Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol

  • Conference paper
  • Financial Cryptography and Data Security (FC 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11598)

Abstract

3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit card based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second factor authentication information (e.g., through a passcode). The 3DS 2.0 standard itself does not specify how to implement transaction risk assessment. The research questions addressed in this paper therefore are: how is transaction risk assessment implemented for current credit cards, and are there practical exploits against the 3DS 2.0 risk assessment approach? We conduct a detailed reverse engineering study of 3DS 2.0 for payment using a browser, the first study of this kind. Through experiments with different cards, from different countries and for varying amounts, we deduce the data and the decision making process that card issuers use in transaction risk assessment. We will see that card issuers differ considerably in terms of their risk appetite. We also demonstrate a practical impersonation attack against 3DS 2.0 that avoids being challenged for second factor authentication information, requiring no more data than is obtained with the reverse engineering approach presented in this paper.

Author information

Corresponding author: Aad van Moorsel.

A Data Used for Transaction Risk Assessment

Table 2 shows an exhaustive list of the device attributes, for cards C1 to C5, that are passed from the browser (WB) to the ACS. The loading and execution of dfp.js by the ACS as part of the checkout process is similar for all the test cards we used. The ‘Method’ column lists the functions implemented in dfp.js that extract information from WB (for readability, some method names have been simplified). The data fetched by each function is described in the ‘Attribute description’ column. The ‘Source’ column marks the origin of each attribute (JavaScript or HTTP). Finally, the rightmost column shows an example output value for each function.

Figures 5 and 6 show the encoded device fingerprint and the full cookie content, respectively.

Fig. 5. Device fingerprint information encoded and sent to ACS.

Fig. 6. Device fingerprint information encoded and sent to ACS.

Table 2. Data used for transaction risk assessment extracted by JavaScript file dfp.js.

Copyright information

© 2019 International Financial Cryptography Association

Cite this paper

Ali, M.A., van Moorsel, A. (2019). Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol. In: Goldberg, I., Moore, T. (eds) Financial Cryptography and Data Security. FC 2019. Lecture Notes in Computer Science(), vol 11598. Springer, Cham. https://doi.org/10.1007/978-3-030-32101-7_13

  • DOI: https://doi.org/10.1007/978-3-030-32101-7_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-32100-0

  • Online ISBN: 978-3-030-32101-7
