On January 26, 2010, two researchers at Cambridge University, Steven J. Murdoch and Ross Anderson, released a working paper with the provocative title, "Verifed by Visa and MasterCard SecureCode: or, How Not to Design Authentication". It directly attacks 3D Secure as a poorly designed authentication scheme, and calls for regulatory intervention to protect consumers. To what extent does the report raise fair criticisms, and how should the industry and/or regulators respond?
RSA Security, the primary vendor of 3D Secure technology, responded to the paper in two blog posts, which can be found here and here. Their main point seems to be that the Cambridge researchers are confusing the implementation of 3D Secure by some UK banks with the 3D Secure architecture, which is capable of supporting a wide variety of authentication methods, not just those criticized in the paper.
However, this flexibility is exactly what the researchers are criticizing on p.4, where they write, "The 3DS specification only covers the communication between the merchant, issuer, acquirer, and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices." As I see it, the real question here is: to what extent is a vendor obligated to restrict the choices its customers make with regard to the use of its technology, and if the vendor has no such obligation, should the government step in and establish such restrictions?
RSA is here constrained by the fact that it does not own the 3D Secure specification; if it chose to restrict its clients to strong authentication methods (for example, one-time passwords), it could be undercut by rivals offering compliant implementations without such restrictions. Furthermore, specifying particular authentication methods is problematic because it interferes with the bank's right to make business decisions about how it manages risk. One point that was not made clear in the paper is that UK regulations and bank policies limit consumer liability for all electronic transactions, and similar protections are available to US consumers (specifically, that liability is limited to ₤50 or $50 if the consumer exercises reasonable care in protecting their information and reports any fraudulent transactions within 60 days). Therefore, if a UK bank decides to implement a minimal authentication procedure, and is willing to accept the higher fraud losses that will come with it, that is arguably the bank's prerogative.
However, I am sympathetic to the Cambridge researchers' argument that allowing banks to implement weak authentication procedures harms the public interest by creating confusion as to what level of security is actually being provided, and teaching consumers bad practices (such as entering PINs or personal information into non-authenticated web pages) that will ultimately increase fraud losses on the broader scale. Since market forces seem to be driving the industry to a sub-optimal implementation of 3D Secure, perhaps regulators do need to step in and establish some minimum standards. Any economic loss would be offset by the reduction in fraud and associated costs, as well as the savings from reducing the number of alternative procedures that consumers have to learn.
Sign up for CIO Asia eNewsletters.