Richard's Kingdom

Privacy, security and politics in the digital era

Verified by Visa: bad for security, worse for business

As far as phishing schemes go they don’t come better than Verified by Visa. Fortunately it isn’t actually a scam. However it so closely resembles the perfect online con that this detail makes little practical difference. What’s more it’s turning customers away from merchants who employ the system.

If you use a credit card online you’ve probably come across Verified by Visa (or the Mastercard equivalent, SecureCode). The systems add an extra password step to online transactions that the companies claim improves security. Unfortunately the user experience is nothing short of tragic, and the implementation is counterproductive in the fight against phishing scams.

Last night I watched a friend burn through three Visa credit cards trying to book Eurostar tickets for a short break to France. Each time, the Eurostar website forwarded him and his card details to a page at 3dsecure.com, where he was asked to enter a password he’d previously registered. The site gave him two tries before blocking his card. This happened three times with three different cards. No tickets got bought.

Next, another of our group tried to buy concert tickets, again with a Visa card. Not being sure of her password she hit the “forgotten password” link and filled out the forms to reset it. She then submitted her transaction but was told that there was an authentication problem and she needed to call her bank. Again, no tickets got bought.

Verified by Visa took away about £250 worth of business from various merchants last night. However that’s not the scary part. The way card holders are required to enroll with the system beggars belief.

The first time you shop online at a merchant that supports Verified with your Visa card you are redirected to either a pop-up or an iframe that asks you to register for the system. It collects your name, credit card details, some “secret questions” and a password. It does all this from a domain that is neither the merchant’s, your bank’s nor Visa’s (in fact there seem to be many variations on the domain name of the iframe or pop-up). The system then authorises the transaction and redirects you back to the merchant’s site. For subsequent transactions only the password is required.

How is this different in process or appearance from an email or website, claiming to be from or part of your bank, that takes you off to a third-party domain, asks for your credit card details, and then emails them to a drop-box from where a professional criminal cleans out your account?

Visa have invested heavily in securing their credit system against phishing attacks so I cannot understand why they modelled the Verified by Visa enrollment process on one. They used to be able to say to card-holders, “don’t ever give your passwords or card details to third parties” but now they have to qualify the message with “unless it’s got a Visa logo on it and it sounds something like 3Dsecure.com (or .co.uk, or was it 3-Dsecure.com. Whatever.)” That qualification makes it harder for them to get the anti-phishing message across; makes it more difficult for non-technical users to keep their accounts secure; and, with the increasing practice of embedding the offending password dialogue in an iframe, makes it more difficult to distinguish between legitimate and fraudulent requests for your details and passwords. When was the last time you hit View -> Source and checked for iframes?
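The “check for iframes” test above is the one a cautious shopper (or a merchant auditing its own checkout page) would actually run, so here is an added example that is not part of the original post: it extracts every iframe source from a checkout page and flags any whose origin is not the merchant’s own site or the issuer’s published 3-D Secure host. The origins, the page HTML and the `.test` domains are all constructed for the example.

```javascript
// Origins the shopper has a documented reason to trust on this checkout page
// (assumed values: the merchant's own site and the issuer's ACS host as
// printed in the bank's literature). Anything else is a third party.
const TRUSTED_ORIGINS = new Set([
  'https://www.example-merchant.test',
  'https://acs.example-bank.test',
]);

// Pull the src attribute out of every <iframe ...> tag. A regex is adequate
// for this constructed input; in a browser you would iterate
// document.querySelectorAll('iframe') and read .src instead.
function extractIframeSrcs(html) {
  const srcs = [];
  const iframeRe = /<iframe\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    srcs.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return srcs;
}

// Resolve each src against the page URL (relative paths are same-origin)
// and classify it: not HTTPS, or not in the trusted set, is suspicious.
function auditIframes(html, pageUrl) {
  return extractIframeSrcs(html).map((src) => {
    const url = new URL(src, pageUrl);
    const insecure = url.protocol !== 'https:';
    const thirdParty = !TRUSTED_ORIGINS.has(url.origin);
    return { src, origin: url.origin, insecure, thirdParty,
             suspicious: insecure || thirdParty };
  });
}

// Constructed checkout page: one same-origin basket frame and one
// "verification" frame served from an unrelated, non-HTTPS host.
const SAMPLE_HTML = `
<div id="basket"><iframe src="/basket-summary"></iframe></div>
<div id="verify">
  <img src="/img/visa-logo.png" alt="Visa">
  <iframe src="http://3dsecure-enrol.example.test/enrol" width="400"></iframe>
</div>`;

// Usage: list the frames on the constructed page and report the bad ones.
const report = auditIframes(SAMPLE_HTML, 'https://www.example-merchant.test/checkout');
report.filter((r) => r.suspicious)
      .forEach((r) => console.log(`suspicious frame from ${r.origin}: ${r.src}`));
```

The logo next to the frame is deliberately irrelevant to the verdict: only the frame’s origin is checked, which is the point the paragraph above makes.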

What baffles me most is that snail mail works perfectly well as a secure channel for sending out authentication credentials. Why can’t Visa make the banks post out passwords to cardholders (with some literature detailing what the system does and the domain names involved) rather than dreaming up this suspicious-looking online registration system and presenting it to users without warning or explanation? Then they could mandate that the passwords be of high quality and customers could be confident that the system was legitimate. After all, that’s what they do with the PIN numbers for those very same cards, so it’s not like it would be any more effort.

After a suggestion by an online friend I’m tempted to start a list naming and shaming merchants who employ Verified by Visa. I know they’re being leaned on by the credit card companies to adopt the technology, however it would be a more effective method of pushing back than boycotting banks, which people are unlikely to want to do in large numbers. Of course with so few credit card companies to choose from, a boycott of Visa wouldn’t attract sufficient interest to make an impact, even if that’s what I really feel like doing.

Have you got a story of Verified-by-Visa-induced woe to add to the collection? Or perhaps your experience has been positive? Do you have a suggestion for the name-and-shame list? Add them in the comments!


14 Comments

  1. Whenever I use Verified by Visa I reset my password. It’s a never-ending loop: because I reset my password last time in a hurry, because I wanted to buy something, I didn’t remember it. Because you can’t reuse a password, you can’t use something memorable, so you end up using “tuesday1123” and I’m not going to remember that in 3 months’ time.
    The scary bit for me is that to reset my password it asks for card start and end date, CVN and birthday. All of that is available to the person who stole my wallet with my credit card and my driving licence. Not at all secure!

  2. Nik Roberts says:

    I agree 3D Secure is painfully bad.
    It’s being pushed on retailers by Visa/Mastercard as a way to remove the risk of chargebacks. For 3DS transactions any chargebacks are the responsibility of the bank, not the retailer. For smaller retailers this is irresistible as it might make the difference between making a profit and going out of business.

    I’m not sure naming and shaming these retailers would do much good. The retailer will either not change, and suffer (but Visa won’t notice). Or they’ll change, and get hit with chargebacks, but Visa won’t care as they’re small-fry.

    Now if you can find some bigger retailers to boycott that might be more effective, as that would also hit Visa’s bottom line. The problem there is that the biggest retailers (Amazon, PayPal, and the like) already reject 3DS because they have enough weight with the banks to say “screw you AND your chargebacks”.

  3. I do not like your icons for posting comments. Not accessible.

    Agree with your post though – but think the venom needs to be pushed at the CC companies, not the little guy that is already paying through the nose to accept CC payments.

  4. @Tim – yikes, that’s not good :(

    @Nik – Excellent point. I feel like we need to complain else none of the supply chain players will understand that their customers are tearing their hair out. However we should be careful to target our protests where they will have the greatest chance of achieving change. Any ideas?

    @huh? Point taken about the comments box – thanks for the feedback. I’m currently looking at making some changes to the way comments work here. Watch this space!

    Also @huh? Do you think we can make enough noise for CC companies to take our objections into consideration? I think we need to recruit some vendors to the cause too since they’re the ones through whom business flows to Visa et al.

  5. I got sent this link via Twitter – if you’re a Verified by Visa objector it might be of interest. Take action!

    http://www.pledgebank.com/securecodesucks

  6. I am convinced the VbV was created to STOP bank card security. It is NUTS. I have personally not purchased SEVERAL big ticket items because of VbV. I have NEVER seen a worse implementation of technology in my life. IT SEEMS like a con, then when you get stopped you have no choice but to call some stranger and give them a TON of personal information OVER the phone system (public for sure) only to get it unblocked so you can go through a frustrating online transaction all over again. WHO is the MORON that invented VbV because it is c r a p. I am NOT going to purchase online anymore … in fact I believe that VbV was created to continue the ruining of the American economy. Maybe it should be called BUShWARE.

  7. Dell is the latest company to lose my business because of Verify By Visa … They lost out on a PC sale.

    What a great way to destroy an economy and frustrate MILLIONS of people … great job Verify by Visa … whoever you are.

  8. Having avoided using my credit card online for a very long time I had no choice this week, I got slapped with the Verified by Visa form but I just couldn’t pick a password I thought secure that met their requirements because they specify a (far too short) maximum length.
    Why? It can’t be the amount of space it will take up in storage, since they will obviously be applying a cryptographic hash function to the password, won’t they? Please God tell me they are, so the outputs will be the same length even if I pick a twenty-character password and you pick a thirty-five-character one. Even wanting to do input checking doesn’t need there to be such a ridiculously short upper bound.
    I hit the fuck off button, I suspect I won’t be able to do that for much longer.

  9. Absolutely couldn’t agree more!

    Every Christmas present I’ve bought this month I’ve been presented with an iframe with an HSBC and VISA logo on.
    I keep hitting the “no thanks” button but it still keeps asking me.

    I’ve worked with 3D Secure in my job as a web development manager and I know how it all works with unsecured JavaScript posts and iframes. It is absolutely shocking how bad it is for card security.

    The day the website insists I sign up for “Verified by Visa” I will simply stop shopping online.

  10. Chase Bank is one of the biggest banks in America. Do a quick Google search for “Chase Verified by Visa”. The link goes to an https site hosted under securesuite (dot) net, which just so happens to be a fraudulent phishing site.

    To make matters worse, securesuite (dot) net used to be controlled by Chase, and used to be used by their Verified by Visa implementation.

    You can see the old link for yourself on the demo.chase.com link on:
    http://www.google.com/search?q=chase+verified+by+visa

    This is all shockingly awful. It’s kind of sad, too, to see that whoever controls securesuite (dot) net is using a VeriSign certificate to do so. You’d think VeriSign might make sure it’s not handing out SSL certificates to known criminals.

    You also might think Chase would care to do a little more SEO policing of “Chase Verified by Visa”. I tried calling Visa about this and they refer all calls about Verified by Visa to Chase. I tried calling Chase, and they said Visa controls Verified by Visa, and that they can’t do anything about it.

    What really roils me, though, is that it’s impossible to make purchases on some websites (such as Delta Airlines’ website) without going through the Verified by Visa charade.

  11. Had no problem with Verified by Visa until the last two weeks when I have been unable to use elements of my password requested.

    V by V say they have been having problems. I have managed to withdraw my Debit card from the system; not tried Credit card yet but have requested same.

  12. Disgusting. Truly. I’ve never seen a more offensive implementation of a security mechanism on an account. I’ve been to a couple of sites now that don’t even give an option to opt out. And I simply can’t bring myself to give in to the system and just hand over my info. So instead, Discover got my money. I can’t possibly see how this was deemed a better way to do this than a simple change to the cardholder’s agreement everyone has to abide by in order to keep their credit card. All they’d have to do is issue a pamphlet along with an updated agreement, and require people to sign up for an online pincode/password by such and such date in order to continue using their cards. That gets everyone on board, gives them the proper info they need to be armed with in order to avoid phishing, and does it in a way that feels legitimate and secure to those placing their trust and money into these companies.

  13. This was a good article to read. Today I spent 15 minutes, an hour, & then another 15 minutes on hold to the Visa Verification line trying to get my password changed, after the forgot password thing blocked me out. I read this article & typed this response during the last phase! I only wanted to pay for my 16-25 railcard, & if I stay on hold much longer I’ll probably have racked up another £26 in phone bills! What makes it worse is the boring, looped music & the woman constantly ‘apologising’ for my situation. Even student finance doesn’t take this long. I’ve only used it once or twice before & had no complaints til now…

    Also, it doesn’t actually tell you on the V by V site the number I’m currently calling. I had to be put through via my bank. I have now been on the phone 22 minutes. Not impressed AT ALL.

  14. I’ve just tried to purchase 2 things from different companies but can’t because of the verification password. I know my password and yes I did write it down in an odd place for security. The trouble is that my card was eaten by a faulty ATM so I was given a new one… I just need to somehow change the dates… but how?