3D Secure - not asking for passwords anymore?

Dymo King

Free Member
Jul 17, 2008
498
49
I've noticed that the last 5 or 6 times I've used my personal credit card online - at a variety of different websites using mostly different payment providers - the 3D authentication hasn't asked me for my password.

It's not like it's not active on the websites - I can see the 3D auth window, but it just has a processing bar and carries straight on to the receipt page without stopping. No password. No buttons to press. Just straight through without stopping.

Has anyone else noticed this? Have they changed the system so it's storing some kind of token/key on the PC?

Dymo King

Free Member
Jul 17, 2008
498
49
but it didn't appear to be down, it's not like it just skipped it - it came up with the framed box, correctly identified my bank, said it was being processed by my bank and came up with the processing bar. Nor did it seem like a time out - it actually went through quite quickly...

Dymo King

Free Member
Jul 17, 2008
498
49
I just tried this on my own site and it showed as being 3D authenticated even though it skipped straight through. So I guess that's good news all round if it happens to lots of other people as well - fewer payment failures because customers forgot their password, easier checkouts for the customer, and we're covered against fraud.

colinpickup

Free Member
Oct 25, 2011
3
0
When 3D Secure gives an Authenticated (MPI Code 237) response, that basically means that the cardholder's bank is willing to accept the liability shift to itself. The criteria that the banks set to do this really lie with the bank and, although most banks require a password, some only require the xth, yth and zth letters of your password (a good idea, IMHO, as this means a man-in-the-middle attack wouldn't get your full password) while still accepting the full liability shift.

If orders start coming through as Authenticated when no password was given, I'm guessing that the banks have decided to allow some other criteria to factor into this... My guess is that the banks have rolled out an IP whitelist system such that, after N successful orders/password confirmations for your card from a particular IP address, your IP address is validated for your card and it won't ask for your password.

Yes, there is a higher potential for chargebacks to the bank... People on a shared/dynamic IP could claim that the hacker gained access to their network, but the bank may be willing to take that risk, particularly if the delivery is to an established address and the card details all match.

This is conjecture, but an IP-whitelist system might also be easier/faster to process than the password-based authentication, taking some strain from the password servers and meaning less potential for big outages. As a 3D Secure stage is a big drop-off point for any checkout, I expect that banks are also trying to reduce this and, in doing so, encourage vendor confidence in the 3D Secure system. I've had clients request that the payment only be sent to 3D Secure if it absolutely has to, such as for Maestro payments, as otherwise they find that what they save on fraudulent transactions doesn't make up for the increased drop-off (thus decreased sales) of a 3D Secure checkout.

I could be wrong, but I imagine banks will have thought this one through, with lawyers, projections, graphs, and so on. Y'know, business stuff. Also, you can bet they have a switch that allows them to go back to the old system should things not work out as expected.

colinpickup

Free Member
Oct 25, 2011
3
0
I don't believe for one minute the banks are going to put any liability on themselves if they don't need to, so the idea of an IP whitelist sounds like nonsense.

If that were the case, then why does 3D Secure exist in the first place? Why not just keep the liability with the merchant?

If the banks aren't able to keep 3D Secure auth servers up 24/7, you have to imagine the technology is expensive to run securely. The question is whether or not any increase in fraud would cost them more or less than the cost of maintenance, plus losses due to downtime.

colinpickup

Free Member
Oct 25, 2011
3
0
Yeah, if 3D Secure is passed then that basically means the bank is accepting the liability shift. Them doing this without a password does seem to be happening now, however, meaning either they're OKing any old transaction or they've determined some other criteria they can work on.

The IP whitelist was only the first idea that popped into my head; there are a lot of techniques a bank might consider. It could store a cookie on a user's computer, set a value limit, check if the CVV is a match (assuming the bank is sent that data, I imagine it would be), and check whether the user has bought from that shop before. If the IP, cookie, and all other data match for a small transaction, I'd imagine the bank would consider accepting the liability shift without a password.

Just a theory, but Mr deadgoodundies: Would you have the technical know-how to check the computer you made the transaction on to see if there was a cookie left on the system from a bank's authorisation web site? I imagine the value itself would make no sense, an encrypted value or some such, but if one could be found then it might support that idea.
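To make the speculation in the post above concrete, here is an added example (not code from the thread or from any bank or payment provider) of a toy risk-based decision engine that weighs exactly the signals colinpickup lists: how many authenticated orders have come from the IP, whether a recognised issuer cookie is present, whether the card details match, whether the cardholder has bought from the merchant before, and whether the amount is under a value limit. Every weight, threshold, field name and sample value is an assumption chosen for illustration; a real issuer's scoring is proprietary and not described on this page.

```python
# Added example (not from the thread): a toy risk-based decision engine of the
# kind colinpickup speculates an issuer might run before deciding whether to
# show the 3D Secure password page. Signal names, weights, thresholds and all
# sample data are assumptions chosen for illustration.
from dataclasses import dataclass, field
from typing import Optional

FRICTIONLESS_SCORE_MAX = 15   # assumption: total risk allowed without a challenge
DECLINE_SCORE_MIN = 100       # assumption: risk at which no challenge is offered
IP_TRUST_ORDERS = 3           # assumption: N authenticated orders before an IP is trusted
SMALL_AMOUNT = 50.00          # assumption: value limit for a frictionless pass


@dataclass(frozen=True)
class Transaction:
    card_token: str                # issuer-side reference to the card, never the card number
    amount: float
    ip: str
    device_cookie: Optional[str]   # opaque value the issuer's auth page may have set earlier
    cvv_match: bool                # did the card details supplied match the issuer's record
    merchant_id: str


@dataclass
class CardHistory:
    """What the issuer has learned about one card from past authenticated orders."""
    ip_successes: dict = field(default_factory=dict)   # ip -> count of authenticated orders
    device_cookies: set = field(default_factory=set)
    merchants: set = field(default_factory=set)


def risk_score(tx: Transaction, hist: CardHistory) -> int:
    """Sum the weights of every signal that is missing or unfamiliar for this card."""
    score = 0
    if hist.ip_successes.get(tx.ip, 0) < IP_TRUST_ORDERS:
        score += 40                      # IP not yet established for this card
    if tx.device_cookie is None or tx.device_cookie not in hist.device_cookies:
        score += 30                      # no recognised device cookie
    if not tx.cvv_match:
        score += 50                      # card details supplied do not match
    if tx.merchant_id not in hist.merchants:
        score += 15                      # first purchase at this merchant
    if tx.amount > SMALL_AMOUNT:
        score += 25                      # above the frictionless value limit
    return score


def decide(tx: Transaction, hist: CardHistory) -> str:
    """Return 'frictionless' (liability shift with no password), 'challenge' or 'decline'."""
    score = risk_score(tx, hist)
    if score <= FRICTIONLESS_SCORE_MAX:
        return "frictionless"
    if score >= DECLINE_SCORE_MIN:
        return "decline"
    return "challenge"


def record_authenticated(tx: Transaction, hist: CardHistory) -> None:
    """After a successful authentication (challenged or not), extend trust for the card."""
    hist.ip_successes[tx.ip] = hist.ip_successes.get(tx.ip, 0) + 1
    if tx.device_cookie is not None:
        hist.device_cookies.add(tx.device_cookie)
    hist.merchants.add(tx.merchant_id)


def demo() -> list:
    """Walk one constructed card through a sequence of constructed orders; return the decisions."""
    hist = CardHistory()
    decisions = []
    # Three password-authenticated orders from the same home IP and device build trust.
    home = Transaction("card-A", 20.0, "198.51.100.7", "ck-home", True, "shop-1")
    for _ in range(IP_TRUST_ORDERS):
        decisions.append(decide(home, hist))     # 'challenge' until the IP is trusted
        record_authenticated(home, hist)
    decisions.append(decide(home, hist))         # now 'frictionless'
    # Small purchase at a new shop from the trusted IP and device: still frictionless.
    decisions.append(decide(Transaction("card-A", 20.0, "198.51.100.7", "ck-home", True, "shop-2"), hist))
    # Unknown IP, no cookie, wrong card details, large amount: declined outright.
    decisions.append(decide(Transaction("card-A", 400.0, "203.0.113.9", None, False, "shop-9"), hist))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The design point is that the password check is not removed, only moved behind a score: the trust that lets an order through is earned by earlier password-authenticated orders from the same IP and device, and a single unfamiliar signal on a larger purchase still forces the challenge. That matches the original poster's observation of an authenticated result with no password page, without the issuer having accepted "any old transaction".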

ukwebhosting

Free Member
Jun 9, 2011
249
67
UK
Hi

I read somewhere a while back that they are looking at ways to make it less intrusive and more intelligent.

One example I can briefly recall was something to do with if it recognises you make the transaction often (may have been combined with IP) then it will go through without asking for a PIN.

Had a search for the info but wasn't able to find it.

Thanks

Paul
