You may have seen in various places that “3-D Secure” (aka “Verified by Visa” or “Mastercard SecureCode”) is not as secure as it claims to be. The original paper is here (PDF).
Unfortunately, having implemented the 3-D Secure system via a third party somewhere in Europe, I have to agree with the authors. I will insist here on one aspect – the inline frame – but the authors give more aspects and some solutions worth considering in their paper.
The first issue is that most merchants or banks embed the 3-D Secure page in an inline frame: the 3-D Secure page appears as if it were served by the merchant website although it actually comes from another website. This is similar to a hypothetical newspaper in which one of the images comes from a different newspaper: you wouldn’t notice the difference (unless or until the image is completely at odds with the surrounding content). Back to our topic: if a fake 3-D Secure page is served inside the inline frame, it is difficult to notice, because the most common way of noticing it (a different URL in the address bar) is precisely what the inline frame hides.

During the development and testing, I put in place an internal, fake but similar-looking payment page, and we sometimes had to think twice before knowing whether we were on the fake page or in the test environment.

Webpages at a merchant or a bank website are of course supposed to be kept far from crackers and villains 😉 But a man-in-the-middle attack (replacing the real payment page on the fly by a fake one that collects card details) is rather easy to implement (considering the know-how of actual villains) and wouldn’t be noticed until a certain number of card details had been collected …
To illustrate the above, please insert your card details below.
Apart from the fact that this form was done in 30 seconds, doesn’t really look like a real payment form (and does nothing), how can you tell the difference? So, be careful when using 3-D Secure (with Firefox you can always right-click to see the security information about the form you are about to fill in). And always try to check the URL when it’s possible.