Well, I think it will take more than any single technology to put a stop to fraud, but there are indeed problems:
* I'm not well enough acquainted with 3D Secure and alternatives such as OpenID and InfoCard to compare their effectiveness, but I can confirm that Verified by Visa is a frequent phishing target, and I can see that customer confusion over "inconsistent authentication methods" could be a contributing factor to the success of such scams.
* I'm even more concerned, though, by the claim that Verified by Visa passwords can be reset by anyone who has access to the card details and the cardholder's date of birth. As John Leyden remarks, date of birth is often a matter of public record, even for those of us who don't make all our data available on LinkedIn or Facebook. If this claim is accurate, it's even more disquieting than the risky use of verification data I discussed here as well as in past blogs.
But going back to the first point about shifting liability, this surely shouldn't come as too much of a surprise. When the details of such black arts as skimming and carding were known only to the criminals and to a few specialists in and out of the banking sector, financial services providers were all too ready to fall back on "you must have given someone your PIN". There were even cases where victims found themselves facing fraud charges. The evolution of defensive measures like CVV and Chip & PIN technology has benefited customers, no doubt. But when you're dealing with any service provider, you need to be aware of the way in which they look at security.
There are a limited number of ways of dealing with risk.
* If you're lucky, you can eliminate it. Unfortunately, that isn't often possible in information security, even though companies selling the panacea du jour will sometimes tell you it is.
* Usually you can mitigate it, using both technological measures (anti-malware, IPS and so on) and social engineering (in a non-pejorative sense of the term: user education and effective policy enforcement, for example).
* You can accept it: there are instances where the risk or the consequences of the security breach aren't considered high enough to merit the cost of elimination or mitigation.
* Or you can transfer it so that it becomes someone else's problem. Insurance is a classic example of risk transfer, but throwing the cost back to the customer makes perfect sense for many businesses in many contexts. It's a little naive to expect bankers to be more generous in this respect than healthcare providers and governments. You may remember the definition of bankers often attributed to Mark Twain: "A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain."
The Cambridge paper is here, and well worth reading.
* http://en.wikipedia.org/wiki/Pushmi-pullyu#The_Pushmi-pullyu
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence