Cambridge Researchers Knock 'Verified by Visa'
Tom Espiner writes on ZDNet UK:
The 'Verified by Visa' credit-card check has come under criticism from Cambridge University researchers, who said it is training online shoppers to adopt risky security habits. More here.
The feature, which is used to authenticate online financial transactions, confuses users by not displaying security cues, security engineering researchers Ross Anderson and Steven Murdoch said in a paper [.pdf] published on Tuesday.
"The technical design of Verified by Visa trains people in appallingly bad security habits," Anderson told ZDNet UK. "It gives the wrong signals."
The protocol underlying Verified by Visa, as well as competitor MasterCard's SecureCode service, is 3-D Secure (3DS). The protocol is implemented as an iframe pop-up box, said Anderson. The pop-up does not display any commonly used markers, such as a colour-coded browser bar or 'https' in the URL, that demonstrate the box has been secured using the Transport Layer Security (TLS) protocol.
Because of this, online buyers have no visual verification that the box is a valid part of the credit-card transaction. If they enter their password when asked without knowing for certain it is protected, that is a bad security habit, the paper's authors argue.