3D Secure is Dead

Visa and Mastercard have announced that they are phasing out 3D Secure [1], a service used to protect online card payments. They will be replacing it with a new system in the future.


If you shop online you will invariably have had 3D Secure embedded in your payment screen under one of its guises, perhaps as Verified by Visa or MasterCard SecureCode.

While news of this change may cause concern for consumers who feel that 3D Secure keeps them safe when shopping online, it is a good step by Visa and MasterCard. This post explains why.

It teaches people bad habits

Websites should use SSL encryption to keep communication of private data safe. Users can check that this is happening by ensuring that their URL starts with https and that the identity of the website is a trusted one. Most web browsers highlight this in some way; for example, Google Chrome shows a verified connection in green.


Users should get into the habit of checking that they are on the website they expect and that it is securely encrypted before sharing sensitive data.

One problem with 3D secure is that the service is hosted by third party providers. This means that the user is NOT in fact communicating with who they think they are. To hide this confusing fact, the 3D Secure form often appears in a popup window or iframe (a website embedded within the merchant’s website) and does not display a url bar. This limits a user’s ability to easily verify the site’s identity and encourages them to just “trust” the popup or iframe.
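The "am I really talking to the site I expect, over HTTPS?" check described above, written as code a merchant page could run before embedding a hosted payment step (and again on any message that step posts back). This is an added example, not code from the original post or from any 3D Secure provider; the allow-listed host `acs.issuer-bank.example` is a constructed placeholder. It deliberately rejects several look-alike URLs that a naive "starts with https" rule would accept.

```javascript
// Added example: host allow-list for a hosted payment step. The host below is a
// constructed placeholder, not a real access control server.
const TRUSTED_PAYMENT_HOSTS = new Set(["acs.issuer-bank.example"]);

// Returns true only if `candidate` is an https URL whose host exactly matches
// the allow-list. Each rejection below is a case that "the URL starts with
// https" alone would let through.
function isTrustedPaymentUrl(candidate, trustedHosts = TRUSTED_PAYMENT_HOSTS) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return false; // not parseable as a URL at all
  }
  if (url.protocol !== "https:") return false;      // plain http or another scheme
  if (url.username || url.password) return false;    // "https://trusted-host@evil.example/"
  if (url.port !== "") return false;                  // non-default port, e.g. :8443
  // Normalise case and a trailing dot, then require an exact host match so
  // that "trusted-host.evil.example" and "login.trusted-host" both fail.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return trustedHosts.has(host);
}

// Throws instead of embedding anything when the URL fails the check. Returns
// the created element, or null when there is no DOM (e.g. under node).
function buildPaymentFrame(src, doc = (typeof document !== "undefined" ? document : null)) {
  if (!isTrustedPaymentUrl(src)) {
    throw new Error("refusing to embed untrusted payment URL: " + src);
  }
  if (!doc) return null;
  const frame = doc.createElement("iframe");
  frame.src = src;
  return frame;
}

// A window.onmessage handler should apply the same allow-list to event.origin
// before trusting a "payment authenticated" result from the embedded step.
function isTrustedPaymentMessage(event, trustedHosts = TRUSTED_PAYMENT_HOSTS) {
  return typeof event.origin === "string" && isTrustedPaymentUrl(event.origin + "/", trustedHosts);
}
```

Note that this only protects the merchant's integration: the user looking at a popup or iframe with no URL bar still cannot perform this check themselves, which is the point made above.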

It is vulnerable to phishing

The problem with the practices I mentioned in the previous section is that they are almost indistinguishable from the practices used by malicious websites to collect private data. For example, if a user is shopping and browsing across a number of tabs, a malicious website could open a new window that looks like the 3D Secure service to fool the user into entering their details.

On the flip-side, savvy users who meticulously check their traffic may see their browser communicate with an unknown third-party and assume that a legitimate 3D Secure screen is a phishing attack.

User experience is poor

I could write pages about how poor the user experience is. Everything from the overall dated look and feel, the jarring integration with merchant websites, to pages not rendering correctly or at all.

The mobile experience is worse again, with the site bordering on unusable on many mobile browsers. As there is no mobile application solution, developers have been forced to embed completely alien-looking webviews to render the 3D Secure service in their apps. Users may be thrust from a nice slick application to a payment page designed for a desktop – one that on mobile requires lots of whitespace scrolling and tiny forms with tiny text fields.

But I will stop my usability rant there. It is customer reaction to the service that speaks loudest. A significant number of customers abandon their shopping carts at the 3D Secure phase, and this equates to significant revenue loss for merchants. In one example, North Side Media reported around a 60% reduction in client sales during a 3D Secure trial [2].

It is designed to protect the merchant not the customer

Few people realise that 3D Secure is designed to protect the merchant not them. Generally, when a customer calls their bank about a fraudulent card transaction, their bank will pull the funds from the merchant and refund them. A merchant using 3D Secure is however protected from this potential loss of revenue.

It almost seems reasonable. The merchant has done everything they can to protect their customer by using a secure service. If there’s fraud, it’s not their fault. It must have come from somewhere else. Perhaps the customer shared their password with someone. Or maybe they have malware on their computer.

So who pays? The burden returns to the bank. Some banks have wording deeming the customer responsible for all 3D Secure transactions, even in cases where fraud has occurred and there is no evidence to suggest negligence on their part [3].

Conclusion

The reality of 3D Secure is that it is a poor service which exposes customers to serious security issues while simultaneously pushing the burden of fraudulent activity onto them. This is not a nice way to treat customers.

Additionally, usability is so problematic that while it may protect merchants from fraud, it also costs them a significant amount in lost revenue. All things considered it is a good move by Visa and Mastercard to abandon the service. In my next post, I discuss what I hope their next service will look like.

References

[1] S. Curtis, "Mastercard and Visa to kill off password authentication," The Telegraph, Nov. 13, 2014. [Online]. Available: http://www.telegraph.co.uk/technology/news/11228300/Mastercard-and-Visa-to-kill-off-password-authentication.html. Accessed Nov. 13, 2014.

[2] A. Bouch, "3-D Secure: A critical review of 3-D Secure and its effectiveness in preventing card not present fraud," MSc thesis, University of London, 2011. [Online]. Available: http://www.58bits.com/thesis/3-D_Secure.pdf.

[3] S. J. Murdoch and R. Anderson, "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication," Financial Cryptography and Data Security, vol. 10, pp. 25-28, Jan. 2010.
