The security hole in Verified by Visa
Rik Ferguson is a senior security researcher at Trend Micro in the UK, and a well-known face on the security conference circuit around the globe. As well as sharing an interest in rock music, tattoos and security, Rik and I also have something of a dislike for stupid password reset procedures.
Regular readers will recall how I exposed the ease with which you could access insurance comparison site quotes by using the password reset function, and now Rik has discovered a similar loophole, but one with far more wide-reaching consequences.
Writing at the CounterMeasures security blog, Rik explains how the 3DS security protocol, better known as Verified by Visa or MasterCard Secure Code, can be circumvented by anyone with access to the physical credit card in question.
Let’s imagine a thief has stolen a credit card, then tries to buy something with it and runs into the Verified by Visa password wall. If this thief clicks on the “I’ve forgotten my password” link, they’ll be asked to enter the card’s number (which they have) and then some corroborating data that can all be found printed or embossed on the card itself. The only piece of information that’s required but isn’t on the card itself can easily be found by a quick search of social networks, or even a bit of Googling – yep, it’s our old friend the date of birth.
As Rik says: “We can’t and shouldn’t consider our date of birth to be a secret.” and because no email confirmation is required before a new password can be entered, it’s all too easy to see how such a system could be exploited.