[danpalmer]

Yeah, Chip and PIN (EMV) in the UK is much better for security, we have a lot lower rates of card fraud here than in the US. In fact most of the world has now switched to EMV, the US is the only major country that I can think of which is still on swipe payments.

The problem goes further than the cards themselves though, I think the big problem with them is that you have to give companies all of the details needed to make a charge when you buy things online, and those details are stored. Other comments here are right, the main way to deal with this is single use card numbers that can be revoked individually.

I think a good way would be to implement something similar to what OAuth does. When you want to make a payment to Amazon for example, you tell your bank who you are and after authenticating you, they would provide a token to Amazon who can store that to use for purchases. If at some point in the future Amazon were 'hacked', the bank could revoke charging authorization for all tokens given to Amazon, immediately protecting all of their customers.

[makomk]

Chip and PIN should be better, except they fucked up the crypto such that anyone who stole your card could use it without knowing your PIN but still make it look like a PIN transaction - so you'd be liable for the fraudulent transaction since obviously you didn't take sufficient care to keep your PIN secret.

[cnorthwood]

Isn't that kind of what Verified By Visa/MasterCard SecureCode tries to do (but implemented amazingly badly)

[rwmj]

Although there are some problems with the implementation, I've come to like it for a couple of reasons:

(1) It authenticates features of your browser (like user-agent, IP address) to score the transaction. These are somewhat hard for an attacker to duplicate.

(2) With some UK banks, it is combined with a hardware one-time password generator to form a reasonably robust two-factor authentication.

Now there are certainly problems, such as it appearing in a frame, and not appearing as a subdomain of your bank, and those should be fixed.

[vitd]

The main problem with Verified By Visa (and whatever MasterCard calls it) is that in using it, you agree to be liable for it as if it were a card-present transaction, which is ludicrous for online purchases. Whenever I'm stopped to sign my card up for "Verified By Visa," I immediately switch to a different card because of the reduced protection I would have to agree to with "Verified" transactions. It's simply a way to shift responsibility onto the purchaser with no additional protection.

[jamesbritt]

I used to run into the VBV screen when ordering from NewwEgg. It's been a while so I don't know if things are the same. I refused to consent to the terms for the reasons you gave. Instead, I just closed the browser. The funny part is that my purchase would still go through.

[dualogy]

MasterCard SecureCode / "3D Secure" or whatever they call it, has been active on my card for many years and I never had any problems whatsoever. Always worked like a charm.. And the upside, nowadays I don't worry anymore about anyone storing my CC number on their unsecured servers.

[jakub_g]

I think 3D Secure only prevents doing transactions without double auth in "3D Secure enabled" online shops. In the shops that don't have that implemented, the transactions can go through (though probably those shops pay higher provisions).

[Theodores]

Correct. The payment gateway usually has a setting to enable/disable 3D secure as a feature.

You also get a failed transaction report, some people can have 4-5 goes before giving up on their purchase. Sometimes to countries somewhere abroad the customer gets a form to fill in to apply for having this extra check on their account (because there is no 3D secure in the country where they have their card registered or it is not customary to use it).

It would be nice to use 3D secure as an extra feature, and, as a retailer, set it on a case by case basis, e.g. to an order that is for somewhere overseas or over a certain value.

In the UK a fraudulent order is a fraudulent order, as a retailer you are on your own dealing with it. Putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.

Address verification is a 'soft fail' if you want it to be. It will compare the address by numbers, so someone entering 'Flat 2' in the primary address line will fail the system if the address is actually 'Flat 2, 34 Church Street' as '34' is expected for the match.

There is no system guaranteed to work, except Paypal, that you pay for in fees.

These matters aside, the system of swipe only in the US just gives most people in the UK scary feelings.

[dualogy]

> In the UK [..] putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.

Having lived in the UK for 3 years, I'm not sure anyone's "house size" over there is a good indicator for, well, pretty much anything ;D

[Havoc]

> implemented amazingly badly

The implementation I can live with. That fact that its opt-in is entirely fatal though. Criminals just need to find a website without it. So the only person inconvenienced by it is me.

[danpalmer]

Verified by Visa and Mastercard 3D Secure were an attempt to implement something similar to this, but were a disaster. I recommend the paper "Veried by Visa and MasterCard SecureCode: or, How Not to Design Authentication" by Steven Murdoch and Ross Anderson, who have been involved in quite a lot of the security research surrounding EMV.

http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

EMV has it's problems. I've worked with a few researchers who have targeted the security of it in several ways and found some quite serious issues, so I'm quite aware of the security implications. However in terms of practical criminal use, having the challenge and response mechanism with the card is a significant improvement over the static data of a magstripe.

That said, an interesting piece of British law is the fact that a signature forgery is never the responsibility of the victim. This means that if someone fraudulently signs for a payment, you are not responsible for the charges at all, whereas if someone watches you enter your PIN, or you tell it to someone and they subsequently use it to make payments, this is your responsibility. The grey area for a while was that the companies behind EMV said it was 'uncrackable' (never a good idea) and refused to take responsibility of charges that some users claimed had been made without their PINs being revealed by them. Anderson, and the Cambridge security researchers demonstrated a proof of concept a few years ago that showed how it could be used without knowing disclosure of the PIN, and since then card companies and banks have been a little more receptive to taking on the responsibility.