Sunday 6 February 2011

Dealing with 3D Secure

If you've shopped online recently you should already be familiar with 3D Secure, even if you don't know what it is. It's the recent initiative by credit card companies to enhance the security of online transactions.

How does it work?

Well, without getting too technical, you register a password with the issuing bank (usually by providing some personal information such as a date of birth) and then enter it each time a transaction is made. Most online retailers insert an additional step into the checkout process, which opens an iframe containing a form hosted on the bank's servers - for example:

What's your problem with 3D Secure?

Whilst I advocate any attempt to make online security better, it's still not ideal:
  • It's generally implemented as an iframe
    Most merchants don't like you to leave their site, and prefer their branding to remain intact, so they open the bank's form in an iframe. This is fine in principle, but since iframes open other web sites, and you don't directly see the URL - how do you know for sure that the page is coming from the bank's server?
  • Password reset mechanism
    This has been widely acknowledged as a flaw. Sometimes, along with the card details, a date of birth is all that is required to proceed.
  • It's yet another password to remember
    This isn't a flaw, but I'm willing to put good money on the fact most people choose something very simple for their password, or use the same password as they do for every other site on the web!
  • It complicates the checkout process
    Most merchants are reluctant to use this feature in their checkout, as they send their buyers off site at the most critical phase of their purchase. Buyers first have to remember their password, and then count out the characters on their fingers trying to remember what the third, fourth, and seventh characters are.
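
One way to answer the iframe question above is to look at where each frame on the checkout page really comes from. This is an added example, not part of the original post; every hostname in it is a constructed placeholder, and it assumes you already know the bank's hostname (for instance from your card issuer).

```javascript
// Added example: classify the frames embedded in a checkout page.
// All hostnames below are constructed placeholders, not real bank or merchant hosts.

// Returns one record per iframe URL describing where the frame really comes from.
function auditFrames(pageUrl, frameSrcs, expectedIssuerHosts) {
  const page = new URL(pageUrl);
  const expected = new Set(expectedIssuerHosts.map((h) => h.toLowerCase()));
  return frameSrcs.map((src) => {
    let frame;
    try {
      frame = new URL(src, page); // resolves a relative src against the page
    } catch (e) {
      return { src, verdict: "unparseable" };
    }
    const record = {
      src,
      origin: frame.origin,
      https: frame.protocol === "https:",
      sameOriginAsMerchant: frame.origin === page.origin,
      // Exact hostname match only, so a longer lookalike name cannot pass.
      hostExpected: expected.has(frame.hostname),
    };
    if (!record.https) record.verdict = "reject: not HTTPS";
    else if (record.sameOriginAsMerchant) record.verdict = "reject: served by merchant, not the bank";
    else if (!record.hostExpected) record.verdict = "reject: unexpected host";
    else record.verdict = "ok";
    return record;
  });
}

// Constructed sample input. In a browser console the list would come from
// Array.from(document.querySelectorAll("iframe"), (f) => f.src).
const sampleFrames = [
  "https://acs.bank.example/3ds/auth",
  "http://acs.bank.example/3ds/auth",
  "https://acs.bank.example.lookalike.test/3ds/auth",
  "/checkout/verify.html",
];
const results = auditFrames("https://shop.example/checkout", sampleFrames, ["acs.bank.example"]);
for (const r of results) console.log(r.verdict, "-", r.src);
```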

How can the process be made simpler?

Whilst we can't change the bank's process, we can change our own behaviour, and address the last two points.

Using Deadbolt Password Generator we can create strong passwords from easily memorable phrases, and also take advantage of a nice feature which splits the characters up so you don't have to count on your fingers any more!

So there you have it - a secure memorable password with a simpler entry system.

Stay safe.