is an impressive indictment of the processes surrounding this popular security tactic. (We quote extensively from the report in this article but have also linked to the report's full text.)

Murdoch and Anderson argue that the methodology 3DS uses actually undermines routine security procedures.

"In the initial form, 3DS would pop up a password entry form to a bank customer who attempted an online card payment. [The customer] would enter a password and, if it was correct, would be returned to the merchant Web site to complete the transaction," the report said. "Difficulties arose with pop-up blockers, and now the recommended mode of operation uses inline-frames ('iframe'). The merchant passes the card number to Visa or MasterCard and gets back a URL to embed in an iframe to display to the customer. If the customer executes the protocol successfully, the merchant gets an authorization code to submit to his bank. Security economics teaches that you're unlikely to get a secure system if Alice guards it while Bob pays the cost of failure."

The problem with this process is that it contradicts conventional anti-phishing advice, which makes phishing attacks more likely to succeed. "The standard advice given to customers to prevent phishing attacks is that they should only enter their bank password in TLS secured sites and where they have verified the domain name matches what they expect. Because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password," the report said. "This not only makes attacks against 3DS easier, but undermines other anti-phishing initiatives by contradicting previous advice (as do E-mails from banks containing clickable URLs). In fact, when one of the authors first encountered 3DS, he established that the iframe came from and called his bank, who informed him that this was a phishing site. Actually, this domain name belongs to Cyota (owned by RSA), the company to which many U.K. banks have outsourced the 3DS authentication process."

The report also takes issue with how 3DS handles passwords.

"Before 3DS can be used to authenticate transactions, cardholders must register a password with their bank. A reasonably secure method would be to send a password to the customer's registered address. But to save money, the typical bank merely solicits a password online the first time the customer shops online with a 3DS-enabled card, known as activation during shopping (ADS)," the Cambridge University paper said. "To confirm that the customer is the authorized cardholder, the ADS form may ask for some weak authenticators (e.g., date of birth), although not all banks do even this. From the customer's perspective, an online shopping Web site is asking for personal details. This further undermines customers' security usability and trust experience, and it is being exploited by criminals, with phishing Web sites impersonating the ADS form to ask for banking details. Also, because setting a password is a secondary task, [customers] are more likely to choose a poor password, or one they use elsewhere. While Visa requires that customers can opt out at least the first three times, banks may try to force 3DS activation after this stage by preventing the purchase. One of the authors attempted to opt out of using 3DS with a Maestro product. The issuer, the NatWest Bank (now majority-owned by the U.K. Government), did not allow even one card use without activating 3DS for the account."

The password problems get even worse.

"The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This [step] is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder's ATM PIN," the report said. "It's bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent. Another issuer-specified choice is how to reset the password when a customer forgets it. Here, again, corners are cut. Some banks respond to one or two failed password attempts by prompting an online password reset using essentially the same mechanisms as ADS. In a number of cases, the bank requires only the cardholder's date of birth, which is easily available from public records. With one (U.K. Government-owned) bank, two wrong password attempts simply lead to an invitation to set a new password."
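As an added illustration of the activation-during-shopping and password-reset weaknesses described in the two quoted passages above (example code written for this article, not from the Cambridge paper, any card scheme or any issuer), the toy model below contrasts an issuer that gates both ADS and password reset on nothing but the cardholder's date of birth, offering a reset after two wrong passwords, with one that requires a one-time code sent to the registered address and locks the card after repeated failures. The class names, the PAN, the date of birth, the code length and the failure thresholds are all constructed for the example. `takeover_with_dob` plays an attacker who holds only the card number and a birthdate obtained from public records; `brute_force_dob` shows that even the birthdate can simply be enumerated when nothing rate-limits the reset form.

```python
"""Toy model of issuer-side 3DS password handling.

Added example, not code from the Cambridge paper or from any card scheme
or issuer. WeakIssuer mirrors the practices the paper criticises (ADS and
reset gated only on date of birth, reset offered after two failures);
StrictIssuer uses an out-of-band code and a lockout. Every PAN, date,
threshold and code below is constructed test data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import secrets


@dataclass
class Card:
    pan: str                            # constructed test PAN
    dob: str                            # YYYY-MM-DD, the "weak authenticator"
    password: Optional[str] = None      # None until activated (ADS not yet done)
    failures: int = 0
    locked: bool = False
    pending_code: Optional[str] = None  # out-of-band code, strict issuer only


class WeakIssuer:
    """ADS and reset need only the DOB; two wrong passwords trigger a reset offer."""

    def __init__(self, cards):
        self.cards = {c.pan: c for c in cards}

    def activate(self, pan, dob, new_password):
        card = self.cards[pan]
        if dob != card.dob:             # DOB is the only check, as the paper describes
            return False
        card.password, card.failures = new_password, 0
        return True

    reset = activate                    # reset reuses the ADS mechanism

    def verify(self, pan, password):
        card = self.cards[pan]
        if card.password is not None and secrets.compare_digest(card.password, password):
            card.failures = 0
            return "AUTHORISED"
        card.failures += 1
        return "RESET_OFFERED" if card.failures >= 2 else "DENIED"


class StrictIssuer:
    """Activation and reset need a code posted to the registered address;
    MAX_FAILURES wrong passwords lock the card until that same path is used."""

    MAX_FAILURES = 3                    # constructed threshold

    def __init__(self, cards):
        self.cards = {c.pan: c for c in cards}

    def send_code(self, pan):
        # Generated here and "posted"; nothing is returned to the online requester.
        self.cards[pan].pending_code = secrets.token_hex(4)

    def activate(self, pan, code, new_password):
        card = self.cards[pan]
        if card.pending_code is None or not secrets.compare_digest(card.pending_code, code):
            return False
        card.password, card.failures = new_password, 0
        card.locked, card.pending_code = False, None   # code is single-use
        return True

    reset = activate

    def verify(self, pan, password):
        card = self.cards[pan]
        if card.locked or card.password is None:
            return "DENIED"
        if secrets.compare_digest(card.password, password):
            card.failures = 0
            return "AUTHORISED"
        card.failures += 1
        if card.failures >= self.MAX_FAILURES:
            card.locked = True
        return "DENIED"


def takeover_with_dob(issuer, pan, dob, chosen="attacker-pw"):
    """Attacker holds the PAN and the cardholder's DOB (public record), nothing else."""
    if not issuer.reset(pan, dob, chosen):
        return False
    return issuer.verify(pan, chosen) == "AUTHORISED"


def brute_force_dob(issuer, pan, min_age=18, max_age=100, today=date(2010, 1, 25)):
    """Enumerate plausible birthdates against a reset form that accepts nothing
    else and never rate-limits. Returns (dob_found_or_None, attempts)."""
    attempts = 0
    day = today - timedelta(days=365 * max_age)
    stop = today - timedelta(days=365 * min_age)
    while day <= stop:
        attempts += 1
        if issuer.reset(pan, day.isoformat(), "attacker-pw"):
            return day.isoformat(), attempts
        day += timedelta(days=1)
    return None, attempts


if __name__ == "__main__":
    pan, dob = "4000000000000002", "1975-06-14"   # constructed test data
    print("weak issuer, DOB known:", takeover_with_dob(WeakIssuer([Card(pan, dob)]), pan, dob))
    print("weak issuer, DOB guessed:", brute_force_dob(WeakIssuer([Card(pan, dob)]), pan))
    print("strict issuer, DOB known:", takeover_with_dob(StrictIssuer([Card(pan, dob)]), pan, dob))
```

Against the weak issuer the attacker succeeds on an unactivated card (abusing ADS) and on an activated one (abusing reset), and needs at most a few tens of thousands of guesses even without the birthdate. The strict issuer defeats both paths because the only secret that unlocks a reset is never returned over the same online channel the attacker controls, and a wrong-password loop ends in a lockout rather than a reset offer.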

This issue is a classic battle between expediency and security. To be fair, there is a legitimate security argument for expediency, but only if it sharply increases consumer participation, and only if that increased participation actually improves security. There is a PCI parallel here: even with all of its flaws, PCI has still sharply improved retail security.

That said, the Cambridge University report's well-reasoned case against the 3DS approach is more than enough to give security executives pause. But at this stage of market acceptance, is it too late? As a practical matter, this alarm is probably sounding much too late.