3D Secure / Verified By Visa
Ian Batten <igb@...
2013-04-17 10:18:15 GMT
Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010  and
high-level descriptions for application writers ?
Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the
issuer. Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard
equivalent logo, said it was authenticating, and then immediately succeeded. I assumed, without
checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card
hadn't been stolen. Not ideal, but better than nothing, and avoids having to type the password.
This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been
declined . It was a non-trivial amount of money to a website I have never used before, but which Sue uses
regularly for small transactions. This transaction was probably two orders of magnitude greater than
any previous one. Our credit cards are separate accounts. I was using her web browser while logged in to her
account. My card went straight through, without asking for a 3DS password.
To which I say, huh? What state is there in a random user account on an OSX machine which allows it to assert
that it's me? What are 3DS checking?
 Itself an interesting point. We suspect that as we use my card for making large online purchases, I've
built up a history of doing "that sort of thing", while Sue hasn't. Alternatively, if you do a lot of
transactions of size x with a merchant, a transaction of size 100x might scream "insider fraud with stored
credentials", while a first-time transaction of the same size doesn't raise the same concern.