Tag: bank

3DSecure not secure

You may have seen in various places that “3-D Secure” (aka “Verified by Visa” or “MasterCard SecureCode”) is not as secure as it claims to be. The original paper is here (PDF).

Unfortunately, having implemented the 3-D Secure system via a third party somewhere in Europe, I have to agree with the authors. I will focus here on one aspect, the inline frame, but the authors cover more aspects and some solutions worth considering in their paper.

The first issue is that most merchants or banks embed the 3-D Secure page in an inline frame: the 3-D Secure page appears as if it were served by the merchant website although it actually comes from another website (the card issuer's authentication server). This is similar to the hypothetical case where a picture in your newspaper actually comes from another newspaper: you wouldn't notice the difference (unless or until the picture is completely at odds with the rest of your newspaper). Back to our topic: if a fake 3-D Secure page is served inside the inline frame, it is hard to notice, because the most common way of spotting it (a different URL in the address bar) is precisely what the inline frame hides. The address bar and the browser's security indicators describe only the top-level merchant page; they say nothing about where the framed form comes from, nor whether it was delivered over HTTPS.

During development and testing, I put in place an internal, fake but similar-looking payment page, and we sometimes had to think twice before knowing whether we were on the fake page or in the test environment.

Web pages at a merchant or bank website are of course supposed to be kept far from crackers and villains 😉 But a man-in-the-middle attack (replacing the real payment page on the fly with a fake one that collects card details) is rather easy to implement, given the know-how of real villains, and wouldn't be noticed until they had collected a certain number of card details, since nothing visible to the user changes as long as the surrounding merchant page looks normal …

To illustrate the above, please insert your card details below.

Card number:
Expiry date:
Secure code:
 

Fake 3D Secure

Apart from the fact that this form was put together in 30 seconds, doesn't really look like a real payment form and does nothing, how can you tell the difference? So be careful when using 3-D Secure. With Firefox you can right-click inside the frame and choose “This Frame” > “View Frame Info” to see which site actually served the form you are about to fill in and whether it came over HTTPS. And always try to check the URL when it's possible.
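To make the “address bar versus real origin” gap described above concrete, and to show the check a merchant could run on its own checkout page, here is an added example (not code from the original post, nor from any 3-D Secure vendor). The ACS hostnames and the merchant URL are placeholders I assumed for the example; `checkFrameSource` accepts a frame only if its `src` parses, uses HTTPS and matches an allowlisted origin, and `auditCheckout` reports what the user sees next to where each framed form really comes from.

```javascript
// Added example, not part of the original post: a merchant-side audit of the
// 3-D Secure inline frame. Hostnames below are assumed placeholders, not real
// issuer or MPI servers.

// Origins a merchant would expect its 3-D Secure frame to load from
// (assumed values for the example).
const ALLOWED_ACS_ORIGINS = new Set([
  'https://acs.issuer-bank.example',
  'https://3ds.mpi-provider.example',
]);

// A frame src is acceptable only if it parses, uses HTTPS (otherwise a
// network man-in-the-middle can swap the page on the fly) and points at an
// allowlisted origin, which rules out look-alike hosts such as
// acs.issuer-bank.example.evil.example.
function checkFrameSource(src, allowed = ALLOWED_ACS_ORIGINS) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return { ok: false, reason: 'unparseable src' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not https' };
  }
  if (!allowed.has(url.origin)) {
    return { ok: false, reason: 'unexpected origin ' + url.origin };
  }
  return { ok: true, reason: 'ok' };
}

// Report the origin shown in the address bar (the top-level page) next to
// the origin each framed form actually comes from. The gap between the two
// columns is exactly what the user cannot see.
function auditCheckout(topLevelUrl, frameSrcs, allowed = ALLOWED_ACS_ORIGINS) {
  const addressBar = new URL(topLevelUrl).origin;
  return frameSrcs.map((src) => {
    const verdict = checkFrameSource(src, allowed);
    let formOrigin = '(unparseable)';
    try {
      formOrigin = new URL(src).origin;
    } catch (e) {
      // keep the placeholder for an src that is not a URL at all
    }
    return { addressBar, formOrigin, ok: verdict.ok, reason: verdict.reason };
  });
}

// In a browser the merchant page would call this on its own iframes:
//   auditCheckout(location.href, [...document.querySelectorAll('iframe')].map(f => f.src))
// Note that f.src is only what the merchant page asked for. A cross-origin
// frame's real location (f.contentWindow.location) is unreadable by design,
// which is precisely why the user cannot check it either.

// Constructed sample: a checkout page with the legitimate frame, an http://
// variant and a look-alike host.
const SAMPLE_REPORT = auditCheckout('https://shop.merchant.example/checkout', [
  'https://acs.issuer-bank.example/pareq?id=123',
  'http://acs.issuer-bank.example/pareq?id=123',
  'https://acs.issuer-bank.example.evil.example/pareq',
]);

console.table(SAMPLE_REPORT);
```

Only the first frame passes; the second fails on HTTPS and the third on origin, while all three show the same merchant origin in the address bar. The check is for the merchant's own page: it cannot help the user, who has no way to read the framed origin at all.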

Proton transactions history

Did you know that the last 3 transactions you made with a Proton card (the Belgian electronic purse) are stored in the chip? I simply used the card reader/challenge solver my bank gave me for accessing its online banking system. Usually you press the “M1” button. If you press the “Info” button instead, you get the last 3 transactions you made with Proton, the reader's EPCI number, the battery level and the embedded software version.

Example of a Proton transactions history (now you know everything about my finances ;-)

Although I know this information is not really important (you only learn how much and when I spend money), it could be useful to a jealous wife/husband 😉 or simply to survey how often people use Proton. Is anything else stored in that chip? (I did a short search on the internet but didn't find anything relevant.)