My credit card statement warned me today that "3D Secure is launching at the end of March. This free, automatic online security service will make spending online safer than ever!"
The promotional insert contained more reassuring messages:
- "as secure as possible"
- "verify your identity by answering four questions [name, CVV2, date of birth and mother's maiden name]"
- "we will also display your personal greeting giving you added comfort that it is Bank of Ireland who are asking you to enter your 3D Secure Password"
Of course, from Murdoch and Anderson's paper we know that 3D Secure is worse than ineffective. So I have questions for Bank of Ireland:
- Do the terms and conditions move the burden of losses by fraud onto the cardholder?
- Is the Access Control Server outsourced? If so, to whom? What are their practical incentives to maintain high security standards?
- What is the official policy on selecting a CA for the ACS SSL certificate? If there isn't one, how can cardholders protect themselves against compelled certificate creation attacks?
- What will happen if a fraudster with my card details uses the "forgot password" procedure in an attempt to negate the benefit of 3D Secure? Will I still be stuck with the cost of the fraud?
- Can I be authenticated by something better than a password, for example a DDA card reader?
- Can I get an automatic notification every time there is an authentication attempt on my card number?
I couldn't find any information about this on www.bankofireland.com, so I'll phone them tomorrow and post the result. I'm sure it will be comforting.