3-D Secure is a protocol that provides security for online credit card payments by redirecting the cardholder’s browser to the web site of the bank that has issued the credit card, where the cardholder is authenticated by methods such as username-and-password or a one-time password. 3-D Secure is rarely used in the US because the cardholder authentication creates friction that may cause transaction abandonment, but it is used more frequently in other countries. The credit card networks have been working on a new version of the protocol, called 3-S Secure 2, where the issuing bank assesses fraud risk based on information received from the merchant through a back channel and waives authentication for low-risk transactions.
In a paper presented at HCII 2019 we showed that 3-D Secure 2 has serious privacy and usability issues and we proposed an alternative protocol that provides strong security without friction for all transactions by cryptographically authenticating the cardholder. We have now looked in more detail at a particular configuration of 3-D Secure 2 where the cardholder uses a native app instead of a browser to access the merchant’s site, and we have found security flaws, described in detail in a technical report, that may allow a malicious merchant to impersonate the cardholder.
The flaws are due to the fact that the merchant app mediates a challenge-response interaction where the cardholder authenticates to the issuing bank by providing authenticating information such as answers to security questions or a one-time password. The merchant is required to use an EMVCo-approved SDK to implement the interaction, but a malicious merchant can circumvent this requirement, or exfiltrate the authentication information from a web view used by the SDK. These are not minor flaws that could be fixed with minor changes to the specification. They are fundamental flaws that could only be fixed by using a different approach to cardholder authentication in the case where the cardholder uses a native app to access the merchant’s site.