A secure payment system designed to reduce online fraud has a number of secuirty flaws, say University of Cambridge researchers.
Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.
As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks.
But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.
That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS, which they detailed in a paper on the topic.
One of their main points is how 3DS is integrated into websites during a transaction. E-Commerce websites display 3DS in an iframe, which is a window that brings content from one website into another.
The e-commerce website connects directly to a bank, which solicits a person's password in the iframe.
If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.
3DS also allows people to set their password immediately as they enroll in the system, a process called 'activation during shopping (ADS)'.
The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.
Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote.
3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.
Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card.
Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.
Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.
Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase.
Another method is sending a SMS verification to a person's mobile phone along with a one-time passcode that can be entered during the e-commerce transaction.
However, "most banks have chosen to go for passwords than anything better", Murdoch said.
"Passwords are really cheap."
Merchants must pay to implement SecureCode or Verified by Visa, where the systems mentioned above would likely require the banks to spend money, Murdoch said.
Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with online transactions.
"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the company said.
"Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."
MasterCard officials could not be immediately reached for comment.
See also: Over 1,200 scam websites taken offline