
3D Secure PIN and its security issues in online transactions

Banks hide fraud behind the name of the 3D Secure PIN and make the customer liable for it. The 3D Secure PIN has many security issues that affect the consumer, including phishing and the shifting of liability from the merchant to the customer in the case of fraudulent payments.

Banks hide behind the name "3D Secure PIN"

Nowadays a lot of fraudulent transactions happen every day, from small towns to metro cities, and everywhere ordinary people are the victims. In one report the victim was at home with the debit card in their wallet when a message arrived saying that a certain amount had been debited from the account. In another, the victim was at the office in, say, Mumbai and received a message that they had just made a purchase for a certain amount at a shopping mall in Delhi.


Once you become the victim of a fraudulent transaction, you are taken by surprise and immediately inform your bank. They register your complaint and generate a service request (SR) number on your behalf. Then they tell you that their back-end team will verify it (as per Visa and Mastercard guidelines) and get back to you in three or seven working days. When no reply comes, you start chasing the bank again.


And finally the turning point comes when the bank says: "We can't help you, because the transaction was done through the 3D Secure PIN, and the 3D Secure PIN is known only to the customer. So this is not an unauthorized transaction; it was fully authorized by the customer, and the customer, not the bank, is liable for it."

Now the question arises: what is the 3D Secure PIN, and is it really so secure? If so, why is the rate of fraudulent transactions rising so fast, why are there so many fraud complaints with the banks' complaint boards, in consumer forums and before the ombudsman, and why is a cyber cell needed to deal with fraudulent transactions? And why does the bank always safeguard the merchant and make the customer liable? The following paragraphs discuss what 3D Secure is, how it operates, its security issues, and how liability is shifted from the bank and merchant to the customer.


What is 3-D Secure?


  • 3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems (now CA Technologies) and first deployed by Visa, with the intention of improving the security of Internet payments; Visa offers it to customers under the name Verified by Visa.

  • Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode and by JCB International as J/Secure. American Express added 3-D Secure on November 8, 2010, as American Express SafeKey.


Note: Academic analysis of the protocol has shown it to have many security issues that affect the consumer, including a larger attack surface for phishing and a shift of liability from merchant to customer in the case of fraudulent payments.

What is the 3D Secure protocol?

The basic concept of the protocol is to tie the financial authorization process to an online authentication step. This additional authentication is based on a three-domain model (hence the "3-D" in the name): the issuer domain (the cardholder's bank and its Access Control Server), the acquirer domain (the merchant and its bank, with the merchant plug-in) and the interoperability domain (the card network's directory server, which links the other two). The three domains are shown in the picture below.


(Figure: the three domains of 3D Secure)

Key participants in a 3D Secure operation:



1. ACS (Access Control Server):


In the 3-D Secure protocol, the ACS sits on the issuer side (the bank). Currently most banks outsource the ACS to a third party. Commonly, the buyer's web browser shows the domain name of the ACS provider rather than the bank's domain name; however, this is not required by the protocol. Depending on the ACS provider, it is possible to specify a bank-owned domain name for use by the ACS.

2. MPI (merchant plug-in) providers:

Each 3-D Secure version 1 transaction involves two Internet request/response pairs: VEReq/VERes (verify enrolment: is this card enrolled, and which ACS handles it?) and PAReq/PARes (payer authentication: the password check and its signed result). Visa and MasterCard do not license merchants to send these requests to their servers directly; they isolate those servers by licensing software providers, called MPI (merchant plug-in) providers, whose software the merchant's site uses.

3. Merchant:

The online shop the cardholder is paying. Its website, through the MPI software, embeds the issuer's password page during checkout and, once the cardholder has authenticated, submits the authorization to its own (acquiring) bank.

4. Debit and credit card holder:

The customer who owns the card and is asked to enter the 3D Secure password in the pop-up or frame during checkout.



How does 3D Secure operate?

  • Originally, 3DS would pop up a password entry form to a bank customer who attempted an online card payment.

  • The customer would enter a password and, if it was correct, would be returned to the merchant's website to complete the transaction.

  • Difficulties arose with pop-up blockers, and the recommended mode of operation now uses inline frames (iframes): the merchant passes the card number to Visa or MasterCard (the VEReq/VERes exchange) and gets back a URL to embed in an iframe and display to the customer.

  • If the customer completes the protocol successfully (the PAReq/PARes exchange), the merchant gets an authorization code to submit to its bank.

Security issues of the 3D Secure PIN for the customer:

1. Confusing the user:

The system involves a pop-up window or inline frame appearing during the online transaction, requiring the cardholder to enter a password which, if the transaction is legitimate, their card-issuing bank will be able to authenticate. The problem for the cardholder is determining whether the pop-up window or frame really comes from their card issuer, when it could come from a fraudulent website attempting to harvest the cardholder's details. Such pop-up windows or script-based frames show no certificate information at all, leaving the cardholder no way to confirm the credentials of the 3-DS implementation.

The Verified by Visa system has drawn criticism because it is hard for users to tell the legitimate Verified by Visa pop-up window or inline frame apart from a fraudulent phishing site. This is because the pop-up window is served from a domain which is:
· Not the site where the user is shopping.
· Not the card-issuing bank.
· Not visa.com or mastercard.com.

The research paper from the Computer Laboratory of the University of Cambridge sheds light on the iframe and pop-up problem. It says that because the 3DS form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3DS easier but also undermines other anti-phishing initiatives by contradicting previous advice (as do emails from banks containing clickable URLs). In fact, when one of the authors first encountered 3DS, he established that the iframe came from securesuite.co.uk and called his bank, who informed him that this was a phishing site.
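To make the flow described under "How does 3D Secure operate?" concrete, and to show the point made just above, here is a small Python model of the participants (cardholder, merchant plug-in, directory server and ACS) and of the two request/response pairs. It is an added illustration written for this article; it is not the real 3-D Secure XML protocol and not any bank's or vendor's code. The message names come from the article, but the dictionary fields, the HMAC with a shared demo key that stands in for the ACS's signature on the PARes, the domain names, and the sample card number and password are all assumptions made here. The model shows that the password form the shopper sees is identical whether the frame points at the issuer's ACS or at a host a rogue merchant chose, and that a password harvested that way, replayed at an honest merchant, comes back as an authenticated transaction, which is exactly the case the bank then calls "authorized by the customer".

```python
"""Toy model of a 3-D Secure version 1 checkout, added to this article as an
illustration. It is not the real 3DS XML protocol and not any bank's or
vendor's code: the message names follow the article, but the dict fields, the
shared-key HMAC standing in for the ACS's PARes signature, and the sample card
and password data are all assumptions constructed for this demo."""
import hashlib
import hmac
import json
from urllib.parse import urlparse


def sign(key: bytes, msg: dict) -> str:
    """HMAC over canonical JSON; stands in for the real PARes signature."""
    return hmac.new(key, json.dumps(msg, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def verify_pares(key: bytes, pares: dict) -> bool:
    unsigned = {k: v for k, v in pares.items() if k != "signature"}
    return hmac.compare_digest(sign(key, unsigned), pares.get("signature", ""))


class ACS:
    """Issuer domain: holds the 3DS password, answers PAReq with a signed PARes."""

    def __init__(self, passwords: dict, signing_key: bytes):
        self._passwords = passwords      # PAN -> password (constructed sample)
        self._key = signing_key

    def handle_pareq(self, pareq: dict, password_entered: str) -> dict:
        expected = self._passwords.get(pareq["pan"], "")
        ok = hmac.compare_digest(expected.encode(), password_entered.encode())
        pares = {"pan": pareq["pan"], "amount": pareq["amount"],
                 "status": "Y" if ok else "N"}
        pares["signature"] = sign(self._key, pares)
        return pares


class PhishingACS:
    """A host the shopper was never meant to reach: it cannot forge a PARes the
    merchant plug-in will accept, but it keeps every password typed into it."""

    def __init__(self):
        self.harvested = []

    def handle_pareq(self, pareq: dict, password_entered: str) -> dict:
        self.harvested.append((pareq["pan"], password_entered))
        return {"pan": pareq["pan"], "amount": pareq["amount"],
                "status": "Y", "signature": "bogus"}


class DirectoryServer:
    """Interoperability domain: answers VEReq with enrolment and the ACS URL."""

    def __init__(self, acs_url_by_bin: dict):
        self._acs_url_by_bin = acs_url_by_bin   # first six digits -> ACS URL

    def handle_vereq(self, vereq: dict) -> dict:
        url = self._acs_url_by_bin.get(vereq["pan"][:6])
        return {"enrolled": url is not None, "acs_url": url}


def password_frame(frame_url: str) -> str:
    """What the shopper sees: a password form with no address bar, URL hidden."""
    return '<form method="post"><input type="password" name="pw"></form>'


def checkout(ds, servers, mpi_key, pan, amount, password, frame_url_override=None):
    """One purchase through the merchant plug-in. A dishonest merchant can set
    frame_url_override to point the password frame at a host it controls."""
    frame_url = frame_url_override or ds.handle_vereq({"pan": pan})["acs_url"]
    # The browser posts the password to whichever host the frame points at.
    acs = servers[urlparse(frame_url).netloc]
    pares = acs.handle_pareq({"pan": pan, "amount": amount}, password)
    ok = verify_pares(mpi_key, pares) and pares["status"] == "Y"
    return {"authenticated": ok, "frame_html": password_frame(frame_url),
            "pares": pares}


def demo():
    key = b"acs-signing-key-for-demo"          # assumed shared key, not real PKI
    real_acs = ACS({"4111111111111111": "hunter2"}, key)
    phish = PhishingACS()
    servers = {"acs.issuer-bank.example": real_acs, "secure-verify.example": phish}
    ds = DirectoryServer({"411111": "https://acs.issuer-bank.example/3ds"})
    honest = checkout(ds, servers, key, "4111111111111111", 5000, "hunter2")
    wrong = checkout(ds, servers, key, "4111111111111111", 5000, "guess")
    # A rogue merchant frames its own form; the shopper sees no difference.
    phished = checkout(ds, servers, key, "4111111111111111", 5000, "hunter2",
                       frame_url_override="https://secure-verify.example/3ds")
    # The attacker replays the harvested password at an honest merchant.
    pan, pw = phish.harvested[0]
    replay = checkout(ds, servers, key, pan, 75000, pw)
    return honest, wrong, phished, replay


if __name__ == "__main__":
    print([r["authenticated"] for r in demo()])   # [True, False, False, True]
```

Two things in the model are worth noticing. The merchant plug-in does verify the PARes, so the phishing host's forged result is rejected; the protocol protects the merchant. Nothing, however, protects the shopper from typing the password into the wrong frame, and once the password is out, the replay at an honest merchant produces a correctly signed "Y" PARes that the issuer treats as the customer's own authorization.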


2. Activation During Shopping:

Some card issuers also use Activation During Shopping (ADS), in which the cardholder has to create a password the first time they shop with the card. This typically takes them to a form in which they are expected to confirm their identity by answering security questions whose answers should be known to their card issuer. Again, this is done within the iframe, where they cannot easily verify whether they are giving this information to a legitimate site or to a compromised site or an illegitimate merchant. This further undermines the customer's security, usability and trust, and it is being exploited by criminals: phishing websites impersonate the ADS form to ask for banking details (see the figure below, reproduced from the University of Cambridge research paper "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication", https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf).


(Figure: examples of phishing sites targeting 3DS)
"Implementation of 3-D Secure sign-up will often not allow a user to proceed with a purchase until they have agreed to sign up to 3-D Secure and its terms and conditions, not offering any alternative way of navigating away from the page than closing it, thus suspending the transaction. Mobile browsers present particular problems for 3-D Secure, due to the common lack of certain features such as frames and pop-ups. In the end, many analysts have concluded that the Activation during Shopping (ADS) protocols invite more risk than they remove and furthermore transfer this increased risk to the consumer. "

3. Shifting of liability for fraud from merchant to customer:

3-D Secure ends up providing little security to the cardholder and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder. The legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability for fraudulent "cardholder not present" transactions.

(Note: Card-not-present transactions take place over the Internet, phone, or post, where the merchant and point-of-sale are not in the same physical location as the card and its holder. Fraudulent transactions of this type now account for a large proportion of bank fraud losses.)

The Cambridge University research says that 3DS is essentially a single sign-on system, operated by Visa and MasterCard, and that it differs in two main ways from existing schemes such as OpenID or InfoCard. First, its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up.


Note: A proposal to make 3D Secure mandatory in Australia was blocked by the Australian Competition and Consumer Commission (ACCC) after numerous objections and flaw-related submissions were received.


Conclusion:

After a proper look at 3D Secure, it is now clear how little the customer is protected by it and why the bank shields the merchant and puts the liability on the customer. The concern, then, is how to secure customers' data and avoid fraudulent transactions: banks should apply stronger authentication and validation on top of 3D Secure, with proper cyber investigation of disputed transactions, and add whatever additional security layers are needed to protect the interests of their customers. Instead of putting the liability on customers and hiding behind the scheme, they should invest in serious research-based methods to detect and prevent CNP (card-not-present) fraud, which continues to rise sharply despite the roll-out of 3D Secure.

Read it and share it, so that as many people as possible become aware of this.
