Phished by Visa/3D insecure

nicholas on 2010-01-26T16:27:34

Steven Murdoch and Ross Anderson systematically demolish 3D Secure/Verified by Visa. Shame that the banks don't employ the smart people, just the security researchers and the malware authors.

Meanwhile, at work, we continue to love the banks. Such as a large UK bank who will authorise a Euro transaction on Maestro (which must have been with 3DS/VbV) yet only reject it at settlement time because you can only use (UK) Maestro in sterling. Another authorised a card, but then rejected it at settlement because it was Electron rather than Visa Debit, and that merchant wasn't allowed to accept Electron. I'd love to be big enough to have the clout to tell banks "if you authorise it, the only reason to subsequently refuse to settle it is because it was reported as missing/fraudulent in the meantime. Otherwise, you honour your authorisation", and bear the cost of (fixing) your own bugs.

And the coda on the second one - said large UK bank then admitted that its own BIN ranges had an error. If the banks can't get that right, what hope has anyone else?