3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems (now CA Technologies) and was first deployed by Visa with the intention of improving the security of Internet payments, offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode, and by JCB International as J/Secure. American Express added 3-D Secure on November 8, 2010, as American Express SafeKey, in select markets and continues to launch it in additional markets. Analysis of the protocol by academics has shown it to have many security issues that affect the consumer, including a greater surface area for phishing and a shift of liability onto the cardholder in the case of fraudulent payments.
3-D Secure adds authentication steps to online payments.
Description and basic aspects
The basic concept of the protocol is to tie the financial authorization process to an online authentication. This additional security authentication is based on a three-domain model (hence the 3-D in the name). The three domains are:
- Acquirer Domain (the bank and the merchant to which the money is being paid).
- Issuer Domain (the bank which issued the card being used).
- Interoperability Domain (the infrastructure provided by the card scheme, whether credit, debit, prepaid or another type of payment card, to support the 3-D Secure protocol). It includes the Internet, the merchant plug-in (MPI), the access control server (ACS) and other software providers.
The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).
Transactions using Verified by Visa or SecureCode initiate a redirect to the website of the card-issuing bank to authorize the transaction. Each issuer can use any kind of authentication method (the protocol does not cover this), but typically a password-based method is used, so effectively buying on the Internet means using a password tied to the card. The Verified by Visa protocol recommends that the bank's verification page be loaded in an inline frame session. In this way the bank's systems can be held responsible for most security breaches. Today it is easy to send a one-time password to the user's mobile phone as part of an SMS text message, or by email, for authentication, at least during enrollment and for forgotten passwords.
The main difference between the Visa and MasterCard implementations lies in the method for generating the UCAF (Universal Cardholder Authentication Field): MasterCard uses the AAV (Accountholder Authentication Value) and Visa uses the CAVV (Cardholder Authentication Verification Value).
Implementations
The current specification is version 1.0.2. The previous versions 0.7 (used only by Visa USA) and 1.0.1 have become redundant and are no longer supported. MasterCard and JCB have adopted version 1.0.2 of the protocol only.
In order for a Visa or MasterCard member bank to use the service, the bank has to operate appropriate software that supports the latest protocol specification. Once the software is installed, the member bank performs product integration testing with the payment system server before rolling out the system.
ACS provider
In the 3-D Secure protocol, the ACS (Access Control Server) is on the issuer side (the bank). Currently most banks outsource the ACS to a third party. Commonly, the buyer's web browser shows the domain name of the ACS provider rather than the bank's domain name; however, this is not required by the protocol. Depending on the ACS provider, it is possible to specify a bank-owned domain name for use by the ACS.
MPI Provider
Each 3-D Secure version 1 transaction involves two Internet request/response pairs: VEReq/VERes (Verify Enrollment, between the MPI and the scheme's Directory Server) and PAReq/PARes (Payer Authentication, relayed through the cardholder's browser to and from the issuer's ACS). Visa and MasterCard do not license merchants to send requests to their servers directly. They isolate their servers by licensing software providers, called MPI (merchant plug-in) providers, instead.
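The two message pairs above, as an added example that is not part of the original article and not any MPI vendor's code: a Python sketch of the merchant plug-in side. It parses the VERes (refusing to continue unless the ACS URL the Directory Server hands back is https), builds the PAReq, packs it the way it travels through the browser (deflate plus base64), and validates the PARes that comes back, rejecting one whose xid, merchant or amount does not match what was sent or that carries no signature. It also covers the UCAF/CAVV point from the implementations section: the CAVV and ECI the MPI extracts are what go into the authorization. Element names follow the public 1.0.2 message layout but the schema is simplified; the merchant IDs, ACS URL and stub ACS reply are constructed, and XML-DSig verification against the scheme certificate is reduced to a presence check.

```python
# MPI side of a 3-D Secure 1.0.2 exchange: VEReq/VERes with the Directory
# Server, then PAReq/PARes through the cardholder's browser.  Added example,
# not any vendor's MPI: the schema is simplified and the IDs, URLs and the
# stub ACS reply are constructed.  A real MPI also verifies the PARes XML-DSig.
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from collections import namedtuple

VERSION = "1.0.2"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
LIABILITY_SHIFT = ("Y", "A")  # authenticated / attempt acknowledged by the issuer
Purchase = namedtuple("Purchase", "amount_minor currency")  # (12345, "840") == USD 123.45

def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, tag)
    el.text = None if text is None else str(text)
    return el

def _message(kind):
    root = ET.Element("ThreeDSecure")
    msg = ET.SubElement(root, "Message", id=secrets.token_hex(8))
    return root, msg, _sub(msg, kind)

def pack(xml_text):
    """PAReq and PARes cross the browser deflate-compressed and base64-encoded."""
    return base64.b64encode(zlib.compress(xml_text.encode())).decode()

def unpack(blob, limit=64 * 1024):
    """The PARes arrives from the browser, so bound the inflated size."""
    return zlib.decompressobj().decompress(base64.b64decode(blob), limit).decode()

def parse_veres(xml_text):
    """Enrollment status plus the ACS URL the cardholder's browser will be sent to."""
    res = ET.fromstring(xml_text).find("./Message/VERes")
    if res is None:
        return {"enrolled": "U", "reason": "not a VERes"}
    enrolled, url = res.findtext("CH/enrolled"), res.findtext("url") or ""
    if enrolled == "Y" and not url.startswith("https://"):
        return {"enrolled": "U", "reason": "ACS URL is not https"}  # never post a PAReq in clear
    return {"enrolled": enrolled, "acct_id": res.findtext("CH/acctID"), "acs_url": url}

def build_pareq(acct_id, expiry_yymm, purchase, acq_bin, mer_id):
    """Payer Authentication Request; the random xid later ties the PARes to it."""
    xid = base64.b64encode(secrets.token_bytes(20)).decode()
    root, _, req = _message("PAReq")
    _sub(req, "version", VERSION)
    m, p, ch = _sub(req, "Merchant"), _sub(req, "Purchase"), _sub(req, "CH")
    _sub(m, "acqBIN", acq_bin), _sub(m, "merID", mer_id)
    _sub(p, "xid", xid), _sub(p, "purchAmount", purchase.amount_minor)
    _sub(p, "currency", purchase.currency), _sub(p, "exponent", 2)
    _sub(ch, "acctID", acct_id), _sub(ch, "expiry", expiry_yymm)
    return xid, pack(ET.tostring(root, encoding="unicode"))

def validate_pares(packed, xid, acq_bin, mer_id, purchase):
    """Accept a PARes only if it answers our PAReq, for this merchant and this amount."""
    try:
        root = ET.fromstring(unpack(packed))
    except (ValueError, zlib.error, ET.ParseError) as exc:
        return {"accepted": False, "reason": f"undecodable PARes: {exc}"}
    res = root.find("./Message/PARes")
    if res is None:
        return {"accepted": False, "reason": "not a PARes"}
    checks = {  # the xid check stops a PARes from another sale (or an old one) being replayed here
        "xid": res.findtext("Purchase/xid") == xid,
        "merchant": (res.findtext("Merchant/acqBIN"), res.findtext("Merchant/merID")) == (acq_bin, mer_id),
        "amount": (res.findtext("Purchase/purchAmount"), res.findtext("Purchase/currency"))
        == (str(purchase.amount_minor), purchase.currency),
        "signed": root.find(f".//{{{XMLDSIG}}}Signature") is not None,  # real MPI: verify it
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return {"accepted": False, "reason": "mismatch: " + ", ".join(failed)}
    status, cavv, eci = (res.findtext(f"TX/{t}") for t in ("status", "cavv", "eci"))
    if status not in ("Y", "N", "U", "A"):
        return {"accepted": False, "reason": f"bad status {status!r}"}
    if status in LIABILITY_SHIFT and not (cavv and eci):
        return {"accepted": False, "reason": "Y/A status without CAVV and ECI"}
    # The CAVV rides in the authorization (the UCAF field); the ECI tells the acquirer what was proven.
    return {"accepted": True, "status": status, "liability_shift": status in LIABILITY_SHIFT,
            "cavv": cavv, "eci": eci}

def stub_acs_pares(xid, acq_bin, mer_id, purchase, status, signed=True):
    """Constructed stand-in for the issuer's ACS reply (a real PARes carries an XML-DSig)."""
    root, msg, res = _message("PARes")
    _sub(res, "version", VERSION)
    m, p, tx = _sub(res, "Merchant"), _sub(res, "Purchase"), _sub(res, "TX")
    _sub(m, "acqBIN", acq_bin), _sub(m, "merID", mer_id)
    _sub(p, "xid", xid), _sub(p, "purchAmount", purchase.amount_minor), _sub(p, "currency", purchase.currency)
    _sub(tx, "status", status)
    if status in LIABILITY_SHIFT:
        _sub(tx, "cavv", base64.b64encode(secrets.token_bytes(20)).decode())
        _sub(tx, "eci", "05" if status == "Y" else "06")  # Visa ECI values for Y / A (assumed here)
    if signed:
        ET.SubElement(msg, f"{{{XMLDSIG}}}Signature").text = "stub"
    return pack(ET.tostring(root, encoding="unicode"))
```

The xid check is the one most often skipped in home-grown MPIs: without it, a PARes captured from a successful authentication of some other sale can be posted back to the merchant's return URL and accepted, and the amount check is what stops a PARes for a smaller purchase being reused for a larger one. Status U (authentication unavailable) is accepted here but flagged with no liability shift; whether to proceed on U is the merchant's risk decision, not the protocol's.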
Merchants
The benefit for merchants is a reduction in "unauthorized transaction" chargebacks. One disadvantage for merchants is that they have to purchase an MPI to connect to the Visa or MasterCard Directory Server. This is expensive (setup fee, monthly fee and per-transaction fee); at the same time it represents additional revenue for MPI providers. Supporting 3-D Secure is complicated and at times creates transaction failures. Perhaps the biggest disadvantage for merchants is that many users perceive the additional authentication step as a nuisance or obstacle, which results in a substantial increase in transaction abandonment and lost revenue.
Buyers and credit card holders
The intention behind the system is that cardholders will have a decreased risk of other people being able to use their payment cards fraudulently on the Internet.
In the current implementation of 3-D Secure, the issuing bank or its ACS provider prompts the buyer for a password that is known only to the bank/ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the purchaser is indeed their cardholder. This is intended to help decrease risk in two ways:
- Copying card details, either by writing down the numbers on the card itself or via a modified terminal or ATM, does not result in the ability to purchase over the Internet because of the additional password, which is not stored on or written on the card.
- Since the merchant does not capture the password, there is a reduced risk from security incidents at online merchants; while an incident may still result in hackers obtaining other card details, there is no way for them to get the associated password.
3-D Secure does not strictly require the use of password authentication. It is said to be possible to use it in conjunction with smart card readers, security tokens and the like. These types of devices might provide a better user experience for customers as they free the purchaser from having to use a secure password. Some issuers are now using such devices as part of the Chip Authentication Program or Dynamic Passcode Authentication schemes.
One significant disadvantage is that cardholders are likely to see their browser connect to unfamiliar domain names as a result of vendors' MPI implementations and the outsourced ACS implementations used by issuing banks, which might make it easier to perform phishing attacks on cardholders.
American Express SafeKey
American Express SafeKey is live in the following markets: Algeria, Australia, Austria, Bahrain, Bangladesh, China, Cyprus, Egypt, Finland, France, Germany, Greece, Hong Kong, India, Iraq, Italy, Japan, Jordan, Kenya, Kuwait, Lebanon, Lesotho, Libya, Malaysia, Mauritania, Mongolia, Morocco, Namibia, Netherlands, New Zealand, Oman, Peru, Philippines, Qatar, Russia, San Marino, Singapore, Somalia, South Africa, Sri Lanka, Sweden, Switzerland, Tanzania, Tunisia, Turkey, UAE, Uganda, United Kingdom, Vatican City, Vietnam, Yemen.
General criticism of 3-D Secure
Verification of site identity
The system involves a pop-up window or inline frame appearing during the online transaction process, requiring the cardholder to enter a password which, if the transaction is legitimate, their card-issuing bank will be able to authenticate. The problem for the cardholder is determining whether the pop-up window or frame is really from their card issuer, when it could be from a fraudulent website attempting to harvest the cardholder's details. Such pop-up windows or script-based frames lack access to any security certificate, eliminating any way to confirm the credentials of the 3-DS implementation.
The Verified by Visa system has drawn some criticism, since it is hard for users to differentiate between the legitimate Verified by Visa pop-up window or inline frame and a phishing site. This is because the pop-up window is served from a domain which is:
- Not the site where the user is shopping.
- Not the card-issuing bank.
- Not visa.com or mastercard.com.
In some cases, the Verified by Visa system has been mistaken by users for a phishing scam and has itself become the target of some phishing scams. The newer recommendation to use an inline frame (iframe) instead of a pop-up has reduced user confusion, at the cost of making it harder, if not impossible, for the user to verify that the page is genuine in the first place. As of 2011, most web browsers do not provide a way to check the security certificate for the contents of an iframe. Some of these concerns about site validity for Verified by Visa are mitigated, however, as its current implementation of the enrollment process requires entering a personal message which is then displayed in genuine Verified by Visa pop-ups.
Some card issuers also use Activation During Shopping (ADS), in which cardholders who are not registered with the scheme are offered the opportunity to sign up (or are forced to sign up) during the purchase process. This will typically take them to a form in which they are expected to confirm their identity by answering security questions which should be known to their card issuer. Again, this is done within an iframe where they cannot easily verify the site to which they are providing this information; a cracked site or illegitimate merchant could in this manner harvest all the details they provide as customers.
3-D Secure sign-up implementations will often not allow a user to proceed with a purchase until they have agreed to sign up to 3-D Secure and its terms and conditions, offering no alternative way to navigate away from the page than closing it, thus suspending the transaction.
Cardholders who are unwilling to take the risk of registering their card during a purchase, with the commerce site controlling the browser to some extent, can in some cases go to their bank's home page on the web in a separate browser window and register from there. When they return to the commerce site and start over, they should see that their card is registered. The presence on the password page of the Personal Assurance Message (PAM) that they chose when registering is their confirmation that the page is coming from the bank. This still leaves some possibility of a man-in-the-middle attack if the cardholder cannot verify the SSL server certificate for the password page. Some commerce sites will devote the full browser page to the authentication rather than using a frame (not necessarily an iframe), which is a less secure object. In this case, the lock icon in the browser should show the identity of either the bank or the operator of the verification site. The cardholder can confirm that this is in the same domain that they visited when registering their card, if it is not the domain of their bank.
The mobile browser presents particular problems for 3-D Secure, due to the common lack of features such as frames and pop-ups. Even if the merchant has a mobile website, unless the issuer is also mobile-aware, the authentication pages may fail to render properly, or at all. In the end, many analysts have concluded that the Activation During Shopping (ADS) protocols invite more risk than they remove and furthermore transfer this increased risk to the consumer.
In some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder. Legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability for fraudulent "cardholder not present" transactions.
Limited mobility
When a 3-D Secure confirmation code is required, if the code is sent via SMS to the customer's phone (assuming they own one), the customer may not be able to receive it depending on the country where they are currently located (not every network carries the SMS). The system is also inconvenient for customers who tend to change their phone number from time to time, such as when traveling (and some banks require a visit to a branch to change the phone number on the account). Some Wi-Fi providers that charge for usage by credit card do not actually allow access to 3-D Secure sites before payment has been completed, so users cannot purchase Internet access.
Geographic discrimination
Banks and merchants may use 3-D Secure systems unevenly with regard to card-issuing banks in different geographic locations, creating differentiation, for example, between US-domestic and non-US-issued cards. For example, since Visa and MasterCard treat the United States territory of Puerto Rico as a non-US international location rather than a US domestic location, cardholders there may encounter a greater incidence of 3-D Secure demands than cardholders in the fifty states. Complaints about the effect have been received by the US Department of Health's health-care discrimination site, "The Same Care".
3-D Secure as strong authentication
The latest variant of 3-D Secure, which incorporates one-time passwords, is a form of software-based strong authentication. However, the older variants with static passwords do not meet the European Central Bank's (ECB) January 2013 requirements.
3-D Secure relies on the issuer being actively involved and ensuring that any card issued becomes enrolled by the cardholder; as such it is an issuer-focused solution.
The ECB mandated in its "Security for Internet Payments" requirements of January 2013 that all transactions acquired within the Single Euro Payments Area (SEPA) must be authenticated using strong customer authentication by 1 February 2015. This mandate by the ECB, supported by the European Commission's revised Payment Services Directive (PSD2), is intended to provide a level and technology-neutral playing field within SEPA to drive eCommerce, mCommerce and supporting technologies, including competing forms of strong customer authentication.
Since 3-D Secure relies on the issuer's initial involvement and on card enrollment, an acquirer cannot rely on 3-D Secure to meet acquirer-side authentication requirements until 3-D Secure enrollment is close to 100% of all cards issued.
This in turn makes 3-D Secure a weak solution for meeting strong customer authentication requirements on the acquiring side, particularly as 3-D Secure is not available on the 25 smaller card schemes recognized by the ECB. 3-D Secure must also be implemented for each card scheme that is to be supported, generally on a case-by-case basis, unless a specialist integration firm is used.
The acquirer is therefore faced with either accepting unenrolled cards that are vulnerable to fraud, or declining the card until a strong means of authentication is available. Because acquirers and payment gateways become liable for fraud on their networks from 1 February 2015 unless they have strong customer authentication in place, it is unclear what impact the ECB requirements will have on SEPA eCommerce.
Acquirer-side authentication differs from issuer-side authentication in that a card is enrolled by the acquirer as part of a transaction, rather than having to be enrolled in advance. Acquirer-side authentication can therefore enroll cards progressively, on demand, achieving an effective enrollment rate of 100%. Card enrollment and authentication can be performed at the same time.
Examples of acquirer-side authentication include PayPal's patented "verification" method, in which one or more dummy transactions are directed towards a credit card and the cardholder must confirm the value of these transactions. The patented iSignthis method uses the transaction value at the point of sale: the sale amount agreed between the eMerchant and the cardholder is divided into two (or more) amounts, the first amount being a randomly generated value and the second being the balance between the sale amount and the random value.
Both methods rely on the cardholder accessing the account associated with the credit card and confirming the value of the random transaction(s) to prove they are the account owner. However, PayPal's method does not specifically deal with a transaction between eMerchant and cardholder, so unless it is supplemented by other processes that deal directly with the transaction it is not a strong form of customer authentication and is not an alternative to 3-D Secure.
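The split-amount method described above, as an added example that is not the patented implementation and not code from the article: the sale is divided into a uniformly random first part and the balance, the cardholder reads the first part off their statement, and the acquirer checks the claim. The point a practitioner needs to see is how little entropy such a challenge has (for a 10.00 sale there are only 999 possible splits), which is why the check below caps guesses, expires the challenge and refuses replays; the attempt limit, time-to-live and amounts are assumptions.

```python
# Acquirer-side enrollment by amount confirmation: the sale is split into a
# random part and the balance, and the cardholder proves control of the account
# by reporting the random part from their statement.  Added example, not the
# patented implementation; the attempt limit, expiry and amounts are assumptions.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    total_minor: int        # agreed sale amount in minor units (e.g. cents)
    first_minor: int        # random part charged first; the value the cardholder must confirm
    deadline: float         # time.monotonic() value after which the challenge is void
    attempts_left: int = 3  # guessing budget; the secret space is tiny, so keep this small
    verified: bool = False

    @property
    def balance_minor(self) -> int:
        """The second charge: what remains of the sale after the random part."""
        return self.total_minor - self.first_minor


def split_amount(total_minor: int, rng=secrets) -> tuple[int, int]:
    """Uniform random split: the first part lies in [1, total-1], the balance is the rest."""
    if total_minor < 2:
        raise ValueError("need at least two minor units to split")
    first = rng.randbelow(total_minor - 1) + 1
    return first, total_minor - first


def new_challenge(total_minor: int, ttl_seconds: float = 24 * 3600, now=time.monotonic) -> Challenge:
    """Issue the two charges for one sale and remember the secret part."""
    first, _ = split_amount(total_minor)
    return Challenge(total_minor, first, deadline=now() + ttl_seconds)


def confirm(ch: Challenge, claimed_minor: int, now=time.monotonic) -> str:
    """One guess against the challenge; returns 'verified', 'retry' or 'locked'."""
    if ch.verified or ch.attempts_left <= 0 or now() > ch.deadline:
        return "locked"  # no replay of a used challenge, no unlimited guessing, no stale challenges
    ch.attempts_left -= 1
    # Fixed-width encoding so the comparison is constant-time regardless of digit count.
    if hmac.compare_digest(f"{ch.first_minor:012d}".encode(), f"{claimed_minor:012d}".encode()):
        ch.verified, ch.attempts_left = True, 0
        return "verified"
    return "retry" if ch.attempts_left else "locked"


def guess_success_probability(total_minor: int, attempts: int) -> float:
    """Chance that someone who knows only the sale amount gets through by guessing."""
    space = total_minor - 1  # number of possible values of the random part
    return min(attempts, space) / space
```

The probability function is the design argument in one line: a 3-guess budget on a 10.00 sale gives an attacker roughly a 0.3% chance per challenge, but on a 0.50 sale it is over 6%, so the method is only as strong as the amounts it is applied to, and a dummy-deposit scheme that uses a few cents is weaker still.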
ACCC blocks 3-D Secure proposal
A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition and Consumer Commission (ACCC) after numerous objections and defect-related submissions were received.
3-D Secure 2.0
Since January 2015, EMVCo, a company collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, has been responsible for developing the EMV 3-D Secure 2.0 specification.
In October 2016, EMVCo published the specification for 3-D Secure 2.0. The differences between the new version and the original 3-D Secure include:
- Improved messaging with additional information for better authentication decisions
- Non-payment user authentication
- Non-standard extensions to meet specific rules and requirements, including proprietary out-of-band authentication solutions used by card issuers
- Better performance for end-to-end message processing
- Improved data sets for risk-based authentication
- Prevention of unauthorized payments even if the cardholder's card number has been stolen or cloned
See also
- eCommerce
- Secure Electronic Transaction (SET)
- Merchant plug-in (MPI)
- Strong authentication
External links
- American Express SafeKey issuer cardmember information website (United States)
- American Express SafeKey issuer cardmember information website (Spain)
- American Express SafeKey issuer cardmember information website (India)
- American Express SafeKey issuer cardmember information website
- American Express SafeKey issuer cardmember information website (United Kingdom)
- American Express SafeKey cardholder website (Singapore)
- American Express SafeKey cardholder information website (Germany)
- American Express SafeKey issuer information website (Italy)
- American Express SafeKey issuer information website (Netherlands)
- Verified by Visa
- Activate Verified by Visa
- Verified by Visa partner network
- MasterCard SecureCode home page
- CERIAS discussion of the shortcomings of Verified by Visa
- usa.visa.com
- about.americanexpress.com
Source of the article: Wikipedia