MasterCard InsecureCode and Unverified by Visa – A Disaster Waiting to Happen

[Image: Verified by Visa badge]

There’s a plague of ill-conceived security initiatives currently infecting the internet.  At the spearhead of this plague we find the world’s two biggest card operators, Visa and MasterCard.  Within the last couple of years both have introduced new measures to verify the identity of people making online purchases.  These were supposed to help make transactions more secure and prevent fraud; in reality, they do the exact opposite.

The underlying idea is that you enter your payment details into a merchant’s website and then your bank, through either the Verified by Visa or MasterCard SecureCode program, will verify your identity.  This is done by way of a password associated with your card and usually presents itself through a frame on the merchant’s website.

Sound like a good idea?  Well let’s run through the two major issues with this approach.

Customer Conditioning

We are repeatedly told by banks, card companies and security consultants that our personal information should be kept confidential.  I just want to preface my following points with this quote, taken directly from the Visa Website:

‘Phishing’ is the term used for the activities of criminals who create and use fraudulent e-mails and associated websites. These are designed to look like e-mails and websites of well-known legitimate businesses, financial institutions, and government agencies.

These e-mails and websites are created in order to deceive internet users into disclosing their bank and financial account information or other personal data such as mother’s maiden name, addresses, usernames and passwords. This information could then be used for criminal purposes, such as identity theft and fraud.

And what do you do?

If you receive an e-mail claiming to come from Visa, your bank, or any other organisation, requesting personal account information, do not provide the details.

Emphasis added by me.  There’s very similar advice on the MasterCard website.

What they are saying is that there are websites out there that pretend to belong to your bank and ask for personal information.  If you come across one, you should not provide these details.

[Image: Verified by Visa process diagram]

So now we’ve got some best practice security advice, let’s look at the Verified by Visa process.  The diagram to the right briefly outlines the steps involved in buying something from a subscribed merchant.  Once you’ve entered your card details and submitted them to the merchant, a connection is made with your bank and you enter the Verified by Visa process.  At this point, one of two things can happen.  Either you will be prompted for your password, if you’ve already been signed up, or you are prompted to provide some personal information to verify your identity and then asked to create a password.  Regardless of which path you get taken down, it all happens within a frame on the merchant’s website.  I can’t stress this last part enough.  When you are entering these details, you are still on the merchant’s domain and their branding (and navigation etc.) is still present.  The form you enter your details into is just a small frame within the page.

[Image: Verified by Visa demonstration screenshot]

The image to the left, taken from a demo on the Visa website, should give you a feel for the process.  As you can see, the form really is completely integrated into the merchant’s site, with only your bank’s logo and the program’s logo available as a hint that you are sending your info elsewhere.

The dangers here are obvious, and really underline how badly conceived these programs are.  On the one hand we are warned not to give out personal information, specifically the information asked for when enrolling on these programs, unless you can trust the receiving party.  On the other hand, we are asked by our own banks to provide this information through third party merchants.

In addition to flying in the face of, and rendering obsolete, the advice given by the card companies, these programs condition users to partake in phishing scams.  The established advice for avoiding phishing scams should apply to your entire internet experience, yet certain parts of the advice would prevent you from using these security programs.  For example:

[Phishers] … typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc

Remember not all scam sites will try to show the “https://” and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like “http://www.gotyouscammed.com/paypal/login.htm?” Be aware of where you are going.

On point 1, this is the exact information requested from you and on point 2, you are supplying information about your bank account but the domain name is still that of the merchant.

To make matters worse, the implication is that if you do not sign up to the respective security program, you will not be allowed to make further online purchases.  And on that note, from the Anti-Phishing Working Group:

Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately

If it looks like a scam, smells like a scam and tastes like a scam, it’s probably just your bank and card issuer colluding to confuse you and place you in danger.

The net result of this is that an unscrupulous scammer could set up a site and insert a fake Verified by Visa or MasterCard SecureCode form to gather personal information.  There is little defence against this attack as a consumer.  And that’s just a specific attack focusing on these security programs; what’s more likely is that consumers will be more willing to enter personal and banking information into a phishing website because these legitimate, card provider and bank endorsed, schemes have psychologically conditioned them to think it is a normal, safe practice.  It’s not, and it is the exact practice the banks should be trying to prevent and discourage.

Hidden Threats

[Image: MasterCard SecureCode badge]

Above I’ve touched on some of the behavioural and psychological reasons for these programs being counterproductive, but there are other, more technical risks.  One of the key concepts behind these programs is that you verify your identity with your account issuing organisation and not the merchant.  This reduces the risk to you, as a consumer, of identity theft because your information never goes to the merchant.  Instead the merchant sends a request to your bank for a transaction and your bank makes sure it’s you, the account holder, triggering the transaction.  When it confirms (or otherwise) your identity, it simply issues confirmation to the merchant that you are who you claim to be.  It’s fairly basic challenge-response type stuff.

The problem is that all this happens within the merchant’s site.  So even legitimate merchants can install code that captures the information you provide to your bank and use it for their own means.  This is slightly different to the fake form problem I touched on above, as the transaction is entirely legitimate.  Think of it as someone watching over your shoulder as you withdraw money from an ATM.  You may not even know it’s happening, as your transaction will complete without any visible problems.  Perhaps a better analogy is handing your credit card to a waiter at a restaurant, only for them to disappear behind a counter and re-emerge with a terminal and your card.  Nine times out of ten they’ve simply gone to collect the billing terminal, but there’s always that one who’s cloned your card and is now looking over your shoulder to get your PIN number to go with it.

Again, without a fairly significant amount of technical savvy you’re just not going to be aware of all this going on behind the scenes.
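The post’s point is that the merchant controls the page, so a lookalike authentication form served from the merchant’s own origin looks identical to the issuer’s real frame, and only the frame’s origin tells you who actually receives what you type. The following is an added example (not code from the original post or from Visa/MasterCard) that classifies the frames on a checkout page by that origin; the page origin, issuer hostnames and frame descriptors are constructed so it runs offline under Node.

```javascript
// Resolve the origin a frame's content is served from. about:blank, srcdoc
// and javascript: frames inherit the origin of the embedding (merchant) page.
function frameOrigin(frame, topOrigin) {
  if (frame.srcdoc) return topOrigin;
  const src = frame.src || "";
  if (src === "" || src === "about:blank" || src.startsWith("javascript:")) return topOrigin;
  try {
    return new URL(src, topOrigin).origin; // a relative src resolves against the page
  } catch {
    return null; // malformed src: nothing trustworthy can be said about it
  }
}

// issuerOrigins: the HTTPS origins the cardholder's bank uses for its
// authentication pages (constructed here; not real Visa/MasterCard hosts).
function auditFrames(topOrigin, frames, issuerOrigins) {
  const trusted = new Set(issuerOrigins);
  return frames.map((frame) => {
    const origin = frameOrigin(frame, topOrigin);
    let verdict;
    if (origin === null) verdict = "unparseable-src";
    else if (origin === topOrigin) verdict = "merchant-origin"; // the merchant's form, whatever it claims
    else if (!origin.startsWith("https:")) verdict = "not-https";
    else if (trusted.has(origin)) verdict = "issuer";
    else verdict = "unknown-third-party";
    return { name: frame.name, origin, verdict };
  });
}

// Constructed checkout page: one genuine issuer frame, one inline lookalike,
// one lookalike loaded from a relative path, a plaintext issuer frame and an ad.
const SAMPLE_TOP_ORIGIN = "https://shop.example";
const SAMPLE_ISSUERS = ["https://acs.bank.example"];
const SAMPLE_FRAMES = [
  { name: "acs", src: "https://acs.bank.example/3ds/challenge?txid=demo" },
  { name: "vbv-inline", srcdoc: "<form>Verified by Visa ...</form>" },
  { name: "vbv-local", src: "/checkout/vbv.html" },
  { name: "acs-plain", src: "http://acs.bank.example/3ds/challenge" },
  { name: "promo", src: "https://ads.example/banner.html" },
];

function auditSampleCheckout() {
  return auditFrames(SAMPLE_TOP_ORIGIN, SAMPLE_FRAMES, SAMPLE_ISSUERS);
}
```

In a browser the same descriptors come from `document.querySelectorAll("iframe")`, which is why a merchant-origin verdict on a frame labelled as your bank is the signal the post says a consumer has no other way to see.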

It’s For Your Own Good, Really!

The really interesting aspect of both these programs is that they are actually aimed at reducing risk and liability for the card issuer and merchant.  In a standard Card Not Present transaction, the burden of security falls on the merchant.  And where a scammer uses stolen information to make a purchase, in the majority of cases, the card issuer will repay the victim and then attempt to reclaim some or all of the costs from the merchant through “chargebacks”.  These schemes aim to reduce the number of fraudulent transactions and, this is a key point, place the burden of proof on the consumer.  The following is taken from the Verified by Visa merchant site:

Eliminate chargebacks
Verified by Visa helps protect you from fraudulent claims from cardholders – that they didn’t take part in, or authorise, a payment. Once you are up and running with Verified by Visa, you are no longer liable for chargebacks of this nature.

To the consumer, this means it is less likely that the card issuer will refund the costs incurred from fraudulent activity involving the consumer’s account.  If you have signed up to one of these programs, the only way someone could make a purchase from a merchant signed up to the scheme is if you have given your password to someone else.  Right?  Therefore, it’s your fault, and not the fault of the card issuer or the merchant.

One might say that the fight against fraud is mutually beneficial, and I’d agree.  What isn’t mutually beneficial is the transfer of liability on to the consumer.

Alternatives?

Clearly the current system has some fatal flaws.  It seems very much as if a technical solution was found to a largely social and behavioural problem.  There’s no doubt that technology can be an enabler in these circumstances, and that any solution has to be technically sound, but a purely technical solution will not work.

In my opinion, the solution needs to adhere to the following rules:

  1. Encourage security best practice, such as non-divulgence of personal information to untrusted parties, and reinforce compliant actions.
  2. Be technically resilient to attacks.
  3. Clearly identify itself and establish trust (it should only attempt to establish trust if it is truly trustworthy, i.e. meets the other requirements and is impossible to fake).
  4. Be compatible with, not in contradiction to, anti-phishing advice.
  5. Follow usability best practices.
  6. Correctly identify the initiator of the transaction and confirm them as an authorised user of the account.
  7. Clearly state the information being sought by the merchant and for what purpose.

I think that’s a decent start.  I’d be interested to see the requirements initially stated for these programs.

One thing is clear: the current methods fall short of these requirements and represent a ticking time bomb, a disaster waiting to happen.

What are your thoughts on these programs?  Have you signed up?  Did you have a choice?