Payment Providers

James Laver james.laver at gmail.com
Fri Oct 2 13:06:06 BST 2009


On 2 Oct 2009, at 12:07, David Precious wrote:

> It's a poor attempt towards three-factor authentication, but relying upon
> entering a password - which will be picked up by the same keylogging/sniffing
> techniques they'd use to grab the rest of your details if you're entering them
> on a compromised machine.  However, now, the bank has shifted liability to the
> customer, claiming that since the transaction was authorised with their
> "secret password", they have no right to repudiate the transaction.

Yes, those lovely three factors:
- Something you know
- Something you know
- Something you know

Clever, huh.

Firstly, they shift liability to the bank, which is why retailers like it. Unfortunately the bank shifts liability to the customer with the defence "but no one else knows your 3dsecure password, it was you, there was no fraud". HSBC revealed to me that they've had 'zero fraud' since the introduction of the scheme, which means they're pinning this, exactly like they've all been pinning chip and pin fraud on the bank customer, because of the same defence (and they got away with that one in court, somehow).

Because of this, banks are loath to let you opt out. I've been unable to do so with HSBC.

I've been writing a paper about attacks on the 3dinsecure system and it's all remarkably easy:
1. I steal your card (or memorise your details while you're paying with it), you haven't registered yet, I register for you, thus choosing the password I want
2. I steal your card (or memorise your details while you're paying with it) and go through a simple reset procedure, which generally only requires information I could extract from you during an hour at the pub without you realising
3. I set up a fake page that looks like a 3dsecure page on my site and cream off the details before submitting them myself so the payment goes through. Since it's all handled by third parties, you'd never know what's legitimate and what isn't.

And many, many more, wait for the paper to be released :) It doesn't take an evil genius to see gigantic holes in the system, it's shaped like a Swiss cheese.

--James


More information about the london.pm mailing list