This post has been updated to include the patent number.
Pomcor has been granted US patent 10,825,025 on the method of cardholder authentication that I have discussed before on this blog. The Cardholder Authentication page has links to earlier materials. Actually, the patent was granted on November 3, 2020, but I was busy working on TLS traffic visibility at the time.
3-D Secure 2 purports to reduce the friction that 3-D Secure 1 creates when it redirects the cardholder’s browser to the card issuer’s site for authentication. But it does so by omitting cardholder authentication altogether for transactions deemed low risk, and it may increase friction for other transactions.
Eliminating friction with a Service Worker
We eliminate friction instead, for all transactions, by using a Service Worker, registered with the browser by the issuer, to intercept the redirected request and authenticate the cardholder by proof of possession of a private key. The same private key signs a description of the transaction, which gives the merchant a defense against transaction repudiation.
The private key is associated with a credit card certificate that contains the corresponding public key and a cryptographic hash of the data printed on the credit card. The card data itself is not included in the certificate, so that an attacker who obtains the certificate through malware or physical capture of the cardholder’s device does not learn the card data. When the merchant’s site or native app receives the certificate along with the signature, it verifies the hash against the printed card data entered by the cardholder.
We originally used the idea of intercepting an authentication request with a Service Worker in connection with Rich Credentials, then presented it in general terms at ICMC 2017.
Are Service Workers still usable?
People have been telling us recently that Service Workers can no longer be used because WebKit deletes Service Worker registrations, along with first-party data stored in the browser, after seven days of non-use. This is an unfortunate complication, but it does not mean that Service Workers and first-party data can no longer be used. It just means that the web app that registers the Service Worker, in this case the issuer’s web app, must be added to the home screen, as explained in this WebKit blog post.
This blog post has been coauthored with Karen Lewison.
The 2nd Payment Services Directive of the European Union went into effect on September 14, but one of its most prominent provisions, the Strong Customer Authentication (SCA) requirement, was postponed until December 31, 2020 by an opinion of the European Banking Authority (EBA) dated 16 October 2019. The EBA cited pushback from the National Competent Authorities (NCAs) of the EU member countries as the reason for the postponement, and the fact that version 2 of the 3-D Secure protocol (3-D Secure 2) is not ready as the reason for the pushback.
PSD2 is supposed to be technology neutral, but the EBA has unequivocally endorsed 3-D Secure as the way to implement the SCA requirement for online credit card transactions, as stated in its opinion dated 21 June 2019:
Continue reading “PSD2 Is In Trouble: Will It Survive?”
This blog post has been coauthored with Karen Lewison.
You may have heard that the EU is struggling to implement the Strong Customer Authentication (SCA) requirements of Payment Services Directive 2 (PSD2). The directive was issued four years ago, Regulatory Technical Standards followed two years later, and the SCA requirements went into effect on September 14. But on October 16 the European Banking Authority (EBA) had to postpone enforcement until December 31, 2020, due to pushback from the National Competent Authorities (NCAs) of the EU member countries. When announcing the postponement, the EBA cited as a reason for the pushback the fact that 3-D Secure 2 is not ready.
The problems that the EBA is having with the SCA requirements have more to do with the bureaucratic formulation of the requirements in PSD2 than with the technical difficulty of providing strong security. We will discuss this in another post, but first we want to ask here whether cardholder authentication will ever come to the US.
Continue reading “Will Cardholder Authentication Ever Come to the US?”
3-D Secure is a protocol that provides security for online credit card payments by redirecting the cardholder’s browser to the web site of the bank that has issued the credit card, where the cardholder is authenticated by methods such as username-and-password or a one-time password. 3-D Secure is rarely used in the US because the cardholder authentication creates friction that may cause transaction abandonment, but it is used more frequently in other countries. The credit card networks have been working on a new version of the protocol, called 3-D Secure 2, where the issuing bank assesses fraud risk based on information received from the merchant through a back channel and waives authentication for low-risk transactions. In a paper presented at HCII 2019 we showed that 3-D Secure 2 has serious privacy and usability issues, and we proposed an alternative protocol that provides strong security without friction for all transactions by cryptographically authenticating the cardholder. We have now looked in more detail at a particular configuration of 3-D Secure 2 where the cardholder uses a native app instead of a browser to access the merchant’s site, and we have found security flaws, described in detail in a report, that may allow a malicious merchant to impersonate the cardholder.
Continue reading “3-D Secure 2 May Allow the Merchant to Impersonate the Cardholder”