Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol

  • Mohammed Aamir Ali
  • Aad van Moorsel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)

Abstract

3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit-card-based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second-factor authentication information (e.g., a passcode). The 3DS 2.0 standard itself does not specify how transaction risk assessment is to be implemented. The research questions addressed in this paper are therefore: how is transaction risk assessment implemented for current credit cards, and are there practical exploits against the 3DS 2.0 risk assessment approach? We conduct a detailed reverse engineering study of 3DS 2.0 for browser-based payment, the first study of this kind. Through experiments with different cards, from different countries and for varying amounts, we deduce the data and the decision-making process that card issuers use in transaction risk assessment. We find that card issuers differ considerably in their risk appetite. We also demonstrate a practical impersonation attack against 3DS 2.0 that avoids being challenged for second-factor authentication information, requiring no more data than is obtained with the reverse engineering approach presented in this paper.

Keywords

Payment systems · Credit card security · Reverse engineering · User authentication · Impersonation attack · EMV · Protocol

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. Newcastle University, Newcastle upon Tyne, UK