Welcome to WebmasterWorld Guest from 18.204.48.199

Forum Moderators: buckworks

Message Too Old, No Replies

How secure is 3D secure?

Transaction is fully 3d authenticated yet is as fraudulent as they come

     
8:18 pm on Dec 13, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 28, 2005
posts:164
votes: 0


I'm using the 3d secure system (verified by visa / mastercard) with protx.

Just had a transaction that was given the full green light by the system "This transaction was fully 3D-Authenticated."

Yet if ever there was a more dodgy transaction then I'll eat my hat. They used different billing and delivery addresses then changed the billing address on the payment server, two large products for the same person, anonymous message - the same for each gift, anonymous yahoo email - need I say more - when using aol ISP, more than 1 attempt to pass the transaction, next day delivery etc etc.

So the question is - how secure is 3d secure? This is the all-singing, all-dancing no fraud's gonna get through this baby. Oh yeah?

Anyone else had completely fraudulent orders get through as passed?

And what would happen if I shipped. Would I definitely get the money as it's a full green?

9:19 pm on Dec 13, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 28, 2002
posts: 1763
votes: 0


if I shipped. Would I definitely get the money as it's a full green?

Isnt that a question for 3D secure (whatever that is) and not this group? What too if 3D secure goes out of business?

Where's the ship-to? I don't see that order as necessarily a huge red flag at Christmas unless going to Nigeria or the like. Depends on dollar amount. Would certainly check out email, phone, name and address in G.

11:33 pm on Dec 13, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 6, 2005
posts:670
votes: 0


I thought 3D Secure was about prompting the card holder for their PIN code. It has nothing to do with the dodginess of the cardholder.

Any cardholder can apply for a PIN code. Whether they attempt to commit fraud with it is another matter.

1:16 am on Dec 14, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 28, 2005
posts:164
votes: 0


I think you're not getting where I'm coming from.

For those that don't know, 3D secure is AKA Verified by VISA / Mastercard Securecard. Basically if the transaction is green then they will not do a chargeback if it turns out to be fraud.

The thing is the card might be genuine - but it ticks all the boxes of a fraud and has come up with a big red light (high risk) on the protx system (the 3rd man) - card used with various email addresses, at many addresses, big spend at this address etc etc.

So I've got The 3rd Man / protx saying no way, this is dodgy big-time.

And I've got VISA/Mastercard saying yeah, this is fine.

The card has probably been nicked in post or applied for using false identity or some other. What worries me is that the fraud has been able to dupe the brand new 3D secure system and what are the implications for this for online ecommerce if it becomes easily abused/broken/defrauded?

10:03 am on Dec 14, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 8, 2005
posts:68
votes: 0


Unfortunately 3D Secure is not the anti-fraud panacea it claims to be - it's really easy to get a new password with only basic information about the cardholder. It also doesn't protect you unconditionally against chargebacks, even if the correct password is entered.

If this order turns out to be fraudulent, then it's likely you will not be liable for it, but there are exceptions and you may find it ends up costing you anyway. Why take the chance?

Remember you are not obliged to sell anything to anyone - if you're unhappy with the order, don't process it. Your gut instinct is often right!

11:42 am on Dec 14, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:July 13, 2006
posts:500
votes: 0


Protx says that 3D secure verified transactions have a shift in liability which I understood to mean that they will not chargeback on these transactions.

Otherwise what is the point of using 3D secure (Verified by Visa)?

3:41 pm on Dec 14, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2005
posts:3603
votes: 54


3d does not promise no chargebacks this is a false assumption. It varies big time with so much red tape you will never figure it out.

maybe the mod will allow this link or at least do a redirect. This will tell you NOT TO PROCESS THE ORDER.

It is your responsibility to verify the information with the bank the card is drawn from, if you don't you will be issued a chargback if the order is a fraud and you as welll as me know it is. just ttooooo may flags there not to seee it.

Got one a minute ago 600.00 order he said need it shipped fast yea right....

The reason to be involved with it you do get a reduced processing fee and it does discourge the majority of fraud orders but as you see not all.

I bet there are those that have stolen the idenity of the card holder changed the information to use in systems such as this as it does tend to lower your guard and they have gotten orders processed and delivered on a higher percentage.

[edited by: minnapple at 11:34 pm (utc) on Dec. 14, 2007]

3:20 pm on Dec 15, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 6, 2005
posts:670
votes: 0


>> Otherwise what is the point of using 3D secure (Verified by Visa)?

There is no point. It's a scheme hatched by Visa to reduce their losses, but it's not customer-friendly.

We offered it for a year, before removing it from our site. We received many emails from confused customers, who clicked-away because they didn't have their card registered for VbV, and instead were presented a spammy message to sign-up now.

Once we removed it, our conversion rate rose, and our chareback rate remained the same. Of course, YMMV ..

3:40 pm on Dec 15, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 25, 2004
posts:2156
votes: 0


Hi,

As the ex-CTO of a virtual credit-card scheme I can tell you that I am utterly unconvinced by the VISA/MC schemes and refuse to use them at all as a customer. The first (and last) time I was prompted for my details (a) it was totally impossible for *me* to tell if the request was being faked or not due to the way it was presented in my browser ie think man-in-the-middle attack, and (b) it was broken anyway as it turned out the card company had recorded my DOB wrongly.

So, 3D secure does nothing much to increase security and is to my (professional and end-user) eye easy to spoof.

Trust your instincts, not just the security scheme.

IMHO.

Rgds

Damon

PS. Note that I'm an ex-CTO so maybe you should discount my views accordingly! B^>

11:09 am on Dec 16, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 8, 2005
posts:68
votes: 0


We also trialled 3D Secure a while ago and removed it because of the confusion it caused. The problem is that soon we won't have a choice in the UK - already it will be compulsory for Maestro transactions next year, and Visa and Mastercard are sure to follow. Considering how much promotion was given to Chip and Pin when that was introduced for offline transactions, 3D Secure is being left to the merchants to promote which is just going be chaotic. Suffice to say we will be leaving it until the very last minute before we add it.
1:20 pm on Dec 19, 2007 (gmt 0)

New User

10+ Year Member

joined:Nov 7, 2007
posts:2
votes: 0


Some more information on 3-D Secure. At least this is what I understood from 3-D Secure:
3-D Secure offers a high level of security since it allows customers to be identified unambiguously through technologies implemented by the issuing banks.
By offering 3-D Secure, a merchant benefits from a conditional payment guarantee described in the 3-D Secure contract with his acquirer. Under these conditions, a merchant's account is no longer debited for disputes over "non-identification of the cardholder" (this does not apply to disputes over other matters!).

STANDARD 3-D SECURE TRANSACTION PROCESSING
How does it work?
If authentication is successful, the merchant can benefit from the conditional payment guarantee provided by his acquirer.
If the card is not enrolled, the merchant receives some level of conditional payment guarantee provided by his acquirer.
In both cases, therefore, the merchant has, under certain conditions (defined by VISA, MasterCard and financial organisms, and as described in the 3-D Secure contract with his acquirer), a payment guarantee, even without receiving identifying information from the customer.

Those conditional payment guarantee rules are exclusively managed between the merchant and his acquirer.

But this does not exclude fraud. That's why some Payment Service Providers offer extra Fraud Module.

1:47 pm on Dec 19, 2007 (gmt 0)

Senior Member

joined:Mar 8, 2002
posts:2897
votes: 0


When Visa forced Protx to use 3D secure is the day I moved my merchant provider to PayPal Pro. As I recall, it was something FORCED onto Protx and therefore Forced onto us as merchants. The system frustrates the sale with little increase in legal protection for the merchant.