V3.co.uk reports that University of Cambridge researchers have released a blistering attack on the 3-D Secure protocol used by Visa and MasterCard to authenticate online customers, calling it "a textbook example of how not to design an authentication protocol."
The report, titled "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication," says:
Because the 3-D Secure form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3-D Secure easier, but undermines other anti-phishing initiatives by contradicting previous advice.
The researchers say that the system will likely be undermined by man-in-the-middle attacks and the continuing growth in sophisticated malware.