How safe is your credit card?
Recently one of my friends lost 92k in an online credit card fraud. A Google search found a few other people who lost their money the same way. So are credit cards safe for online transactions in India?
The short answer is NO.
Why?
1. In India, 3D Secure (Verified by Visa or MasterCard SecureCode) is mandatory for online credit card transactions above 5000.
2. In the US this is not mandatory for any transaction.
So India looks like the more secure country for online transactions! That is what the banks want you to believe. The truth is the opposite.
The security of any system is the security of its weakest link. The weakest link here is 3D Secure (3DS). Surprised? Try the forgot-password link on your Verified by Visa page. It asks for your card number, your date of birth (the most secret information about you!) and your CVV number. This is taken from the HDFC NetSafe website; other banks may differ.
How long does it take someone to find your DOB given your full name? Google and Facebook have made this very easy.
Now the "secure" CVV number. It is a 3-digit number, so the total number of combinations is 999. That assumes it is random. People make it "more secure" by eliminating combinations like 111, 222 etc., which only reduces the number of combinations an attacker has to try. This is the wrong public concept of security: explaining to a customer that 111 is just as secure as 592 is difficult, so the easier way out is to avoid those numbers. The real irony is that the CVV number is required for every transaction, so any compromised website will already have your CVV number. That reduces the reset to just your DOB.
Have you ever received an email/SMS when you reset your Verified by Visa/MasterCard SecureCode password? I haven't got any for my HDFC card till now.
So it is obvious that this is not designed for security. Then what is it for?
This is called liability shifting. Normally all the liability for a fraudulent internet transaction is on the bank, not on the merchant, if the bank has authenticated you. The advantage of this is that more merchants are willing to accept credit cards online. With 3DS the liability is shifted to the cardholder: it uses a password known only to you, so any transaction that goes through 3DS is your liability.
If you buy gold jewellery or electronic goods by swiping the card, you will get a call asking whether you made this transaction, because in that case the onus is on the merchant to authenticate you; if you later come back and prove the signature is not yours, they will have to reverse the transaction.
Most fraudulent transactions use the card to book flight tickets, which leaves fewer traces. Have you ever got a call after booking tickets online? No need; the bank is no longer liable for this fraud.
Fine. But this does not explain why the banks cannot make these 3DS implementations secure enough.
Any secure authentication protocol adds inconvenience for the user. Users forget this password frequently because they do not use it daily. If the password reset is made secure, it needs multi-factor authentication and the reset process takes time. That means lost business for the merchant: when you are buying something on the net and the card authentication step requires you to reset your password securely, chances are you will abandon the transaction.
So your security is compromised for the merchants by your bank. Steven J. Murdoch and Ross Anderson of the University of Cambridge, UK, have written a paper on the security issues of the 3DS protocol.
It is difficult to accept that internet transactions would be safer without a password, but with the current implementation of 3DS this is what we can conclude. At least then the bank would make a phone call and check with you before authorizing a high-value transaction.
What are the repercussions?
My friend lost Rs 92K to a fraud on 29th Oct 2012. As of today HDFC is still not willing to investigate the fraud, saying that the Verified by Visa password was compromised and it is the customer's responsibility. If this is the attitude, it is definitely going to attract banking trojans. We don't even know if this is the work of a Trojan; HDFC bank should investigate it and find out whether any password reset has happened, or whether the password was retrieved by a Trojan, in which case a security alert is a must. If there is already a Trojan out there in the wild, this can happen to a lot more unsuspecting people.
Ross Anderson is Professor of Security Engineering at the Computer Laboratory, University of Cambridge, UK. He works on banking security and has proved that the security of these protocols and implementations is not strong enough to conclude that, for online credit card fraud to happen, the password must have been compromised by the user.
What can the banks do to prevent this?
1. Make sure there is no liability shifting, so that banks treat online transactions like normal transactions. That means banks should investigate fraud on online transactions protected by Verified by Visa, recognizing that the security is not enough to keep hackers out. This is what the bank is refusing to do now. Public pressure needs to be built on this.
2. Banks should make sure these protocols and implementations are secure, with transaction signing and other protection mechanisms.
3. Any password reset should at least use a second factor, such as the registered email address or mobile phone.
4. Banks should provide a way to limit the online transaction amount. This will not work against targeted attacks, where email and SMS can be flooded to avoid detection.
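To make the reset weak link described above and point 3 concrete, here is an added example, not code from this post or from any bank: a toy model of the reset flow the post describes (card number, DOB, CVV) beside one bound to a second factor. All card values are constructed, the HardenedReset class and its method names are assumptions, and OTP delivery to the registered mobile is simulated by a list.

```python
import hashlib
import hmac
import secrets

CARD = {"pan": "4111111111111111", "dob": "1980-01-01", "cvv": "592",  # constructed sample
        "mobile": "+91-0000000000"}                                    # record, not real data
MERCHANT_COPY = {"pan": CARD["pan"], "cvv": CARD["cvv"]}  # any merchant you paid holds these
PUBLIC_PROFILE = {"dob": CARD["dob"]}                    # findable on social media

def weak_reset(req):
    """Reset flow as the post describes it: card number, DOB and CVV, nothing else."""
    return all(req.get(k) == CARD[k] for k in ("pan", "dob", "cvv"))

class HardenedReset:
    """Reset bound to a second factor: a one-time code sent to the registered
    mobile, with attempt limiting and a notification on every request."""
    MAX_TRIES = 3

    def __init__(self):
        self.sent, self.notices, self.session = [], [], None

    def start(self, pan):
        if pan != CARD["pan"]:
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.session = {"hash": hashlib.sha256(otp.encode()).digest(), "tries": 0}
        self.sent.append((CARD["mobile"], otp))  # delivered out of band, never to the browser
        self.notices.append("reset requested")   # cardholder hears about every attempt
        return True

    def finish(self, otp):
        s = self.session
        if s is None or s["tries"] >= self.MAX_TRIES:
            return False                         # no session, or locked after bad guesses
        s["tries"] += 1
        if not hmac.compare_digest(s["hash"], hashlib.sha256(otp.encode()).digest()):
            return False
        self.session = None                      # code is single use
        self.notices.append("reset completed")
        return True

def merchant_breach_passes_weak_flow():
    """Merchant-held fields plus a public DOB are all the weak flow asks for."""
    return weak_reset({**MERCHANT_COPY, **PUBLIC_PROFILE})

def merchant_breach_fails_hardened_flow():
    """Same data, no phone: guesses are rejected, the session locks, the owner is told."""
    h = HardenedReset()
    h.start(MERCHANT_COPY["pan"])
    rejected = not any(h.finish(f"guess{i}") for i in range(5))
    return rejected and not h.finish(h.sent[-1][1]) and h.notices == ["reset requested"]
```

The notification list is the point the post makes about never receiving an SMS: in the hardened flow the cardholder is told about a reset attempt even when it fails.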
As bank customers, what options are left for us?
1. Limit our liability by reducing the credit card limit.
2. Use net banking for online transactions. This is more secure for the time being. It also requires safeguards to limit exposure, such as using a separate account.
Update: My friend got his money back, but with no information on what happened.
This is a personal weblog. The opinions expressed here represent my own and not those of my employer.