3D Secure coming to Bank of Ireland credit cards

My credit card statement warned me today that "3D Secure is launching at the end of March. This free, automatic online security service will make spending online safer than ever!"

The promotional insert contained more reassuring messages:

  • as secure as possible
  • verify your identity by answering four questions [name, CVV2, date of birth and mother's maiden name]
  • we will also display your personal greeting giving you added comfort that it is Bank of Ireland who are asking you to enter your 3D Secure Password

Of course, from Murdoch and Anderson's paper we know that 3D Secure is worse than ineffective. So I have questions for Bank of Ireland:

  1. Do the terms and conditions move the burden of losses by fraud onto the cardholder?
  2. Is the Access Control Server outsourced? If so, to whom? What are their practical incentives to maintain high security standards?
  3. What is the official policy on selecting a CA for the ACS SSL certificate? If there isn't one, how can cardholders protect themselves against compelled certificate creation attacks?
  4. What will happen if a fraudster with my card details uses the forgot password procedure in an attempt to negate the benefit of 3D Secure? Will I still be stuck with the cost of the fraud?
  5. Can I be authenticated by something better than a password, for example a DDA card reader?
  6. Can I get an automatic notification every time there is an authentication attempt on my card number?

I couldn't find any information about this on www.bankofireland.com, so I'll phone them tomorrow and post the result. I'm sure it will be comforting.
