Abstract
Banks worldwide are starting to authenticate online card transactions using the `3-D Secure' protocol, which is branded as Verified by Visa and MasterCard Secure Code. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards (EMV comes from the initial letters of Euro-pay, MasterCard, VISA) for cardholder-present payments. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. The 3-Domain Secure protocol specification defines an architecture and protocol for verifying cardholder account ownership during a purchase transaction in the remote environment. After initiating the final purchase action, the cardholder is placed into a dialog with his issuing financial institution. The Issuer authenticates the cardholder and sends a confirmation of identity back to the merchant; the merchant completes the transaction.
Users
Please
log in to take part in the discussion (add own reviews or comments).