Abstract
3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit-card-based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second factor authentication information (e.g., through a passcode). The 3DS 2.0 standard itself does not specify how to implement transaction risk assessment. The research questions addressed in this paper therefore are: how is transaction risk assessment implemented for current credit cards, and are there practical exploits against the 3DS 2.0 risk assessment approach? We conduct a detailed reverse engineering study of 3DS 2.0 for payment using a browser, the first study of this kind. Through experiments with different cards, from different countries and for varying amounts, we deduce the data and decision making process that card issuers use in transaction risk assessment. We will see that card issuers differ considerably in terms of their risk appetite. We also demonstrate a practical impersonation attack against 3DS 2.0 that avoids being challenged for second factor authentication information, requiring no more data than obtained with the reverse engineering approach presented in this paper.
A Data Used for Transaction Risk Assessment
Table 2 shows an exhaustive list of the device attributes for cards C1 to C5 that are passed from WB to the ACS. The loading and execution of dfp.js by the ACS as part of the checkout process is the same for all of our test cards. The ‘Method’ column indicates the functions implemented in dfp.js that extract information from WB (for readability, in some cases we have simplified the method name). The details fetched by each function are shown in the ‘Attribute description’ column of the table. The ‘Source’ column marks the origin of each attribute (JavaScript or HTTP). Finally, the rightmost column shows an example output value of each function.
Figures 5 and 6 show the encoded device fingerprint and the full cookie content, respectively.
© 2019 International Financial Cryptography Association
Cite this paper
Ali, M.A., van Moorsel, A. (2019). Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol. In: Goldberg, I., Moore, T. (eds) Financial Cryptography and Data Security. FC 2019. Lecture Notes in Computer Science, vol 11598. Springer, Cham. https://doi.org/10.1007/978-3-030-32101-7_13
DOI: https://doi.org/10.1007/978-3-030-32101-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32100-0
Online ISBN: 978-3-030-32101-7
eBook Packages: Computer Science (R0)