1. 6

  2. 3

    To provide some context, I just found this on HN.

    This describes vulnerabilities in a system called 3D Secure, also known as MasterCard SecureCode, and Verified By Visa.

    It was really popular like 10 years ago in the US, too — the banks would let or require you to set credentials for online purchases for your credit card number, usually on first use with an online vendor like Newegg. Of course, it was implemented by a third party on each bank’s behalf, so, for better or worse, it was a separate set of credentials than your online banking. And, of course, being implemented by a third party, there was no sign of whether the domain name of such third party was really authorised by your bank to accept your PII — great way to teach folks to provide PII to random vendors you’ve never ever heard of (but, look, the page has your bank’s logo, of course it’s legit!), not to mention that it was all implemented in frames (possibly on purpose to conceal the domain name of the shady vendor your bank chose), and with a plentiful of pop-up windows with a hidden URL bar at that, too (of course! So 2000s!).

    Basically, a really great and secure standard compared to just the static credit card number you share with each vendor, but, of course, totally ruined by the actual implementations, in the US, at least.

    To my knowledge, no single US retailer or bank uses it anymore (IIRC, Newegg and ZipZoomfly did used to possibly require it back in the day). A couple of years ago, I asked Capital One why my online transaction in Russia wasn’t coming through — didn’t even reach the usual 3D Secure stage, and they claimed that they haven’t supported it for ages! (Of course, the infra is still all there, but now it just shows up to the user as a mere splash screen when shopping on foreign websites; still very popular in Russia with all the payment gateways.)

    Basically, the tech is really useful for reasonable authentication, but suffered the same fate as the Chip in the States back in 2000s (ironically, Target was one of the first vendors to use it in early 2000s). Now if your purchase is declined or you’re a new customer with a big discount warehouse like Provantage, you just have to call them offline and verify your identity manually; how smart!