Dear 3D Secure SMS security


I have recently booked an airplane ticket on AirFrance.fr.

Normal online booking procedure, nothing exciting as usual, but then, at the end of the process, I am forced to verify my identity with a code sent to a mobile phone in order to complete the transaction.

This happens because my bank has subscribed to the 3D Secure program, which adds some more fancy security to online transactions with AirFrance.

And I think this forced SMS system is deeply wrong. Here is why.

First, the concept.

I am booking online. Not by phone, not in an agency, ONLINE. From a computer. That means I want to use the Internet to complete my transaction. Not a phone. Otherwise I would call the AirFrance booking department.

From a web engineer's point of view, it makes the client look for his phone and use it in the middle of the transaction workflow, distracting him from what he is doing: purchasing. This clearly disrupts the user experience of a regular payment.

My first thought was to give up, but due to external personal reasons, I didn’t have a choice. I had to use AirFrance.

Second, the fake security.

The client is being pulled out of the payment process, so there must be a reason. Security?

If a credit card has been stolen, it’s likely a phone has also been stolen. Handbag, jacket, wallet+phone… The classics.

If a credit card number has been copied or hacked from another online store, well, neither an email box nor an online bank interface is accessible to the thief either, so why only the mobile phone?

When it was released, this 3D Secure system was criticized by security researchers, but it was still widely implemented. Companies listen to the marketing department more than to security researchers.

Third, the lack of alternative.

With my bank’s program, I have no other choice than 3D Secure verification by SMS. But there are many alternative solutions:

  • One-time password sent by email
  • Internal validation system in my online bank interface

That would have been way more secure, convenient and faster. So why can’t I choose something else?

Fourth, the business and the cost behind it.

Finally, and in my opinion the obvious real reason, sending automated SMS or making extra phone calls generates money for somebody.
There is a real business model behind that.
Some company, its equipment and its computers are working on that, and the good news is that it’s all automated. Generating money, automatically. Great.

But who is paying? Me, somewhere in my bank’s fees.

Who is earning money with that? Not me, obviously.

Fifth, the implicit agreement.

I never asked my bank for that, nor agreed to it, when I signed my contract (oh yeah, the small print somewhere again, but do I really have a choice?).

Sixth, time lost.

Yeah, I have better things to do than waste my time checking SMS.
But suppose I don’t have a phone and there is no friend around. What do I do? I simply cannot book, and I have wasted a considerable amount of time on this website.

Conclusion & Thought

Here we are, in the middle of a business where you have no choice but to pay to be annoyed.

I really would like to meet someone whose bank account was saved by this system.

If you don’t have a phone, by choice or because you are traveling abroad or whatever, don’t waste your time on AirFrance.fr to book flights. You cannot book. You have to have a phone. And give the number to your bank.

In the future I’m planning to get rid of this bank contract, and I have already decided never to book on AirFrance again: I see more disadvantages in this procedure than benefits.

Last one: are there really people paying online with a stolen credit card and their registered ID card and passport number on the flight ticket?

Fab

Engineer - Web Juggler - Confit de canard