2D Secure (2DS) in the Context of Cybersecurity: Vulnerability Analysis and Evolution of Protection

Jollier


1. Technical information about 2D Secure

2D Secure is an early Internet payment authentication system, the predecessor of 3D Secure.
How it works:
  • Checking only static data (card number, expiration date, CVV)
  • Lack of multi-factor authentication (MFA)
  • Vulnerability to:
    • Phishing
    • MITM attacks
    • Brute force

2. Historical vulnerabilities of 2DS (cases)

  1. Phishing Fake Payment Forms
    • Fraudsters copied store designs to collect data (2010–2015)
  2. MITM attacks
    • Interception of data in unencrypted sessions (lack of TLS 1.2+)
  3. Carding via bots
    • Automated CVV brute force attacks (limit: ~500 attempts/hour)

3. Why is 2DS outdated?

  • Lack of dynamic authentication (SMS, push notifications)
  • PCI DSS 3.2+ non-compliant (requires MFA for remote payments)
  • Replacement for 3D Secure 2.0 (2016–2024):
    Parameter      | 2DS                | 3DS2
    Authentication | Only CVV           | Biometrics, OTP, FIDO2
    Encryption     | SSL/TLS (optional) | TLS 1.3 is mandatory
    Adaptability   | No                 | Real-time risk assessment

4. Modern analogues of protection

  1. 3D Secure 2.0/2.3
    • EMVCo standard for PSD2 (Europe) and RBI (India)
    • Integration examples: Stripe, Adyen
  2. Card tokenization
    • Replacing data with one-time tokens (Apple Pay, Google Pay)
  3. Behavioural analysis
    • Systems like Kount, Forter (data entry speed assessment, IP reputation)

5. How to study payment security legally?

  1. Documentation:
  2. Sandboxes for testing:
  3. Certifications:
    • Certified Payment Security Professional (CPSP)
    • OSCP for payment system pentesting

6. Example of an attack on 2DS (for educational CTF)

Scenario:
  • Attacker intercepts HTTP request with card data via unsecured Wi-Fi
  • Uses bot to check CVV on 100+ sites with 2DS

Protection:
  • Implementing HSTS (HTTP Strict Transport Security)
  • Limits on CVV entry attempts (max 3 errors → blocking)

Important: Studying legacy systems is only relevant for:
  • Historical analysis of threats
  • Development of protection systems
  • Training of specialists in fintech security

For experiments, use test environments (not real data!).
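
The "max 3 errors → blocking" control from the Protection list above, as an added example that is not part of the original post: a limiter that counts CVV failures per card rather than per IP or session, so failures arriving from different sources still reach the limit. The class and function names, the one-hour window, the HMAC key and the sample events (test card numbers, documentation IP ranges) are all constructed for illustration.

```python
import hashlib
import hmac

MAX_CVV_FAILURES = 3      # "max 3 errors -> blocking" from the post
WINDOW_SECONDS = 3600     # assumed counting window, not from the post
FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: a real key sits in a KMS/HSM

def card_fingerprint(pan):
    """Keyed hash, so the limiter never stores the card number itself."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()

class CvvAttemptLimiter:
    def __init__(self, max_failures=MAX_CVV_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = {}    # fingerprint -> timestamps of recent CVV failures
        self.blocked = set()  # fingerprints locked until manual review

    def check(self, pan, cvv_ok, now):
        """Return 'approved', 'declined' or 'blocked' for one attempt."""
        fp = card_fingerprint(pan)
        if fp in self.blocked:
            return "blocked"  # a later correct CVV does not lift the block
        if cvv_ok:
            self.failures.pop(fp, None)
            return "approved"
        recent = [t for t in self.failures.get(fp, []) if now - t < self.window]
        recent.append(now)
        self.failures[fp] = recent
        if len(recent) >= self.max_failures:
            self.blocked.add(fp)
            return "blocked"
        return "declined"

# Constructed sample events: (seconds, source IP, test card number, CVV matched?)
CARD_A, CARD_B = "4111111111111111", "5555555555554444"
SAMPLE_EVENTS = [
    (0, "203.0.113.5", CARD_A, False),
    (20, "198.51.100.7", CARD_A, False),   # different source, same card
    (45, "192.0.2.9", CARD_A, False),      # third failure -> block
    (60, "192.0.2.44", CARD_A, True),      # correct CVV, but card is blocked
    (70, "203.0.113.5", CARD_B, False),
    (90, "203.0.113.5", CARD_B, True),     # success resets CARD_B's counter
]

def replay(events, limiter=None):
    limiter = limiter or CvvAttemptLimiter()
    return [limiter.check(pan, ok, ts) for ts, _ip, pan, ok in events]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The source IP is deliberately ignored when counting: keying on the card fingerprint is what makes the limit hold when the failures come from several addresses.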
 

2D Secure (2DS) in the context of cybersecurity

What is 2D Secure?

2D Secure (sometimes referred to as "two-dimensional security") is a basic level of online payment security that does not include additional authentication mechanisms such as one-time passwords (OTP) or biometrics. Unlike the more advanced 3D Secure protocol, 2D Secure is limited to checking the card's basic data (card number, expiration date, CVV code) without additional verification of the cardholder's identity.

2D Secure Risks

In the context of cybersecurity, 2D Secure is considered less secure than 3D Secure. The main risks include:
  1. No additional authentication:
    • In 2D Secure, transactions are processed based on card details only, making them vulnerable to fraud if card details are stolen (e.g. through phishing or data leakage).
  2. Vulnerability to fraud:
    • If an attacker gains access to the card details, they can easily use them for online purchases, as the system does not require verification of the cardholder's identity.
  3. Lack of protection against phishing:
    • Since 2D Secure does not use additional verification mechanisms such as one-time passwords or biometrics, users are more susceptible to data tampering attacks.

Comparison: 2D Secure vs. 3D Secure

The 3D Secure protocol (e.g. Verified by Visa, Mastercard SecureCode) was developed to address the shortcomings of 2D Secure. The main differences are:

Feature         | 2D Secure                  | 3D Secure
Security level  | Low                        | High
Authentication  | Basic (card details only)  | Advanced (password, OTP, biometrics)
Liability Shift | No                         | Yes (to the issuer, if authentication is followed)
Risk of fraud   | High                       | Low
User experience | Convenient but less secure | More complex but safer

Cybersecurity Implications of 2D Secure

  1. Vulnerability to carding attacks:
    • Fraudsters often target 2D Secure systems because they are easier to exploit. For example, stolen card data obtained through phishing, skimming or data leaks can be used without further verification.
  2. Risks for traders:
    • Merchants using 2D Secure face higher risks of chargebacks and financial losses due to fraud, and they also risk damaging their reputation if customers perceive their platform as unsafe.
  3. Risks for consumers:
    • Cardholders are more vulnerable to unauthorized transactions when making purchases on platforms that use 2D Secure. This can lead to financial losses and the need to dispute fraudulent charges.

Why is 2D Secure still used?

Despite its shortcomings, 2D Secure remains popular in some regions and with certain merchants due to the following reasons:
  1. Ease of integration:
    • 2D Secure is easier to implement into payment systems as it does not require complex authentication mechanisms.
  2. User convenience:
    • The lack of additional steps makes the checkout process faster, which reduces the likelihood of purchase abandonment.
  3. Low cost:
    • For merchants, 2D Secure is cheaper because it does not require additional technologies or licenses.

How to protect yourself when using 2D Secure?

If you use payment systems based on 2D Secure, it is important to take additional measures to protect yourself from fraud:
  1. Use virtual cards:
    • Virtual cards with a limited balance and expiration date reduce the risk of losing funds in the event of a data breach.
  2. Transaction Monitoring:
    • Set up notifications for every transaction to quickly detect suspicious activity.
  3. Avoid unsafe sites:
    • Make sure the site you enter your card details on uses HTTPS and has a good reputation.
  4. Update your cards regularly:
    • Request a card reissue every 1-2 years to minimize the risk of using outdated data.
  5. Switch to 3D Secure:
    • If possible, use cards and payment systems that support 3D Secure for additional protection.

Conclusion

2D Secure is an outdated protocol that provides a minimum level of protection for online payments. In today's world of cyber threats, its use is associated with high risks of fraud. To improve security, it is recommended to switch to more secure protocols, such as 3D Secure, and apply additional security measures, including transaction monitoring and the use of virtual cards.
 