Do consumers all have little usb smartcard things so they can use the smartcard to make online purchases? or does this mostly just make 'card present' transactions that much safer?
3D Secure basically redirects you to a webpage run by a third party (usually your bank) to enter additional details, like a separate password.
I find it much more annoying. My New Zealand (.co.nz) bank redirects me to a .co.uk domain with their logo (!!), where it doesn't even prompt me for any additional details, just forwards back to the original merchant.
It is likely that they are processing a risk score for your transaction, based on browser fingerprint, referer, IP, time of day and so on. That is, the "bounce" may not be entirely useless.
If the risk score exceeds a certain threshold then they can then require additional security. While this may seem very weak, in practice a lot of fraud has pretty obvious signatures.
huh. yeah, there's a 'verified by visa' thing that America has that is similar... I think it does some statistical something something. It sure looks a lot weaker than a public key transaction where the key never leaves the card. The 'verified by visa' site itself looks pretty fishy.
In theory, a chip and pin solution where the user owns the reader is more secure than a transaction in the store where the vendor owns the reader. But I guess that's too expensive and inconvenient or something.
When 3D Secure just redirects it means the bank decided to trust the transaction based on something. For instance, for me it skips it for some known vendors and transactions.
My Austrian bank embeds a 2FA system in the iframe. I get an authentication code on my phone and enter that. It typically asks for that when shipping to a new address or on first use of a vendor that uses 3D Secure.
While 3D Secure and Verified by Visa are a good idea in theory, the implementation is a mess. For example, my bank requires me to enter my banking username and password into the banking website, which is loaded via an iframe inside the merchant's site. How is a regular user supposed to verify that the iframe loaded his banking website and not some phishing website?
My bank is marginally better than this and includes a string I set when I first configured 3D Secure in the iframe, but it's still a mess and asking for phishing attacks.
Sounds like a problem with your bank. Mine prompts me for a token that is sent to my phone, where it also shows me what transaction I confirm. In addition, the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of SSL this would be safe.
> In addition the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of ssl this would be safe.
No, they can do a replay attack on this setup when not encrypted.
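To make the replay point concrete, here is an added example (not code from any commenter or bank) contrasting a static memorable message with a code bound to the transaction shown on the phone; the shared key, merchant name, amounts and nonces are constructed values.

```python
import hashlib
import hmac

# Constructed shared secret between the bank's 3DS page and its verifier (assumed).
KEY = b"constructed-bank-secret"


def static_message_check(shown: str, expected: str) -> bool:
    """A static personal-assurance message: whoever observed it once can show it again."""
    return shown == expected


def issue_transaction_code(key: bytes, merchant: str, amount_cents: int, nonce: str) -> str:
    """Six-digit code derived from the exact transaction the user sees on the phone."""
    msg = f"{merchant}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class CodeVerifier:
    """Bank-side check: the code must match the transaction, and each nonce is single use."""

    def __init__(self, key: bytes):
        self.key = key
        self.used_nonces = set()

    def verify(self, merchant: str, amount_cents: int, nonce: str, code: str) -> bool:
        if nonce in self.used_nonces:
            return False  # replayed challenge
        expected = issue_transaction_code(self.key, merchant, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # code belongs to a different transaction or is forged
        self.used_nonces.add(nonce)
        return True


def demo() -> dict:
    # Static message captured once over plain HTTP can be replayed in a fake frame.
    captured = "my memorable phrase"
    static_replay_ok = static_message_check(captured, "my memorable phrase")

    # Transaction-bound code: captured code is useless for a replay or a different amount.
    v = CodeVerifier(KEY)
    code = issue_transaction_code(KEY, "shop.example", 4999, "nonce-1")
    first = v.verify("shop.example", 4999, "nonce-1", code)
    replay = v.verify("shop.example", 4999, "nonce-1", code)
    altered = v.verify("shop.example", 99999, "nonce-2", code)
    return {"static_replay_ok": static_replay_ok, "first": first,
            "replay": replay, "altered": altered}
```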