Monday, July 27, 2009

Are they really safe? - Verified by Visa and MasterCard Secure Code.

I have previously blogged about them.
An anonymous reader has commented and raised concerns about this added layer of security for online credit and debit card transactions (collectively known as the 3-D Secure protocol).
As you can read on its Wikipedia page, 3-D Secure has a long list of criticisms, most of them about how well it actually secures online transactions.

I will try to address all of the reader's concerns below:

- RBI never sponsored or stated specific systems such as Verified by Visa or MasterCard UCAF/SPA in its directive.
In my article too, I did not say that RBI has specified that VbyV or SecureCode must be used. The RBI directive only says that additional information (apart from what is already present on the card) is required for online transactions. Since most (say 95%) of the cardholders in India have either a Visa or a MasterCard, they will have to use one of these two services, hence I explained their features from an end-user perspective. For American Express cards, the billing address is asked for as verification.


- The anonymous reader has pointed out some security vulnerabilities in 3-D Secure, giving examples such as the inline frame and activation during shopping.
Although I can't vouch for all banks in India, I deal with HDFC Bank, which does not use an inline frame during 3-D Secure authorization and which also has a PAM (Personal Assurance Message).
It does have activation during shopping, but that too:
- is on the hdfcbank.com domain with a proper SSL certificate (no inline frame)
- requires your ATM password for authentication (I don't know whether the number of attempts is unlimited). This I feel is secure enough.

But I also know of cases where card issuers don't use their own domain during 3-D Secure authorization, for example:
- SBI Card (uses arcot.com)
- ICICI Bank (uses payseal.com)
So our anonymous reader does have a valid point here. These systems are not 100% safe, partly because of inherent weaknesses in the Internet protocols and partly because a password page on a domain the cardholder has never heard of cannot be told apart from a phishing page.
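As an added illustration (not code from the original post or from any of the banks named above), the script below checks the two things this section turns on: whether the password page the cardholder actually sees is on the issuer's own domain over HTTPS, and whether the form is delivered inside an inline frame, where the address bar and certificate belong to someone else. All hostnames, the PAM text and the markup are constructed for the example, and the domain comparison is a naive last-two-labels check rather than a public-suffix lookup.

```python
"""Spot-check a 3-D Secure password page for the weaknesses discussed above.

Added example, not code from the original post or from any bank: hostnames,
markup and the PAM below are made up, and registrable_domain() is a naive
"last two labels" comparison (no public-suffix list).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FrameAndFormParser(HTMLParser):
    """Collect the src of every (i)frame and the action of every form."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("iframe", "frame") and attrs.get("src"):
            self.frame_srcs.append(attrs["src"])
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_3ds_page(page_url, html, issuer_domain):
    """Return a list of weaknesses found; an empty list is the good case
    (issuer's own domain, HTTPS, no inline frame, form posts to the issuer).

    page_url is the address the cardholder sees in the browser; html is the
    document served at that address.
    """
    parser = _FrameAndFormParser()
    parser.feed(html)
    findings = []
    page = urlparse(page_url)
    seen_host = page.hostname or ""
    issuer = issuer_domain.lower()

    if page.scheme != "https":
        findings.append(f"page not served over HTTPS: {page_url}")
    if registrable_domain(seen_host) != issuer:
        findings.append(
            f"address bar shows {seen_host}, not the issuer's domain {issuer_domain}"
        )
    # An inline frame hides the real origin of the password form behind the
    # outer page's address bar and certificate, so it is flagged whatever
    # host it is loaded from.
    for src in parser.frame_srcs:
        frame_host = urlparse(urljoin(page_url, src)).hostname or seen_host
        findings.append(f"password form delivered in an inline frame from {frame_host}")
    # The form must also submit to the issuer over HTTPS, not merely be
    # displayed on the issuer's page.
    for action in parser.form_actions:
        target = urlparse(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(f"form submits over {target.scheme}, not HTTPS: {action}")
        if registrable_domain(target.hostname or "") != issuer:
            findings.append(f"form submits to {target.hostname}, not the issuer's domain")
    return findings


# Constructed samples: hostnames and markup are made up for this example.
ISSUER_HOSTED_URL = "https://3ds.examplebank.com/acs/login"
ISSUER_HOSTED_HTML = """
<html><body>
<p>Your Personal Assurance Message: <b>blue parrot</b></p>
<form method="post" action="/acs/verify">
  <input type="password" name="pin">
  <input type="submit" value="Submit">
</form>
</body></html>
"""

MERCHANT_FRAMED_URL = "https://shop.example.com/checkout/3ds"
MERCHANT_FRAMED_HTML = """
<html><body>
<h1>Cardholder authentication</h1>
<iframe src="https://acs.third-party.example/auth?txn=1234" width="400" height="400"></iframe>
</body></html>
"""

if __name__ == "__main__":
    samples = [("issuer-hosted", ISSUER_HOSTED_URL, ISSUER_HOSTED_HTML),
               ("merchant-framed", MERCHANT_FRAMED_URL, MERCHANT_FRAMED_HTML)]
    for name, url, html in samples:
        findings = assess_3ds_page(url, html, "examplebank.com")
        print(f"{name}: {'no weaknesses found' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a page you have saved from your own bank's checkout flow (the outer document the browser shows, not the frame's contents fetched separately), with your issuer's registrable domain as the third argument; an empty result corresponds to the issuer-hosted, no-frame case described above, while a third-party ACS or an iframe shows up as a finding.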


- Then he raises the concern that the password can easily be phished and used by fraudsters, and that the transactions can then never be disputed by the cardholder.
On this I don't agree with him. Without 3-D Secure, anyone who had physical access to the card even for a minute (think of the last time you handed it over for payment in a restaurant) could have misused it by noting down the card details. The introduction of 3-D Secure has made life more difficult for fraudsters.
If transactions could be disputed without 3-D Secure, they can still be disputed with 3-D Secure activated as well; 3-D Secure is not going to change that.


- A concern about fraudsters misusing this feature to cheat banks.

This is a matter between the banks and the fraudsters, and I'm really not too concerned about it. One thing I would like to point out here is that issuing a card is not a completely online process (at least in India). There are ID and address checks, and the credit report is also verified. So if the bank has a diligent process in place before it issues a card, the chances of such cheating are lessened. However, if the bank has lax procedures, it obviously has to suffer (that's its Karma!).


- Be wary of mandated systems. A good security system never needs to be mandated.
If it is not mandated, the banks won't implement any safety feature. Only the very few who actually care about customer concerns would be willing to do it on their own, since setting up the IT infrastructure for such a feature costs money, and bank management is busy improving profit margins by cutting costs wherever it can.
