by hrrsn 3742 days ago
3D Secure basically redirects you to a webpage run by a third party (usually your bank) to enter additional details, like a separate password.

I find it much more annoying. My New Zealand (.co.nz) bank redirects me to a .co.uk domain with their logo (!!), where it doesn't even prompt me for any additional details, just forwards back to the original merchant.

3 comments

It is likely that they are processing a risk score for your transaction, based on browser fingerprint, referer, IP, time of day and so on. That is, the "bounce" may not be entirely useless.

If the risk score exceeds a certain threshold then they can require additional security. While this may seem very weak, in practice a lot of fraud has pretty obvious signatures.

Fair enough. Just having a .nz bank direct me to a .uk domain is a huge red flag for anyone that bothers looking at this sort of thing.

huh. yeah, there's a 'verified by visa' thing that America has that is similar... I think it does some statistical something something. It sure looks a lot weaker than a public key transaction where the key never leaves the card. The 'verified by visa' site itself looks pretty fishy.

In theory, a chip and pin solution where the user owns the reader is more secure than a transaction in the store where the vendor owns the reader. But, I guess that's too expensive and inconvenient or something.

"Verified by Visa" is 3-D Secure.

https://en.wikipedia.org/wiki/3-D_Secure

When 3D Secure just redirects, it means the bank decided to trust the transaction based on something. For instance, for me it skips it for some known vendors and transactions.