Researchers at Cambridge University have spoken out against the Verified by Visa and SecureCode online payment verification systems, saying that they are both intrinsically dangerous for consumers looking to shop on the internet.
The researchers have specifically attacked the 3-D Secure protocol that both MasterCard and Visa use in registering and confirming the identities of its customers when they shop online.
Researchers Steven Murdoch and Ross Anderson have just published a paper which examines the inadequacies and flaws of the 3-D Secure protocol in depth and concludes that its popularity has become widespread because for businesses it is cost effective, whilst in reality it is far less secure than its rivals.
The biggest criticism levelled at the protocol is that it operates in a counter-intuitive and confusing manner. Average consumers are taught never to enter details into a site or page of which they do not know the origin, but 3-D Secure creates a pop-up or iframe that has no address bar and so could easily be taken to be a phishing site.
So not only does 3-D secure compromise the efforts of those campaigners working to raise awareness of the dangers of phishing sites, but it leaves itself open for criminals to easily copy its design and then harvest the credit card details of trusting users online.
The final blow comes in the form of the registration process, which is usually performed when the customer is attempting to check out an item from a third party website. Personal details are included in this process, as not only are bank details and card numbers required, but items such as date of birth also come into play.
In addition to providing inadequate security, the researchers also claim that in some instances the use of the 3-D secure protocol has been used by businesses to apportion the responsibility of online identity theft away from them and onto the unsuspecting customer in question.
Mr Murdoch and Mr Anderson propose that the only solution is to look at the long term and require that businesses involved with the 3-D Secure protocol move their systems over to a better system for online credit card authentication.
