Researchers Label 3-D Secure as Insecure

Kara Reeder reports that University of Cambridge researchers have released a blistering attack on the 3-D Secure protocol used by Visa and MasterCard to authenticate online customers, calling it "a textbook example of how not to design an authentication protocol."


The report, titled "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication," says:

Because the 3-D Secure form is an iframe or pop-up without an address bar, there is no easy way for a customer to verify who is asking for their password. This not only makes attacks against 3-D Secure easier, but undermines other anti-phishing initiatives by contradicting previous advice.

The researchers say that the system likely will be undermined by man-in-the-middle attacks and the continuing growth in sophisticated malware.


For more information on authenticating users, check out this piece on our Network Security Edge site.
