Credit card verification system not secure, says researcher

Researchers from the University of Cambridge are questioning a security system that credit card companies say gives additional security to credit card transactions. Called 3-D Secure (3DS), the system is implemented--and paid for--by online vendors. In a nutshell, the system requires the use of a password for verification on top of the standard credit card information.

For their troubles, merchants will find it easier to shift liability away from themselves in the event of fraudulent usage. Unfortunately, the general way of implementing 3DS involves the use of iframes in HTML, which effectively prevents users from ascertaining the validity of the site. This is detrimental as it exposes users to possibility of man-in-the-middle attacks. In addition, the use of static passwords is also prone to phishing methods by scammers.

Don't expect the situation to change anytime soon, though. As noted by one of the researchers, Steven J. Murdoch, "Most banks have chosen to go for passwords than anything better...Passwords are really cheap."

For more on this story:
- check out this article at Ars Technica
- check out this article at PCWorld 

Related Articles:
Symantec: Call center worker in India may have sold credit card data
Biggest hacking case ever sends security warning
Heartland settles with American Express