This is a very interesting paper; it confirms most of the basic misgivings I’ve had about the 3D Secure model of online card approval. (Basically: it’s not that it’s inherently not very secure, although it is, it’s that it encourages people to be overly trusting of weird middleman attempts to get financial information. I mean… a frame pops up, which shows no obvious signs of whether or not it’s secure, coming from a domain which has no obvious connection to the card provider, registered in another country…)