The 3D Secure Protocol: Implementation Flaws and Possible Resolutions
National Data Privacy Day is celebrated annually on January 28th in the United States, Canada, and a few European countries, with a focus on educating computer users about the protection of personally identifiable information on the World Wide Web. As we move towards a world where a significant portion of one’s daily life involves interaction with the World Wide Web, the National Data Privacy Day aims to bring about an increased awareness among users about protection of their online rights, methods to control personally identifiable information online, and regulations currently in place to that effect. The focus revolves around end-user education, even in scenarios where the technology used to ensure end-user privacy may not be adequate due to implementation flaws. An example of such an unfortunate scenario was recently demonstrated by researchers at the University of Cambridge, United Kingdom (UK). The researchers published a paper that describes implementation flaws in the 3D Secure (3DS) protocol, used for authentication verification when Visa or MasterCard based credit card transactions are performed (Verified by Visa/MasterCard SecureCode). The paper suggests that the approach to securing credit card transactions is liability driven, rather than security driven, ultimately resulting in a protocol implementation that is not end-user friendly.
Interestingly, the scope of the 3DS protocol covers transaction security only between the merchant, the bank, and an intermediate layer controlled by Visa/MasterCard. Banks are free to choose whatever mechanism they deem fit to verify the authenticity of the end-user performing the credit card transaction. Most banks use this fact to their advantage: liability for failed transactions is transferred to the end-user, even though the security mechanisms employed for such verification may not themselves be foolproof. Placing the onus of ensuring transaction security on the end-user would invariably result in fraudulent activity, given the average user's lack of security awareness. Schemes along the lines of, but superior to, 3DS with more robust security mechanisms (OpenID and InfoCard) are available. However, 3DS has prevailed as a result of being financially viable to banks. This viability may be because it allows banks to shift liability for fraudulent transactions to the end-user.
3DS requires that an end-user perform a one-time registration with the bank before performing a Visa/MasterCard transaction. Typically, a combination of the password chosen during 3DS registration and additional verification mechanisms such as a memorable passphrase or ATM PIN are presented as verification requirements to the end-user when performing subsequent online transactions. This one-time registration can also be performed the first time a customer conducts a 3DS-enabled online transaction, referred to as ADS (Activation during Shopping). As the paper rightly illustrates, a customer's primary task when performing the online transaction is to complete the purchase, not to register for 3DS or read the terms and conditions of 3DS registration. Therefore, an end-user might choose a weak password and also unwillingly or unknowingly accept terms and conditions regarding liability transfer, even though the security mechanisms employed by the bank may be inherently flawed. The fact that most banks force the end-user to accept the terms and conditions in order to perform a Visa/MasterCard based online transaction leaves the end-user with no choice, further weakening the purpose of registration.
There are numerous security loopholes brought forth by this paper, all of which point towards including the end-user within the scope of the protocol and towards a need for uniform standards across banks worldwide for end-user verification/authentication. These standards could perhaps be provided in a revision of the 3DS protocol. Stronger verification mechanisms that do not simply require an end-user to remember yet another password or enter a PIN would also be needed. The challenge lies in finding the right balance between making a user conscious of security and not making security a major roadblock during online transactions. In short, the overall responsibility for performing online transactions safely and securely should rest with the end-user, but the responsibility for ensuring that strong, foolproof authentication mechanisms are in place to facilitate such security should rest with banks; only then would banks have a sufficient basis for transferring liability to the end-user.
A possible approach could involve the compulsory use of one-time password (OTP) tokens when performing a Visa/MasterCard transaction, supplemented by transaction confirmations via SMS or other out-of-band communication. The OTP token would restrict the damage in case of a phishing or keylogging attack to that particular transaction, while the out-of-band communication would serve as confirmation of the processing of the transaction, acting as an alert in case of fraud. The cost involved in the deployment and maintenance of such systems might prove to be one of the drawbacks to its establishment. The ultimate solution might lie in moving towards a system where an additional layer of user authentication is performed that relies on "what is valid ephemerally", such as the numbers on an OTP token, rather than "what is valid permanently", such as a password or ATM PIN. The end-user would be responsible for the maintenance and availability of the OTP token, or for keeping a valid phone number on file with the bank, while banks in turn would be responsible for providing sufficiently secure means for the user to perform authentication. While not ensuring complete security, mechanisms along such lines would go a long way towards ensuring greater end-user trust in the online payment systems presented by the bank.
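To make the "valid ephemerally" versus "valid permanently" distinction concrete, the following is an added example of the bank-side check such a scheme would perform; it is not code from the paper or from any bank's 3DS implementation. It assumes the token implements a time-based HMAC one-time password (RFC 6238 TOTP over RFC 4226 HOTP), which the post does not specify, and the shared seed, transaction records and SMS text are all constructed for the demonstration. The point it shows is that a code captured by phishing or keylogging is rejected both on replay within the same time step and once the step has passed, and that an out-of-band confirmation is emitted whether or not the attempt succeeds, so the cardholder sees a declined attempt as well as an approved one.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; in practice it is provisioned to the token and
# stored by the issuing bank, never by the merchant.
SEED = b"demo-seed-shared-with-token"
STEP = 30      # seconds per time step, i.e. how long a code is "valid ephemerally"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP evaluated over the current time step."""
    return hotp(secret, int(now // step))


class IssuerAuthenticator:
    """Bank-side verifier for the OTP-plus-out-of-band scheme (hypothetical, added here)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window       # tolerate +/- one step of token clock drift
        self.consumed = set()      # time steps whose code has already been accepted
        self.outbox = []           # constructed stand-in for the SMS gateway

    def verify(self, txn: dict, code: str, now: float) -> bool:
        """Accept the code only if it matches a fresh, not-yet-used time step.

        A confirmation is queued on every attempt so that a declined attempt
        still alerts the cardholder.
        """
        current = int(now // STEP)
        approved = False
        for step in range(current - self.window, current + self.window + 1):
            if step in self.consumed:
                continue               # single use: a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.consumed.add(step)
                approved = True
                break
        status = "APPROVED" if approved else "DECLINED"
        self.outbox.append(
            f"[constructed SMS] {status} {txn['amount']} at {txn['merchant']}, ref {txn['id']}"
        )
        return approved


def demo():
    """Walk through a genuine use, a replay, and a stale captured code."""
    bank = IssuerAuthenticator(SEED)
    txn = {"id": "TXN-0001", "amount": "49.99 GBP", "merchant": "example-shop"}   # constructed
    t0 = 1_700_000_000.0

    code = totp(SEED, t0)                       # what the cardholder reads off the token
    genuine = bank.verify(txn, code, t0)        # True: fresh and unused
    replay = bank.verify(txn, code, t0 + 5)     # False: same step already consumed
    stale = bank.verify(txn, code, t0 + 5 * STEP)   # False: captured code has expired
    return genuine, replay, stale, list(bank.outbox)


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The `window` of one step on either side is the usual concession to token clock drift; widening it trades a slightly longer exposure for a captured code against fewer false declines, which is exactly the usability-versus-security balance the post describes.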
There appears to be a need for the involvement of regulatory bodies on behalf of the consumer to bring about this paradigm shift. As the paper points out, the Electronic Signature Directive of the European Union, which suggests absolving banks of liability in the presence of secure verification devices, is a step in the right direction. Whether the involvement of regulatory bodies brings about fruitful benefits to the average end-user remains to be seen.