Cambridge researchers knock Verified by Visa

The credit-card check has been criticised for giving online shoppers unclear signals about whether they should trust it, and teaching bad habits about security
Written by Tom Espiner, Contributor

The 'Verified by Visa' credit-card check has come under criticism from Cambridge University researchers, who said it is training online shoppers to adopt risky security habits.

The feature, which is used to authenticate online financial transactions, confuses users by not displaying security cues, security engineering researchers Ross Anderson and Steven Murdoch said in a paper published on Tuesday.

"The technical design of Verified by Visa trains people in appallingly bad security habits," Anderson told ZDNet UK. "It gives the wrong signals."

The protocol underlying Verified by Visa, as well as competitor MasterCard's SecureCode service, is 3-D Secure (3DS). The protocol is implemented as an iframe pop-up box, said Anderson. The pop-up does not display any of the commonly used markers, such as a colour-coded browser bar or 'https' in the URL, that would demonstrate the box has been secured using the Transport Layer Security (TLS) protocol.

Because of this, online buyers have no visual verification that the box is a valid part of the credit-card transaction. If they enter their password when asked without knowing for certain it is protected, that is a bad security habit, the paper's authors argue.

The password-activation process for 3DS is also a weak spot, according to the researchers. Shoppers are asked to set up a password the first time they try to use a 3DS-enabled card for an online transaction. The process used for this is known as activation during shopping, or ADS. However, the ADS form presented to the buyer may rely only on weak authenticators, such as date of birth, said the researchers, and dates of birth are readily available online.

By training people to enter personal details into a form they may not fully trust, the 3DS system lays the groundwork for criminals to ask for more sensitive information, such as banking details, in a fake form, the researchers argue. A spoofed version of the form has been used in phishing attacks, they added.

Visa Europe on Wednesday rejected the researchers' criticisms. "Visa does not wholly agree with the premise and conclusions set out in the new paper by Cambridge researchers, which describes theoretical scenarios in which they believe Verified by Visa could be compromised," the credit-card company said. "Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions."

In isolation, the security feature cannot solve the problem of online fraud, Visa noted. However, as part of a verification system with several layers of security, Verified by Visa limits opportunities for fraudulent transactions, it said.

In addition, card-not-present fraud has fallen, according to figures from Financial Fraud Action UK. Visa attributed this fall to the implementation of online security procedures such as Verified by Visa.
