This blog post has been coauthored with Karen Lewison
You may have heard that the EU is struggling to implement the Strong Customer Authentication (SCA) requirements of Payment Services Directive 2 (PSD2). The directive was issued four years ago, Regulatory Technical Standards (RTS) followed two years later, and the SCA requirements went into effect on September 14. But on October 16 the European Banking Authority (EBA) had to postpone enforcement until December 31, 2020, due to pushback from the National Competent Authorities (NCAs) of the EU member countries. In an opinion announcing the postponement, the EBA cited as a reason for the pushback the fact that 3-D Secure 2 (3DS2) is not ready.
The problems that the EBA is having with the SCA requirements have more to do with the bureaucratic formulation of the requirements in PSD2, than with the technical difficulty of providing strong security. We will discuss this in another post, but first we want to ask here whether cardholder authentication will ever come to the US.
Cardholder authentication is used in Europe, but rarely in the US
Strong cardholder authentication has been used in Europe for many years, without waiting for PSD2. It is implemented using the original version of 3-D Secure (3DS1) introduced by Visa in 1999 and adopted by other card networks, rather than the new version that EMVCo is struggling to specify. 3DS1 is used to different extents in different European countries but it is rarely used in the US.
The reason for this disparity is clear. Authentication is burdensome. Consumers in the US have practically no liability for unauthorized use of a credit card, so they have no motivation to authenticate. Given a choice between making a purchase from a merchant who requires authentication and a merchant who does not, they will choose the merchant who does not; and when asked to authenticate, they may abandon the transaction instead. European consumers, on the other hand, have historically had substantial, sometimes unlimited liability for unauthorized purchases. Liability was capped to 120 euros by the first Payment Services Directive in 2007, then to 50 euros by PSD2 when it went into effect on September 14, which is still non-negligible. For the sake of security, European consumers may prefer a merchant who requires authentication, in spite of the burden of providing it.
The absence of cardholder authentication in the US makes online shopping convenient for consumers, but it also makes online credit card fraud easy for criminals. The introduction of chip cards reduced the fraud rate for in-store transactions by making it practically infeasible to clone cards; but fraudsters shifted their efforts to the web and the fraud rate for online transactions increased.
Reducing the online fraud rate will require cardholder authentication. But in the US, cardholder authentication can only succeed if it does not create friction that may cause transaction abandonment and customer loss. One of the goals of the new version of 3-D Secure is to reduce friction. But 3DS2 is unlikely to ever be implemented.
3-D Secure 2 may never be ready
The credit card networks have been touting 3-D Secure 2 as the means of implementing PSD2 in Europe and providing frictionless cardholder authentication in the US. But the 3DS2 specification has been under development for many years and it is far from ready, as shown by the postponement of SCA enforcement. A look at the specification shows not only that it is not ready, but also that it may never be ready.
We looked at the specification when we wrote a paper on frictionless cardholder authentication that we presented at HCI International 2019 and was published in the Late Breaking Papers proceedings of the conference (Springer LNCS 11786). The authors’ version of the paper is available on this site. We found the following shortcomings, discussed in more detail in the paper:
- The cardholder is only authenticated for some transactions, friction is not reduced for those transactions, and latency is added to all transactions.
- The merchant is required to send cardholder information to the issuing bank through a back channel, potentially violating the cardholder’s privacy.
- Biometric authentication has extremely poor usability, requiring the cardholder to read and understand instructions, and to manually find and open a bank app.
- 3DS2 requires a costly infrastructure, including three additional servers besides those used to implement the merchant and bank sites.
Later we had a second look at the specification, focusing on a particular configuration of 3DS2 where the cardholder uses a merchant app to shop at the merchant’s site. This time we found fundamental security flaws that enable attacks by a malicious merchant (or by malicious personnel working for the merchant); variations on some of those attacks can also be carried out by a malicious developer of merchant apps, or by a hacker with remote write access to the code of the merchant app before it has been signed.
The following attacks are discussed in more detail in a technical report:
- A malicious merchant can capture answers to security questions and use them to impersonate the cardholder.
- A malicious merchant can capture one-time passwords and use them to impersonate the cardholder.
- A malicious merchant can add itself to a whitelist of merchants trusted by the cardholder.
The flaws that enable these attacks are not minor flaws that can be fixed by minor changes; fixing them would require a different approach to cardholder authentication in the merchant-app configuration.
The same technical report also identifies and discusses in detail several fundamental security misconceptions about mobile technology that seem to underlie the security flaws.
The fundamental nature of the security flaws and misconceptions suggests that EMVCo may never be able to put the 3DS2 specification on a sound security footing. Even if it could, the end result would have privacy, usability and cost drawbacks that might preclude adoption by banks and merchants.
But frictionless cardholder authentication is possible by other means
The flaws and shortcomings of 3DS2 do not mean that it is not possible to provide frictionless cardholder authentication for all transactions with good usability, minimal cost, and no privacy violations. We describe a cardholder authentication solution that does that in the HCII paper.
In a nutshell, the merchant’s site redirects the cardholder browser to a URL in the issuing bank’s DNS domain, but the redirected request is intercepted by a service worker registered with the browser by issuing bank, and handled within the browser without network access. The service worker asks the cardholder to confirm the transaction and signs the transaction with a private key associated with a certificate that binds the associated public key to a cryptographic hash of the credit card data. The certificate contains a hash of the data rather than the data itself to avoid storing the data in the cardholder’s computing device that carries the credential. The user experience (UX) for the cardholder is the same as in an ordinary credit card payment on a web site, except that the confirmation page is a bank page constructed by the service worker. More details can be found in the paper.
The solution supports the use of a bank app and/or a merchant app. If there is a bank app in the cardholder’s device, the service worker further redirects the browser to the app, which does the work of confirming and signing the transaction and may authenticate the cardholder biometrically. If the cardholder is using a merchant app rather than a browser, the merchant app asks the default browser to open a JavaScript URL that sends the request that is intercepted by the service worker.
Consortia of issuing banks could bring cardholder authentication to the US
The solution that we proposed in the HCII paper provides cardholder authentication without any friction that could impede adoption in the US. But can it be deployed given that the credit card networks seem committed to 3-D Secure 2? We think so, for the following reasons:
- The credit card networks were committed to the Secure Electronic Transactions (SET) protocol in the nineties, but they abandoned it after the specification process bogged down. The specification of 3DS2 is now bogged down.
- The credit card networks need not be concerned with cardholder authentication, a process that does not involve the acquiring bank and is separate and independent from the authorization and settlement processes managed by the networks, as made clear by the 3DS2 specification itself.
- There would be no need for the entire credit card industry to buy into a single authentication scheme. The proposed solution could be implemented by a consortium of issuing banks, or by several competing consortia. The use of such consortia would be transparent to the cardholder. A merchant could choose to support the use of zero, one, or more than one consortia, and would know whether to use a particular consortium for a particular transaction by looking up the IIN portion of the credit card number in a non-confidential but integrity-protected database provided by the consortium. The database would map the IIN to the URL to be intercepted by the service worker and to the public key to be used for verifying the bank’s signature on the credit card certificate.
As law enforcement has trouble keeping up with foreign crime syndicates and an ecosystem of fraud, frictionless cardholder authentication may be the only effective way of reducing the multibillion dollar tax that credit card fraud levies on society in the United States.