Verified by Visa and MasterCard SecureCode: Or, How Not to Design Authentication
Banks worldwide are starting to authenticate online card transactions using the '3-D Secure' protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It also provides a fascinating lesson in security economics.