Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol

  • Mohammed Aamir Ali
  • Aad van Moorsel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)


3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit-card-based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second-factor authentication information (e.g., through a passcode). The 3DS 2.0 standard itself does not specify how to implement transaction risk assessment. The research questions addressed in this paper therefore are: how is transaction risk assessment implemented for current credit cards, and are there practical exploits against the 3DS 2.0 risk assessment approach? We conduct a detailed reverse engineering study of 3DS 2.0 for payment using a browser, the first study of this kind. Through experiments with different cards, from different countries and for varying amounts, we deduce the data and decision-making process that card issuers use in transaction risk assessment. We will see that card issuers differ considerably in terms of their risk appetite. We also demonstrate a practical impersonation attack against 3DS 2.0 that avoids being challenged for second-factor authentication information, requiring no more data than obtained with the reverse engineering approach presented in this paper.


Keywords: Payment systems; Credit card security; Reverse engineering; User authentication; Impersonation attack; EMV protocol


Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. Newcastle University, Newcastle upon Tyne, UK