PC World (and other's) are reporting that (according to Cambridge researchers) both Verified by Visa and MasterCard Secure Code don't provide adequate security.  They also argue that for "buying" into the system, merchants are less liable for fraudulent transactions and that some banks, such as RBS are shifting the liability to consumers.  Nice.   Speaking of nice...The Register had this to say:













A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.



The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a passwordor portions of a password to complete an on-line purchase.



As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.



That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.



One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another. 



The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.



Continue Reading at PC World



Here's More: (gotta love the title)



Verified by Visa bitchslapped by Cambridge researchers

Secondary credit card security systems for online transactions such as Verified by Visa are all about shifting blame rather then curtailing fraud, Cambridge University security researchers argue.



The 3D Secure system - branded as either Verified by Visa or MasterCard SecureCode - has become a ubiquitous extra line of security for many online transactions, with over 200 million cardholders registered. The number of merchants who insist that users submit an additional password and re-submit a CVV code in order to authorise a transaction makes it hard to shop online without using the technology.







Posted by John B. Frank Wednesday, January 27, 2010

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers