Except that 3D Secure is opt-in by the merchant. All you need to do is find a web store that is more than 2 years old and you can use stolen/skimmed cards all day long.
My primary card declines all non-3D Secure internet purchases unless I click the scary-sounding "Open card to all internet purchases for 60 minutes" button in the bank app.
That's brilliant! May I ask where you're from? Our national processor was one of the first to implement 3D Secure but none of the banks I know about offer that kind of protection (even on my company card).
Not for long: it will be mandatory in the EU from the end of the year under the PSD2 regulations (though the deadline has moved back into 2021 for some countries, including the UK, which is adopting them despite Brexit).
Issuers will start to decline card transactions for any merchants that submit payments that haven't gone through 3DS.
Hell yeah! Now we just need to get banks to stop using SMS 2FA and embrace an open 2FA standard like TOTP and our money (!!) will finally be almost as secure as our Facebook accounts have been for 5 years...
Instead banks should use WebAuthn. WebAuthn's credentials are directly bound to the DNS name. So anything that involves fooling the human like a phishing site can't work. The only site your authenticator can give the real-bank.example credentials to is... real-bank.example.
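The origin binding described above, as an added example that is not code from the comment or from any bank: the relying-party-side checks on clientDataJSON and authenticatorData that reject an assertion produced for any DNS name other than the bank's. The RP ID, origin and challenge are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed values for the example: the bank's RP ID (its DNS name) and the
# origin it serves the login page from. Neither comes from a real bank.
EXPECTED_RP_ID = "real-bank.example"
EXPECTED_ORIGIN = "https://real-bank.example"

# WebAuthn flag bits in authenticatorData: UP = user present, UV = user verified.
FLAG_UP = 0x01
FLAG_UV = 0x04


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """Relying-party checks that tie an assertion to the DNS name.

    The browser, not the page's JavaScript, fills in clientDataJSON.origin and
    the rpId whose SHA-256 opens authenticatorData, and the authenticator signs
    over authenticatorData || SHA-256(clientDataJSON). Signature verification
    is the step that follows these checks and is not shown here.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:                  # phishing origin fails here
        return False
    if b64url_decode(cd.get("challenge", "")) != challenge:  # replayed assertion fails here
        return False
    if len(auth_data) < 37:                                  # rpIdHash(32) + flags(1) + counter(4)
        return False
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False                                         # wrong rpId fails here
    return bool(auth_data[32] & FLAG_UP)


def build_assertion(origin: str, rp_id: str, challenge: bytes, flags: int = FLAG_UP | FLAG_UV):
    """Construct the two fields as a browser and authenticator would fill them."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
    return client_data, auth_data
```

In practice an authenticator holds no credential scoped to a look-alike domain's rpId, so the phishing page never obtains an assertion at all; the checks above are what make a relayed or replayed one fail at the bank.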
SMS 2FA can also be phished, so TOTP would still be better and WebAuthn is such a complete paradigm shift that it would take many years for banks to implement it. TOTP is so stupidly simple they could roll it out in a month, audits and all.
Not to mention that in order to have a decent WebAuthn experience, you need a Yubikey with NFC, which goes for $30-60 if I remember correctly. Cost of authenticators is why everyone switched away from RSA SecurID.
WebAuthn for relying parties (what the bank is in this scenario) just isn't very hard. And you don't end up with any long term secrets at all, so that makes the security story easier. But I sadly do not expect banks to adopt it anyway.
I don't see what a Yubikey with NFC is getting you here. For a laptop/desktop user any of the Security Key products in an appropriate USB form factor (USB C for some newer laptops otherwise USB A) would be suitable.
The high-end phones are, or in the case of the iPhone very shortly will be, WebAuthn platform authenticators; there's nothing extra to buy. Apple released a video of the pleasant UX journey they want to promote. Obviously, being Apple, it doesn't actually say this would work on non-Apple devices, but I use it already so I know it does.
My bank never used SMS as 2FA. They supported mobile signature for… I do not even remember how long, at least 11 years now. TOTP was supported even before that and is phased out in favour of https://www.smart-id.com/
Yes, 3D Secure leads to a different liability layout. Stores that don't implement it face liability on chargeback, whereas stores that do use it are protected, and the banks themselves take liability.
At least that's my understanding of it; it might not be that clear-cut.
Oh wow, now I'm even more amazed that more stores don't support it. I guess chargebacks aren't common enough to be worth paying a dev to upgrade their systems...
Nah, if the real card holder makes a complaint to the card issuer, there will be a full charge-back by the card issuer plus an investigation fee, and the store will have to cover the loss.
It may be annoying if one is not used to taking care of one's own transaction safety and is willing to shift this responsibility to some other entity; of course this convenience has a cost.
Well, I already moved to Paypal wherever I'm forced to do this dance. It is also completely unusable for me when travelling, because I like to keep the stuff to authorize unlimited transactions from my bank account at home.
Using credit card numbers is IMHO a very convenient way of paying, with the liability for fraud being set up exactly in the right customer-friendly way.