Softpedia
December 2nd, 2011, 16:08 GMT · By Eduard Kovacs

‘Verified by Visa’ Presents Major Security Flaw

Verified by Visa doesn't mean it's completely secure
Trend Micro researchers have found that the technology behind the Verified by Visa trademark is much less secure than anyone would believe. No coding error is to blame; instead, it is a design flaw that could be taken advantage of by cyber and non-cyber criminals alike.

The 3 Domain Secure (3DS) security protocol, introduced by Visa in 2001, was developed to prevent credit card fraud. While its purpose is noble, in practice it is not so effective.

The way the protocol works is pretty simple. When we make an online transaction that’s protected by Visa, we are redirected to a verification page that requires confirmation of some details and a password. Since the merchant doesn’t come in contact with our details at any point in the process, theoretically, the transaction should be secure.

It sounds good in theory, but the problem emerges in the password reset feature offered by Visa.

When the customer accesses the password reset function, he is presented with a form that asks for some of the cardholder's details in order to prevent fraud. The problem is that all of that data can be found on the physical credit card.

The signature panel code, expiry date, cardholder name and birth date are requested from the customer in order to complete the reset process. All of these details except the birth date are printed on the card, and they are also the details first obtained by any cybercriminal in operations that target credit cards.

The researchers propose that this verification method should at least be updated to include a secret question, that a one-time password reset URL should be sent to the user's email address, and that the entire procedure should result in a notification to the cardholder.
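As an added illustration (not code from the article, from Visa or from Trend Micro), the Python below models the two reset flows the article contrasts: the existing one, in which the card-printed details plus a birth date are enough to change the password silently, and a hardened one along the lines of the researchers' proposal, with a secret answer that is not on the card, a single-use emailed reset link that expires, and a notification when the change completes. The account fields, the example URL and the 15-minute link lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
_pending = {}  # sha256(token) -> (account, expiry); only the hash is kept server-side
@dataclass
class Account:  # constructed record; field names are assumptions, not Visa's schema
    cardholder: str
    expiry: str
    signature_panel_code: str
    birth_date: str
    secret_answer: str  # knowledge that is not printed on the card
    email: str
    password: str
    notifications: list = field(default_factory=list)  # messages sent to the cardholder

def card_facts_match(acct, cardholder, expiry, spc, birth_date):
    supplied = f"{cardholder}|{expiry}|{spc}|{birth_date}"
    stored = f"{acct.cardholder}|{acct.expiry}|{acct.signature_panel_code}|{acct.birth_date}"
    return hmac.compare_digest(supplied, stored)

# Weak flow as the article describes it: card details plus a birth date suffice, the password changes at once, nobody is told.
def weak_reset(acct, cardholder, expiry, spc, birth_date, new_password):
    if not card_facts_match(acct, cardholder, expiry, spc, birth_date):
        return False
    acct.password = new_password
    return True

# Hardened flow along the researchers' proposal: secret not on the card, single-use emailed link, notification on completion.
def request_reset(acct, cardholder, expiry, spc, birth_date, secret_answer, now):
    if not card_facts_match(acct, cardholder, expiry, spc, birth_date):
        return None
    if not hmac.compare_digest(secret_answer, acct.secret_answer):
        return None
    token = secrets.token_urlsafe(32)
    _pending[hashlib.sha256(token.encode()).hexdigest()] = (acct, now + RESET_TTL_SECONDS)
    acct.notifications.append(f"to {acct.email}: reset link https://example.invalid/reset?t={token}")
    return token  # in production the token leaves the server only inside that email

def complete_reset(token, new_password, now):
    entry = _pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    if entry is None:
        return False
    acct, expires_at = entry
    if now > expires_at:
        return False
    acct.password = new_password
    acct.notifications.append(f"to {acct.email}: password changed; contact us if this was not you")
    return True
```

Note that the hardened flow still checks the same card facts; what changes is that they are no longer sufficient on their own, and that every attempt leaves a trace the cardholder can see.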

Worryingly, the 3DS security protocol is not only used by Visa. Websites that display MasterCard Secure Code, J/Secure (JCB International) and SafeKey (American Express) basically implement the same technology.

Also, this reminds me of what a hacker from Operation Robin Hood said yesterday about knowing foreigners who can bypass the Verified by Visa certification for a mere $5 (3.5 EUR).

READER COMMENTS:


Comment #1 by: eric on 02 Dec 2011, 21:29 UTC

Incorrect. If you lose your card, you report it lost and if you were smart your provider provides fraud protection/recovery. The idea is that only the person with the card can make the purchase which is insured by the trademark. What a joke of an article.

Copyright © 2001-2012 Softpedia