PayStory: Closer and Intimate With 3D Secure
Probably most of you know what 3D Secure is: the authentication step when we purchase something online using a credit or debit card with a VISA or Mastercard logo (in Indonesia we don’t have debit cards with a JCB or Amex logo, although rumour says there will be one). Usually we get a text message with an OTP code sent to our phone, and we need to enter that code into the 3D Secure web page (I say usually because there is another method, which I will explain later).
For those who don’t know, 3D Secure is an additional security layer for online credit and debit card transactions. This process helps prevent people from using a person’s card details without his/her permission, and it also makes transactions safer for retailers who want to make sure their customers are protected (source: Wikipedia).
In short, 3D Secure guarantees that the transaction is secure and genuine. Right? Hmm, does it?
Well, that is the idea behind 3D Secure, but in the real implementation, you know, humans can sometimes trick the process, especially people who intend to do bad things to others; they can be so tricky.
But first, let’s talk about how 3D Secure works as a process flow, because so many people ask me how 3D Secure works. So I guess I will just write down the process and tell them to open this article, which indirectly increases this article’s view count, hahaha, what a tricky person I am.
The scope of this discussion is 3D Secure version 1, which is commonly used in the current payment process. 3D Secure version 2 is a bit different; I will talk about that next time. The 3D Secure version 1 process on a credit or debit card looks like this:
- PAN is Primary Account Number, the card number
- MPI is Merchant Plug-In, an application that can reside in the Payment Gateway system or at a 3rd party
- ACS is Access Control Server, which resides at the issuer bank. Its function is to check the card’s enrolment and also to show the 3D Secure page
- VEReq is Verifying Enrolment Request, a message sent by the MPI to the Directory Server to check the card’s enrolment
- VERes is Verifying Enrolment Response, the message returned by the Directory Server to the MPI with the card’s enrolment status, along with the ACS URL if the card is enrolled
- PAReq is Payer Authentication Request, a parameter sent along when the cardholder opens the ACS URL (the 3D Secure page)
- PARes is Payer Authentication Response, the message returned by the ACS when the cardholder submits the 3D Secure authentication
- OTP is One Time Password or One Time PIN, a code that is usually sent by text message to our phone for the 3D Secure authentication
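To make the message flow above concrete, here is an added example that simulates the VEReq/VERes and PAReq/PARes exchange between an MPI, a Directory Server and an ACS. It is not code from the original article, and not any card scheme’s or bank’s implementation. Real 3DS version 1 messages are XML and the PARes carries an XML signature from the ACS; in this example the messages are plain dicts, an HMAC stands in for that signature, and the card range, ACS URL, signing key and merchant data are all constructed. It also shows the two checks an MPI should make before trusting a PARes: that the signature verifies, and that the response refers to the same transaction (xid, amount, merchant) as the PAReq it sent, so a response for one purchase cannot be replayed for another.

```python
"""Simplified walk-through of the 3D Secure version 1 message flow.

Added example, not code from the original article, a card scheme or a bank.
Messages are dicts and an HMAC stands in for the ACS's XML signature on PARes;
the BIN range, ACS URL, signing key and merchant values are constructed.
"""
import hashlib
import hmac
import secrets

ENROLLED_BIN = "411111"                       # constructed enrolled card range
ACS_URL = "https://acs.issuer.example/3ds"   # placeholder ACS URL
ACS_SIGNING_KEY = secrets.token_bytes(32)     # assumption: shared with the MPI out of band


def _sign(key, message):
    """HMAC over the message fields, standing in for the XML signature on a PARes."""
    body = repr(sorted(message.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class DirectoryServer:
    """Scheme-side directory: answers a VEReq with a VERes."""

    def verify_enrolment(self, vereq):
        enrolled = vereq["pan"].startswith(ENROLLED_BIN)
        veres = {"enrolled": "Y" if enrolled else "N"}
        if enrolled:
            veres["acs_url"] = ACS_URL        # the MPI redirects the cardholder here
        return veres


class AccessControlServer:
    """Issuer-side ACS: receives the PAReq, checks the OTP, returns a signed PARes."""

    def __init__(self, key):
        self.key = key
        self.pending = {}                      # xid -> PAReq, OTP and attempts left

    def start(self, pareq):
        """Cardholder arrives with the PAReq; the ACS issues a single-use OTP."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[pareq["xid"]] = {"pareq": pareq, "otp": otp, "attempts": 3}
        return otp                             # in reality sent by SMS, never to the browser

    def authenticate(self, xid, submitted_otp):
        """Cardholder submits the OTP; the ACS answers with a PARes either way."""
        entry = self.pending.get(xid)
        if entry is None or entry["attempts"] == 0:
            return self._pares(xid, None, "N")  # unknown, already used or locked out
        entry["attempts"] -= 1
        ok = hmac.compare_digest(entry["otp"], submitted_otp)
        if ok:
            del self.pending[xid]              # the OTP cannot be replayed
        return self._pares(xid, entry["pareq"], "Y" if ok else "N")

    def _pares(self, xid, pareq, status):
        pares = {"xid": xid, "status": status,
                 "amount": pareq["amount"] if pareq else None,
                 "merchant": pareq["merchant"] if pareq else None}
        pares["sig"] = _sign(self.key, pares)
        return pares


class MerchantPlugIn:
    """Payment-gateway side: sends the VEReq, builds the PAReq, validates the PARes."""

    def __init__(self, directory, key):
        self.directory = directory
        self.key = key
        self.sent = {}                         # xid -> PAReq we issued

    def check_enrolment(self, pan):
        return self.directory.verify_enrolment({"pan": pan})

    def build_pareq(self, pan, amount, merchant):
        xid = secrets.token_hex(10)            # transaction id, echoed back in the PARes
        pareq = {"xid": xid, "pan_last4": pan[-4:], "amount": amount, "merchant": merchant}
        self.sent[xid] = pareq
        return pareq

    def validate_pares(self, pares):
        """Trust a PARes only if the ACS signed it and it matches a PAReq we sent."""
        pareq = self.sent.get(pares.get("xid"))
        if pareq is None:
            return False
        unsigned = {k: v for k, v in pares.items() if k != "sig"}
        if not hmac.compare_digest(_sign(self.key, unsigned), pares.get("sig", "")):
            return False                       # forged or tampered response
        return (pares["status"] == "Y"
                and pares["amount"] == pareq["amount"]
                and pares["merchant"] == pareq["merchant"])


def run_flow(pan, amount, merchant, correct_otp=True):
    """Drive one purchase through the flow; returns (enrolled, authenticated)."""
    directory = DirectoryServer()
    acs = AccessControlServer(ACS_SIGNING_KEY)
    mpi = MerchantPlugIn(directory, ACS_SIGNING_KEY)
    veres = mpi.check_enrolment(pan)
    if veres["enrolled"] != "Y":
        return False, False                    # no ACS page; the merchant decides how to proceed
    pareq = mpi.build_pareq(pan, amount, merchant)
    otp = acs.start(pareq)                     # the browser is redirected to veres["acs_url"]
    submitted = otp if correct_otp else f"{(int(otp) + 1) % 10**6:06d}"
    pares = acs.authenticate(pareq["xid"], submitted)
    return True, mpi.validate_pares(pares)
```

Running `run_flow("4111111111111111", 250000, "Toko Example")` returns `(True, True)`; a wrong OTP gives `(True, False)` and a card outside the enrolled range gives `(False, False)` without ever reaching the ACS. The MPI-side `validate_pares` is the part worth copying in spirit: a PARes that is unsigned, re-signed with the wrong key, or edited to a different amount is rejected, and a PARes for one xid cannot be presented against another PAReq.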
So, with all those steps, a transaction that goes through 3D Secure should be categorised as a genuine transaction. The online store believes the payment is valid and the bank also believes the transaction comes from the genuine cardholder. But frankly my dear, life is not as easy as Mario Teguh’s words.
As I said previously, a bad person can find a way to trick the 3D Secure process, not by hacking the system, just by getting some data and probably a little social engineering.
First, not all 3D Secure processes use a text message sent to the phone for the OTP. Some 3D Secure processes only require the last 4 digits of the card number and the cardholder’s birth date. This is an easy task for a pickpocket who already has your credit card and your ID.
Second, even when the 3D Secure process uses an OTP sent to our phone, there are ways those bad people can get the OTP code. They can pull off a “Mission Impossible”-style action, where they go to the phone operator and pretend to be the real owner of the phone number, with a fake ID of course. They say they lost the phone and need a new SIM card. And once they get the SIM card, they have access to every OTP sent to that phone number.
Or they just do a little social engineering: they call us, pretending to be from our card’s bank. They say something to convince us that they need to verify our data, and then they ask for the OTP that has just been sent to our phone. That is why our bank always tells us NOT to give any card data or any PIN/code to anyone, even someone from the bank itself, because the bank will never ask such questions.
So be careful with your card data: don’t casually show your card to anyone (like handing it to a waiter), don’t give any card data or any code to anyone, and make sure you keep it safe. But the most dangerous place to keep your wallet and your phone is your home, because you never know when your wife is gonna take it……