If you use a credit card online you’ve probably come across Verified by Visa (or the Mastercard equivalent, SecureCode.) The systems add an extra password step to online transactions that the companies claim improves security. Unfortunately the user experience is nothing short of tragic and the implementation is counterproductive in the fight against phishing scams.

Last night I watched a friend burn through three Visa credit cards trying to book Eurostar tickets for a short break to France. Each time, the Eurostar website forwarded him and his card details to a page at 3dsecure.com, where he was asked to enter a password he’d previously registered. The site gave him two tries before blocking his card. This happened three times with three different cards. No tickets got bought.

Next, another of our group tried to buy concert tickets, again with a Visa card. Not being sure of her password she hit the “forgotten password” link and filled out the forms to reset it. She then submitted her transaction but was told that there was an authentication problem and she needed to call her bank. Again, no tickets got bought.

Verified by Visa took away about £250 worth of business from various merchants last night. However that’s not the scary part. The way card holders are required to enroll with the system beggars belief.

The first time you shop online at a merchant that supports Verified with your Visa card you are redirected to either a pop-up or an iframe that asks you to register for the system. It collects your name, credit card details, some “secret questions” and a password. It does all this from a domain that is neither the merchants’, your banks nor Visa’s (in fact there seem to be many variations on the domain name of the iframe or pop-up). The system then authorises the transaction and redirects you back to the merchant’s site. For subsequent transactions only the password is required.

How is this different in process or appearance from an email or website, claiming to be from or part of your bank, that takes you off to a third-party domain, asks for your credit card details, and then emails them to a drop-box from where a professional criminal cleans out your account?

Visa have invested heavily in securing their credit system against phishing attacks so I cannot understand why they modelled the Verified by Visa enrollment process on one. They used to be able to say to card-holders, “don’t ever give your passwords or card details to third parties” but now they have to qualify the message with “unless it’s got a Visa logo on it and it sounds something like 3Dsecure.com (or .co.uk, or was it 3-Dsecure.com. Whatever.)” That qualification makes it harder for them to get the anti-phishing message across; makes it more difficult for non-technical users to keep their accounts secure; and, with the increasing practice of embedding the offending password dialogue in an iframe, makes it more difficult to distinguish between legitimate and fraudulent requests for your details and passwords. When was the last time you hit View -> Source and checked for iframes?

What baffles me most is that snail mail works perfectly well as a secure channel for sending out authentication credentials. Why can’t Visa make the banks post out passwords to cardholders (with some literature detailing what the system does and the domain names involved) rather than dreaming up this suspicious-looking online registration system and presenting it to users without warning or explanation? Then they could mandate that the passwords be of high quality and customers could be confident that the system was legitimate. After all, that’s what they do with the PIN numbers for those very same cards, so it’s not like it would be any more effort.

After a suggestion by an online friend I’m tempted to start a list naming and shaming merchants who employ Verified by Visa. I know they’re being leaned on by the credit card companies to adopt the technology, however it would be a more effective method of pushing back than boycotting banks, which people are unlikely to want to do in large numbers. Of course with so few credit card companies to choose from, a boycott of Visa wouldn’t attract sufficient interest to make an impact, even if that’s what I really feel like doing.

Have you got a story of Verified-by-Visa-induced woe to add to the collection? Or perhaps your experience has been positive? Do you have a suggestion for the name-and-shame list? Add them in the comments!

UPDATE 2008/05/14 23:15:

Shortly after this post was published, I received an email from Cardiff Council:

Dear Mr King

I refer to your request submitted on 15th April. I regret that there has been considerable disruption to our FOI service as a result of an accident to our FOI Officer on the weekend of 19 April, as a result of which he is likely to be off work for several months.

(continues)

I assume this message was auto-generated by some kind of script, arriving as it did 37 minutes after the legal deadline for a response, and signed as it was by the “information manager”. I’ve just pinged back a reply to ask when they now expect to be able to send me the information I requested, given the (clearly unfortunate) circumstances.

On a personal note: there have been too many people around here suffering serious injuries lately. Look after yourselves, everyone – I don’t want to hear about any more.

Meanwhile in the real world, following up the story of Poole Borough Council using the Regulation of Investigatory Powers Act to spy on a pre-school child and her family, the BBC reported this week on a survey of local council RIPA use by the Press Association news agency. They have found the law being used by some councils to investigate such important priorities as littering, dog fouling and misuse of a disabled parking badge. (Sightings of unlicensed accordion players with primate business partners remain unconfirmed, but I’m confident that should any be spotted, the Clouseau Councils won’t hesitate to RIPA them into submission).

Sir Simon Milton, Local Government Association chairman, told the BBC,

“It’s wrong to suggest that these are specifically anti-terror powers.”

Then why did the Government sell the laws as being specifically required to combat “serious crime, including terrorism” in the media, in Parliament, and even on the Home Office website?

“There are strict rules to protect people from unnecessary intrusion, and whenever a council applies to use these powers they must prove that it is both necessary and proportionate to the crime being investigated.”

The proportionality test barrier can’t be very high if councils are able to satisfy themselves it’s met in cases of littering.

The article mentions that 19 councils asked for the survey questions to be submitted under the Freedom of Information Act, but it doesn’t list which ones. Fortunately, I have already submitted an FoI request to Cardiff council to find out how my local administration has used the laws since they came into force. I was hoping to discover whether Cardiff was a Clouseau Council in time for the local elections this week, but sadly the mandated one-month turn-around time expires a fortnight after the polls close.

How does your local authority shape up in the cracking-walnuts-with-sledgehammers department? Is this an election issue in your area? Hit the comments link and share your thoughts.

The Regulation of Investigatory Powers bill was sold as being a vital tool in the fight against child abuse, serious and organised crime, and yes, even terrorism. Now that it’s an Act of Parliament, we find it’s actually being used to enforce school catchment areas and target nuisance dog poo. Is wanting the best education for your child a criminal offence? I don’t think so. Not even a little one.

Keith Vaz, the Labour chairman of the Commons home affairs committee, said:

“I am astonished that this very serious legislation is being misused in this way in cases which seem to be petty and vindictive. We have just completed an inquiry into the surveillance society and we have noted that there has been a huge growth in the use of these laws. The people responsible have some very serious questions to answer.”

While I agree councils should have been more restrained, the fact that it’s legal for them to behave like this is the fault of the Government. If it was never the intent for RIPA powers to be used in a “petty and vindictive” way, then why does the legislation allow it? I think the people with “very serious questions” to answer are the MPs who keep passing laws you could drive a bus through.

It is poor civic hygiene to install laws that could someday facilitate a police state. RIPA was supposed to combat bogeymen, not help pettifogging bureaucracies snoop on hard-working families. How can we trust the Home Secretary now as she presses for increased powers of detention without charge internment without a shred of evidence to suggest they’re either necessary or proportionate? It’s not very re-assuring to hear that only suspected terrorists will be interred when the risk of being accused as such is increasing all the time.

Legislators must think much harder about how such laws could be abused, and less hard about what great headlines they’ll make, lest public trust and human rights become things of the past.