Anybody who has worked with it probably considers that blindingly obvious. The entire system has been badly managed from the start, and the majority of retailers who could deal with the chargebacks delayed/didn't bother implementing it.
Secondary credit card security systems for online transactions such as Verified by Visa are all about shifting blame rather than curtailing fraud, Cambridge University security researchers argue. The 3D Secure system - branded as either Verified by Visa or MasterCard SecureCode - has become a ubiquitous extra line of security …
given that the only thing keeping credit cards afloat at all is the "trust" backed by large amounts of money and chargebacks on the merchants. It never was a securable system, given how you have to give a few magic numbers along with all your personal information to "pay". This is a common theme in banking, mind.
I find it ironic that openid is actually "better" in this sense, even though it clearly isn't difficult, since it also doesn't quite protect your personal information much, or at all.
Based on experience with the HSBC any time you shop more than 3 things in a row within 30 minutes on sites using Verify By Visa it is marked as fraud and they block your card. So if you are not being a compliant consumerdroid and not shopping for a holiday from an "approved" "bundle" as a compliant consumer should do you get a block straight away. Hotel, flight, parking, car - 4 purchases in 20 minutes on average for at least 1K in total. BOOM - blocked card.
If however the sites you use to shop are not using VBV the purchases actually tend to go through.
So based on experimental evidence and the way their current fraud prevention systems are set up they know it is weak. Just doing the "time to bury bad news" yet again and proclaiming how good it is for fraud prevention.
That is besides the fact that the same HSBC at least initially kept part of the registration state machine in the client browser so anyone using Konq, Firefox or something else that allows you to manipulate cookie state and javascript on the client side could have fun with it. And so on.
I'm also with HSBC and used my Visa card heavily in the run-up to Christmas buying travel tickets from all and sundry.
Christmas Eve arrives and my card is locked, meanwhile the World's Local Bank (tm) has buggered off down the pub for a bonus-fuelled piss-up.
When I eventually got through to someone called Charles (in Bangalore) they couldn't explain why the card was locked, only that certain security issues had been raised - but nothing so serious that a few minutes listening to the godawful three bar HSBC anthem (all of their long-suffering customers will know it well) couldn't put right with a short spot of [tappity] and the requisite 'have you thought about buying home insurance from HSBC?' question.
I totally agree... if a website uses VbV I go elsewhere. If I can comment about this on the website I do.
Oddly enough my local council now uses VbV for online transactions. Now I have to pay my monthly council tax payments by phone rather than online. Bastards!
First time I saw 'Verified by Visa', I was a bit doubtful it was legit. Even though I was shopping on a top ranked online site.
I called my Credit Card company. The call center had never heard of Verified by Visa. So they immediately stopped my card.
Couple of days later they'd obviously been given the training course on what it was.
It is not the merchants who do this, it's the banks. They demand that companies use Verified by Visa or SecureCode, or face higher interchange rates (the amount that the merchant is charged for a card payment).
If the decision is £m's in increased bank charges per year or £000,000's to install and maintain VbV then the business will always go with option 2.
MasterCard and Visa have built an infrastructure that allows individual banks to decide how secure their internet purchases must be. Banks make their own tradeoffs around (i) security versus customer convenience; and (ii) timelines for migrating their entire customer base to secure logins for internet banking and SC/VbV purchases.
Password/DOB based schemes are not totally secure. But they are enough of a barrier to stop >75% of opportunistic fraud.
Card readers with challenge-response codes verified by the credit card PIN are undoubtedly more secure, but a pain for customers and a significant implementation headache for a bank with millions of customers. Many banks plan to move to this as a second phase for VbV/SecureCode, but the timeframe is usually aligned with their plans for securing access to their internet banking environments.
Yes, VbV/SecureCode are vulnerable to phishing. This only affects individual merchants, and is relatively quickly detected by banks' fraud analysis.
(posting anonymously, as I'm a credit card industry insider and have worked on several MC SecureCode implementations)
I utterly despise MC SecureCode, it is utter crap and a total inconvenience. I have lost count of the number of times it has had some fit and blocked my purchase and just returned some meaningless exception code.
You phone the card company, they can't help.
You phone the retailer, they can't help.
So you use a different card and say "FUCK OFF" to MC SecureCode.
Also, the MC SecureCode shit is very badly integrated and my browser throws a fit as 85% of the time it detects MC SecureCode potential XSS. My, that really boosts my confidence in MC SecureCode.
Take my advice - boycott retailers that use MC SecureCode/VbV and keep your life simples.
The biggest flaw at the moment is the way you have to enter the password. For those who haven't been through the process try this:
Enter the fourth, seventh and eleventh characters of your password.
In my experience very few people can do that off the top of their head. Most people seem to remember passwords more by 'finger habit' than anything else. When I use VbV I've found the most reliable way is to write my password using Notepad and put a row of digits underneath. That's clearly a big FAIL for security.
I have to track nearly a dozen passwords (personal and corporate since our IT people are only slowly hooking every application up to the domain) but VbV is the only time I have difficulty.
The other fail with VbV is that it's easy to circumvent. A friend has given up trying to enter their password and either lets it fail or just goes for 'I forgot it'. They've been doing this for a couple of years now and aside from a few extra clicks it's never stopped them buying things.
I suspect it's like Chip 'n' Pin - it's a get out strategy. Something they can point to if a transaction is disputed that they hope will let them off the hook. They don't want to protect our money - they just don't want to have to reimburse us.
They are a pain, require too many passwords, and are no substitute for just not being stupid.
I hate them and will not use any site that uses these. Lord knows what it is like for someone who only shops online from time to time and is not so happy with internet shopping.
No different. How many readers have a shroud which totally covers the magnetic strip when you insert it? How many of us know what's inside that box?
A local petrol station (chip and pin equipped) was cloning cards for months. They'd got the skimmer mounted on the chip and pin device, mounted so it looked like part of the casing.
It's not about securing customer finances, it's about shifting blame. It always is. If they wanted to make it secure, the PIN system would be thrown out and we'd have one-time authentication (code is a hash of PIN, Date and Time, and amount. Code can't be used any other time), or two-factor authentication (Something you are, something you have, something you know. Pick two).
You may think that Chip and Pin / 3D security are two-factor: They're not. The card is an identifier, not part of the security system. An RFID token, or photographic ID would be a second factor. In online transactions, everything is always "something you know" as you only need to know the details of the card holder to bypass the system / authenticate successfully.
Natwest have a two-factor authentication system for their online banking, so it can be done.
...that EMV Chip and PIN cards are mostly an exercise in shifting the blame, you don't have the details. The card IS part of the security system and contains a small crypto processor.
They DO have secure one-time authentication in the EMV system. The card itself produces a cryptogram of the transaction amount, date, time and a few other bits and pieces that the terminal verifies. The card also produces another cryptogram that the terminal cannot read and is sent to the authorising bank so that it can verify that the transaction details are identical as understood by the card and the terminal and nobody's trying to interfere.
Yes - you can still skim magnetic stripe card details and use them in some places. That is the weak link. EMV is only secure if merchants refuse to take mag-stripe transactions.
...bears poop in the woods.
Not to diss the guys behind the research, who are top notch and deserve credit (and deserve to be listened to a lot more closely by the buffoonish powers that be), but anyone who has been handling card payments on a website has known that this is pretty much the case ever since the gormless scheme was introduced. Like the CVC (CVV, Card Security Code, call it what you will) it's just a mechanism for the banks to offload as much responsibility for fraudulent transactions as they can to either the merchant or the cardholder.
That way, they get to keep more of our money so that they can widdle it up the wall on dodgy investments and pay themselves ludicrous bonuses.
Eventually everywhere I wanted to buy something from had Verified by Visa in the process, so I had to give up and go with the flow.
It was obvious from the outset that like Chip & Pin the only reason for this existing is to push fraud liability back onto the customer. If you wanted to make the PIN properly secure, you should separate the PIN entry from the system processing the payment - let the cardholder have direct entry on the card or their own machine. Combining PIN entry hardware with validation token receipt means that the machine is susceptible to interference to record PINs and account details as a pair.
If I had the power, I'd get real security researchers to lay down some minimum legal standards for security which must be met before anyone can claim enough system integrity to push liability somewhere else. You'd probably want to do this at a europe-wide level though.
You should not be able to blame someone for revealing secret information when it isn't secret anyway. That should be classed as fraud on the part of the credit institution. Perhaps one day they'll piss off someone rich enough to make a case out of it.
They have a concierge contact Their financial staff (who they told to buy them something) based upon the pre-agreed parameters setup by the bank and the Person's staff of financial agents. They don't sully their hands dealing with the riff-raff.
If someone DARES to commit fraud using a line of credit (NEVER call it a "credit card" - those are for the plebs) under Their name, the bank bends over backwards to remove the offending error and flaps furiously that such a thing could happen, AND IT WILL NEVER HAPPEN AGAIN.
Basically - If you have the money that such a thing would cause an issue they would get upset over, the bank won't let it become an issue they would get upset over. :(
The same as the anti-virus/phishing software being peddled by the banks directly via their online banking systems - I'd put money on the fact that the banks will try to deny liability if you don't use THEIR AV software rather than another reputable solution... It's all about passing blame and avoiding payouts.
In the early 1980s I was working as an engineer tracing a problem with duplicate transactions on cash machines. I saw on the news that night a spokesman for the bank I had been brought in to help, telling how people who were complaining of duplicate transactions were mistaken. It was fraud, it physically could not happen. It must be a family member, they MUST have told the PIN number to someone, it was not possible for the system to duplicate a transaction.
Yet there I was, working on a problem where duplicate transactions were being logged....
Trust them not.
I was ultimately able to opt out of this for one of my cards with a simple phone call (though finding the right number to call turned out to be less simple). What I don't know is what effect this has on my liability (or at least the liability that might be assumed before an ombudsman has to be involved). Not been able to do so for other cards as I can't find anyone to talk to with a clue.
Biggest problem is the implementation which embeds the request for additional information (or, most of the same information all over again....) within the merchant's website in such a way that you can't readily see where the information is being sent and therefore distinguish between a real and rogue merchant - it's basically an open invitation to phishing.
Not that poor security in card-processing should be a surprise to anyone by now...
Because VbV and SecureCode don't let you use the same password twice, and because they have such tight password requirements, I can never remember the password I have set with them, so I have to write it down, or change it every time (by confirming my DoB etc) I make a purchase...
Writing it down obviously isn't the best option :o)
Never mind a target for phishing, it's always looked like the most basic phishing attack to begin with. My parents, who I've managed to train quite well, refused to use it at first as it seemed dodgy. In their defence, it was a redirect that was neither the shopping site, a visa domain or indeed one of the bank's domain. It's very very difficult for the average Joe to identify a genuine Verified By Visa request.
It must be one of the most utterly useless security checks ever designed (maybe next to the 3-digit CVV code - all you're really doing is extending the card number from 16 digits to 19), especially as pointed out in the article it's trivial to reset the password.
If I remember correctly, way back in the early noughties when I was writing ecommerce sites and the 3-digit CVV was introduced, the instruction was that it was never to be stored anywhere in your DB, on pain of some kind of nastiness to your merchant account. I presume (but don't know) it's also not stored in a machine-readable format on the card.
Thus, the extra level of security this provides is not to turn a 16-digit number into a 19-digit one, but to guard against your card number being usable if a database where it's stored is compromised (quite likely at the time, having seen the sort of shoddy code being rushed out back then) or your card is skimmed.
So, in theory, if a card number is presented with CVV it is more likely that the person presenting it has (access to) the physical card, and less likely that they're using a card number stolen from somewhere.
I do recall having to tell coders who hadn't read the documentation that the CVV wasn't to be stored in the DB, so I'm assuming that there are various implementations out there that do store it and thus neuter it as a security measure - it's a slightly brittle solution in that respect.
You must never store the CVV number anywhere, ever...
PCI guidelines expressly forbid it - you even have to explicitly state you do not store that data to even get PCI compliance.
We hate VbV and Mastercard secure with a vengeance, and so far have resisted being forced into implementing it.
I think the Verified by visa scheme has just tipped me over the biological limit for remembering passwords. I just can't remember the sodding thing.
They really just don't get it. It doesn't matter how many usernames and passwords credit card companies and banks ask for IT'S STILL ONLY SINGLE FACTOR.
Can't the sods get together and make a token?
Yup, several times I've had to phone up the (un)helpline (which last time I tried found they're not 24/7, bloody inconvenient to say the least) because I couldn't remember the VbV password and entering in details as-printed-on-the-card along with DoB etc. didn't work, so now I've taken a new route to picking passwords for these annoying multiple-layer 'security' systems.
Swearwords.
Easy to remember because when you get to the 3rd password entry to buy something not even £20, your patience runs out and you start going "OHFORFUCKSAKE" so that's what you use as your password.
I have had a protracted battle with my Bank, First Direct, and VISA over this. First Direct claim it is VISA insisting on it, VISA claim it is First Direct. Despite many calls and emails i can find no one who is prepared to admit that they are responsible for the service, so not only is it pushing the risk to the customer no one in the banking world is willing to take responsibility for it.
I object most strongly to it as to use it I am forced to accept terms that I cannot adhere to. The conditions of sign up state that you must not write down or record in a recoverable electronic means the password. Doing so immediately makes you liable for any fraudulent use. Well I am badly dyslexic so failing to write the password down effectively locks me out. As dyslexia is a recognised disability by the equalities legislation I informed both my bank and VISA that they were discriminating against me. That's when the "it's their fault" pass the parcel started.
Right now I do not buy from any retailer who uses verified by VISA and am looking for a bank that does not use verified by VISA though so far no luck...
used OTPs but they were supplied in a small keyfob device. Press a button on the device and the screen displayed the next 6-digit code. The equivalent code was also generated on the server side to match.
I would be happy with such a device for consumer banking. Or maybe supply it as a mobile app.
I have one of those keyfobs too and am happy with the security it brings. You are right it should be brought to consumer banking too. However I wouldn't trust it as a mobile app, there's too much opportunity for a hacked smartphone to intercept the cypher key used in generation.
Also if the bank phones me they use the more trustworthy method of quoting half my postcode/DOB/security question and asking that I complete it. That is decent secret sharing and wish chip & pin machines did something similar.
As I understand it some of the securecode-type variants let an account holder upload a picture which is shown back to them at checkout to gain their trust. This is poor secret sharing as it's wide open to MITM attacks, mitigated further by the use of iframes.
(Thumbs up for one time passcodes)
I work for a major investment bank, and these are issued routinely to all staff so that we can access all systems remotely (when working at home, DR etc.).
And yes, the keyfob principle (6 digit code regenerated every 30 secs) is also available as an app on everybody's blackberry.
So good question, why hasn't this been implemented for consumer banking?
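The keyfob described in the posts above (a 6-digit code that changes every 30 seconds, regenerated independently on the server) is the time-based one-time password of RFC 6238. The following is an added example, not code from the thread or from any bank: the fob side and the bank side share only a seed and a clock, and the bank side also refuses to accept a code twice, so a code that was phished cannot be replayed inside its 30-second window. The seed value is the RFC's published test seed, used here only as constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const otpStepSec = 30 // seconds per code, as on the keyfob described above

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter,
// dynamically truncated to a 6-digit decimal code.
func hotp(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return int(bin % 1000000)
}

// totp implements RFC 6238: the counter is the number of 30-second steps
// elapsed since the Unix epoch, so fob and server agree without talking.
func totp(secret []byte, unixTime int64) int {
	return hotp(secret, uint64(unixTime)/otpStepSec)
}

// Fob is the device (or app) side: it needs only the shared seed and a clock.
type Fob struct{ Seed []byte }

// Show returns the code currently displayed on the fob.
func (f Fob) Show(now time.Time) string {
	return fmt.Sprintf("%06d", totp(f.Seed, now.Unix()))
}

// Verifier is the bank side. It regenerates the expected code independently
// and remembers the last accepted step, so a code that was phished or
// shoulder-surfed cannot be used a second time even while it is still valid.
type Verifier struct {
	Seed         []byte
	lastAccepted uint64 // step counter of the last code accepted
}

// Check accepts the code for the current step and, to tolerate clock drift
// between fob and server, one step either side; anything at or before the
// last accepted step is rejected as a replay.
func (v *Verifier) Check(now time.Time, code string) bool {
	step := int64(uint64(now.Unix()) / otpStepSec)
	for delta := int64(-1); delta <= 1; delta++ {
		candidate := step + delta
		if candidate < 0 || uint64(candidate) <= v.lastAccepted {
			continue
		}
		expected := fmt.Sprintf("%06d", hotp(v.Seed, uint64(candidate)))
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time compare
			v.lastAccepted = uint64(candidate)
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed (constructed input)
	fob := Fob{Seed: seed}
	bank := &Verifier{Seed: seed}
	now := time.Now()
	code := fob.Show(now)
	fmt.Println("fob shows:", code)
	fmt.Println("bank accepts first use:", bank.Check(now, code))
	fmt.Println("bank accepts replay:", bank.Check(now, code))
}
```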
You just call someone and claim to be from their bank. You tell them that before you explain why you are calling you need to know their DOB as a security check.
Sounds stupid and short sighted?
Yes - good ol' Barclays use that system.
Their Pinsentry seems secure but the problem with that is that I don't have my bank card with me when I'm using my computer. It's a right PITA having to get up to go and fetch it just so I can see my balances.
I always point out to them that I need characters 3, 6 and 9 from their PIN code. When they quibble I 'discover' they haven't requested one so cannot speak to them as they cannot verify their ID. 9 times out of 10 I know why they are ringing and deal with it in background and it has now progressed that they try to use a different security check system for me which comprises me answering details about my DOB.... well that is more secure then.
I have even prepared a 15 page document for an authorised person to complete to request a PIN but no-one has gone for it yet.
...but if someone phones me up and asks me for confidential information then I want THEM to be able to prove who THEY are. Usually I just say "Look, if you're really from my bank then I'll phone back and ask to speak to you - what's your name and department". They're only ever going to refuse if they're NOT who they initially claimed to be...
Bloody pain in the arse those things. In some cases you could just ignore them asking you, or in some cases use another card. But now I've had to give in otherwise getting hold of stuff would be a lot more difficult.
Though I agree 100% with the article, and many other previous Reg commentards, like the PIN it's just another way for the banks to shift the blame to the customer as they can't possibly be in the wrong can they?
Thankfully not every credit card company has been forced into this yet. This is why I like my RBS Mint Visa card so much - they don't use that daft "security" system. Instead they have an internal fraud system that works very well.
Last year someone used my card in the US. Only spent £1 on some Web Hosting, but Mint spotted this as dodgy and blocked the card straight away. When I phoned them to find out what had happened, I got a very helpful guy in Scotland who even briefly unlocked the card to allow me to complete one more payment from the old card before he issued me a new one.
(Darn... now I am sounding like an advert...) If RBS can avoid this stupid system, and instead pay people to actually create a system that properly tracks fraud - why can't the other banks?
What doesn't surprise me is watching my clients trying to use this system with their cards. You see them forget the passwords, or write them onto the card (!!) This "security" is a joke and too easy to reset. (And I have lost count of the number of times clients have given up on a purchase due to VbyV breaking...)
Surely a more secure system would be for the customers not to provide card details to retailers but use the ability of Public Key Encryption to transmit the information securely.
eg.
Customer visits website, fills up basket and proceeds to checkout.
At checkout customer completes name, address, delivery address , cost, card type before proceeding to payment.
At payment, the Customer's Browser generates an encrypted message (using the public certificate of Card Vendor) consisting of the name, delivery address, cost, card details and a random string of characters from the web site's public certificate which is then sent to the retailer.
The retailer stores the encrypted message with the customer order details as payment method
The retailer then encrypts customer name, address, delivery address, card type, cost and customer generated message to the Payment Clearing Centre.
The Payment Clearing Centre decrypts the retailer message and uses the Card Supplier Type details to know which Card Supplier needs to process the request.
The Card Supplier receives the payment request details from Payment Clearing Centre which decrypts the Customer message, verifies the Name, Address, Delivery Address, Card, Total details against its records and the vendor supplied details. Authorisation for payment can be made to the Retailer.
In terms of refunds the Retailer can use the Customer encrypted message to return money onto the card, this encrypted message would automatically expire after a year.
"At payment, the Customer's Browser generates an encrypted message (using the public certificate of Card Vendor) consisting of the name, delivery address, cost, card details and a random string of characters from the web site's public certificate which is then sent to the retailer"
How are you planning on encrypting/signing a message using someone else's public cert?
The point of the public cert is that you use it to decrypt an encrypted message that was created/signed with the equivalent private cert. The cert holder keeps a tight hold of their private cert, because otherwise they're allowing anyone to impersonate them.
I'd love to be able to generate signed messages pretending to be Barclays or Lloyds or HSBC just because I had a copy of their public cert. I'd be filthy rich by now if I could do that :-)
"The point of the public cert is that you use it to decrypt an encrypted message that was created/signed with the equivalent private cert."
You've reeaaally missed the point of PKE. It works in two ways, both "signing" or "encrypting", but essentially the same thing.
If I give you my public key, then two things can happen:
1) You can encrypt a message with it. It's a one-way function that cannot be decrypted without knowing the private key. I am the only person that can decrypt it
2) I can encrypt/sign a message with it. Anyone can read it with the public key, but know that only the private key holder could have encrypted/signed it.
The clue is in the name - PUBLIC key.
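The two directions the reply above distinguishes are exactly what the earlier proposal needs: the customer encrypts the payment details to the card issuer's PUBLIC key (only the issuer's private key can open them, so the retailer forwards the blob without ever seeing the card number), and the issuer signs its authorisation with its PRIVATE key (anyone with the public key can check it). The following is an added example in Go, not code from the thread or from any card scheme; the issuer key pair, the message layout, the OAEP label and the card number are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentMessage is the customer's payment detail, sealed so that only the card
// issuer (holder of the matching private key) can read it. The retailer stores
// and forwards the ciphertext as the "payment method" but never sees the PAN.
type PaymentMessage struct {
	Name            string `json:"name"`
	DeliveryAddress string `json:"delivery_address"`
	CostPence       int    `json:"cost_pence"`
	CardNumber      string `json:"card_number"` // constructed test value in this example
	Nonce           string `json:"nonce"`       // random, so two identical orders seal differently
}

// RetailerRequest is the retailer's own view of the order, forwarded to the
// issuer together with the customer's sealed message.
type RetailerRequest struct {
	Name, DeliveryAddress string
	CostPence             int
	Sealed                []byte
}

var oaepLabel = []byte("card-payment-v1") // hypothetical domain-separation label

// newIssuerKey generates the issuer's key pair (a real issuer would publish the
// public half in a certificate; this is an assumption of the example).
func newIssuerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealForIssuer is direction 1 above: anyone holding the PUBLIC key can encrypt,
// only the PRIVATE key can decrypt. The customer's browser would do this.
func sealForIssuer(issuerPub *rsa.PublicKey, m PaymentMessage) ([]byte, error) {
	nonce := make([]byte, 8)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	m.Nonce = hex.EncodeToString(nonce)
	plain, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	// RSA-OAEP/SHA-256 with a 2048-bit key takes at most 190 bytes of plaintext,
	// enough for this compact message; a larger one would need hybrid encryption.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, issuerPub, plain, oaepLabel)
}

// openAtIssuer decrypts the customer's message. Note the parameter type: the
// standard library will not even let a public key be passed here.
func openAtIssuer(issuerPriv *rsa.PrivateKey, sealed []byte) (PaymentMessage, error) {
	var m PaymentMessage
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, issuerPriv, sealed, oaepLabel)
	if err != nil {
		return m, err
	}
	err = json.Unmarshal(plain, &m)
	return m, err
}

// Authorise is the issuer-side check from the proposal: what the retailer
// claims must match what the customer sealed, so a retailer (or anyone in the
// middle) that alters the amount or delivery address is caught here.
func Authorise(issuerPriv *rsa.PrivateKey, req RetailerRequest) (PaymentMessage, error) {
	m, err := openAtIssuer(issuerPriv, req.Sealed)
	if err != nil {
		return m, errors.New("cannot open customer message: " + err.Error())
	}
	if m.CostPence != req.CostPence || m.Name != req.Name || m.DeliveryAddress != req.DeliveryAddress {
		return m, errors.New("retailer's order details do not match the customer's sealed message")
	}
	return m, nil
}

// signDecision and verifyDecision are direction 2 above: the issuer signs with
// its PRIVATE key and the retailer checks with the PUBLIC key, so holding the
// public key alone lets you verify an authorisation but not forge one.
func signDecision(issuerPriv *rsa.PrivateKey, decision []byte) ([]byte, error) {
	h := sha256.Sum256(decision)
	return rsa.SignPSS(rand.Reader, issuerPriv, crypto.SHA256, h[:], nil)
}

func verifyDecision(issuerPub *rsa.PublicKey, decision, sig []byte) bool {
	h := sha256.Sum256(decision)
	return rsa.VerifyPSS(issuerPub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	issuer, err := newIssuerKey()
	if err != nil {
		panic(err)
	}
	order := PaymentMessage{Name: "A. Customer", DeliveryAddress: "1 Example St", CostPence: 4999, CardNumber: "4111111111111111"}
	sealed, _ := sealForIssuer(&issuer.PublicKey, order)
	honest := RetailerRequest{Name: order.Name, DeliveryAddress: order.DeliveryAddress, CostPence: order.CostPence, Sealed: sealed}
	_, err = Authorise(issuer, honest)
	fmt.Println("honest request authorised:", err == nil)
	tampered := honest
	tampered.CostPence = 49999
	_, err = Authorise(issuer, tampered)
	fmt.Println("tampered request rejected:", err != nil)
}
```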
For many years the credit card companies have been doing their damnedest to put the blame on the customer (or even the retailer). They're doing their best to (legally) wriggle out of their legal responsibilities.
Can I claim a degree from Cambridge Uni, 'cause I worked out the lack of security in verified by visa years ago.
It CREATES an op for fraud. If the check fails, you have to phone them and cough up your details!!! So anyone can just put the VbV page, have it 'fail' and collect...
I have never seen a more pathetic financial 'value added' 'feature'. It adds no value, whilst wasting my time. Moreover, SOMEONE is paying for this 'free' 'service' (pain in the arse)... Now who could that be?!... Oh, ME and YOU and all card users. it costs users money indirectly (to administrate - even if part of those costs are borne by retailers, the cost is INEVITABLY passed...). We pay for this 'free' 'service' - that does no good.
I challenge you to find a customer that this ever did any good for. It is a pain for users, a pain for retailers. It offers no value, it doesn't do what it says on the tin. It is total shy T.
Just a 'value added CON'. A way for someone somewhere to justify more charges under the pretext of it being for our good.
Thanks but no thanks. Or better still; shove it! Classic 'trick'. Exactly the sort of thing that made CC comps famous. Offering stuff for free and in fact collecting money for it through a back door designed into the system.
In the article, John states that
"DOBs are readily available on the public record (in the UK at least)."
I am most curious as to what kind of public record is referred to, are there any further details that can be shared on this front?
As in, how would one go about finding a person's date of birth, what kind of information would be required? I would like to know how readily available my DOB actually is!
Searchable indexes to UK births, deaths and marriages are widely available. For example, the births index shows only your name, the quarter and year of your birth, and the district your birth was registered in.
Getting a copy of your birth certificate from the General Record Office costs £7 and if you were born within the last 50 years, you must supply your date of birth, actual birth place and your parents' names including mother's maiden name.
This step always gets me...especially since passwords cannot be reused...ever! Normally I just enter a string of expletives as the new password, but obviously don't 'remember' my rage for next time.
Banks are going down this route too, with pointless "security" software which is specifically designed to say "well, we did all WE could do... you must be liable!".
A complete waste of space...as are the mini plastic card readers many are forced to use to carry out online banking. Externalising the cost of security to users while saving money on telebanking and their awful branch services.
Argh, I really really hate this bloody Verified by Visa thing, it fails so often it's unreal. On the other hand it has saved me quite a bit of money as there's been more than one occasion when I have gone to pay for something online, that box pops up just as you think you're all set and done, and then it fails to reload, or doesn't say if it worked or not, or the page just goes blank.
And then I'm not sure if I've paid or not and just give up on it. I think I'm going to have to get a new type of card actually. Presumably you can't request the bank to turn it off for your card?
I originally had it turned on for my card, then forgot the password. When I found out how crap it was I phoned up the bank and the woman was very helpful, asking me why would I want to remove a layer of security. I then walked her through how easy it was for me to reset her password and not only lock her out but to also buy stuff; she quickly removed it from my account.
It's so obvious really: you've got code that depends on a hidden javascript form activation to complete, often running in an iframe. It's a bitch for developers to set up and undermines security in many ways, especially for end users running a good prophylactic plugin like NoScript to prevent their machines being exploited by malicious client-side code.
It's plain wrong and if the big card processors are genuinely more concerned with the security of their users' cash than with deferring the liability of fraud then they should get together and develop something that can be permanently integrated into the browser framework and enforces the security of the transaction, like a bank-centric version of HTTPS that can't be easily spoofed.
Wake up and smell the coffee.
You didn't have to be a "security researcher" to see that "Verified By Visa" was a pile of poo right from the first day it was introduced. Why has it taken so long for someone to point this out?
The very fact that anyone can reset it and apply for a new password if they have both the card and very basic personal info makes it a totally pointless extra hoop to jump through while shopping online.
....businesses don't use these added features.
The number on the back, which protects you against somebody getting hold of an old-style carbon-copy from the days of physical card machines, still isn't used by some American internet traders.
The deals go through.
A few months ago I went to a petrol station in the US. The pump wouldn't work, so I went inside and was told I needed to insert a credit card in the pump to start it, regardless of whether I wanted to pay at the pump or not - I imagine to stop people driving off without paying.
I went back to the pump and put my card in. It seems they don't have the number on the back, so they instead ask for your numeric zip code, which I don't have as I live in the UK.
I went back in the shop and had to hand over my card whilst I filled up (again, presumably to stop people driving off). When I finished I went to pay, she swiped my card and gave it back to me. That was it, without signing or anything. It appears they don't care if you pay with a stolen card, as long as they get the money!
the pumps here work fairly well... by entering your ZIP code (like a postcode but 5 digits) they can confirm against the billing address. If someone has stolen the card that information is possibly less easy to identify than the CVN which is on the back of the card
When you leave your card inside while you fill up (interesting twist that... normally when I've had to go inside they swipe the card there and then to pre-load a $ amount on the pump) I guess they could verify with the card number and CVN (but I doubt it)
Most transactions below $25 in food and petrol places you don't have to sign for on Visa.
It came as a real shock to me recently when I was back in the UK and couldn't pay at the pump but I guess the Brits still like their queues and face time (off topic: the petrol station had at least 3 cameras I could see inside the store as well as the ones outside - the US doesn't make me feel like a prison inmate just to put fuel in my car!)
This "convenience" is just to make face-to-face transactions as liable to the customer as web transactions. Most transactions are under $25 (in the US) and it is a price break for liability/return for the cards... so they make it more "convenient" by not requiring you to sign for under that amount.
However, under the terms and conditions, if you don't sign, THE CARD IS NOT LIABLE *AT ALL*, as the minimum security verification of checking that signature is unavailable. So, as long as a thief doesn't get anything more than $25 at a time (say a CD, dinner, gas - half a tank, though), you are liable for those transactions. Listen to those adverts next time when they wax lyrical about "not being held responsible for fraud"... you will hear or see the caveat of "signed transactions" somewhere.
Again, the cards make you liable at your own expense instead of protecting you. They only protect themselves from liability. Convenient, eh?
When I was asked for my zip code I just put '111111' in and the transaction proceeded without a hitch. That was a couple of years ago on a tour of Yosemite and the San Francisco area. I well remember the shock on the first fill after a day's driving. It cost so little ($25 I think) that I thought the pump was faulty :)
Maybe they've tightened things up by now but I wouldn't know. The last couple of times it's been a company hire car and I've never driven far enough to need to fill up. When 'Da Boss' is picking up the tab you might as well just drop the car off and let the rental company charge for the fill :)
The 3dSecure system does have some merit. I have one credit card that is used extensively for online purchasing. If fraud appears on this card then without 3d secure all I have is the claim that one of these web sites has leaked information and it has then been used elsewhere. With 3dsecure I can point out to the credit card company that they have either accepted transactions without a password from someone who knows public information about me or accepted a change of password from someone who knows public information about me. This puts the legal ball solidly in their court instead of the unknown one of many web sites that would otherwise be the only culpable entity.
As far as I am concerned this system worsens the credit card company legal position against the customer as they can no longer offload the issue to a customer versus web vendor dispute claiming they are an innocent intermediary.
Another problem with Verified by Visa is that it requires you to globally enable JavaScript to work. Many people disable javascript by default for security reasons. So in order to implement one security method (VbyV, which we're now told is worthless) you're required to disable another security system (NoScript, etc, which is proven to prevent a wide range of nastiness).
Demanding banks change their ways! LOL! You research lads are bloody funny!
Listen Cambridge based pillocks, the only reason for the banks to invest in anything, absolutely anything, is if they get a profit from it! It's that simple! Nothing more, nothing less! Got it?
The banks only do things for customers if it's in the bank's interest to do so, and ultimately if there is some money to be made. Overdrafts being a classic example, the bank lends you money, you pay it back with interest or a fixed charge.
The bank ALWAYS wins, despite anything you want, the bank ALWAYS gets what it wants!
It's worrying that the notorious Paypal is more secure than something put together by the largest credit card company in the world.
Of course the worst part is the password reset procedure and it would be so easy to make that more secure without inconveniencing customers.
We all know that the banks will fight tooth and claw against giving refunds where VerifiedByVisa has been (easily) bypassed, but has this ever been tested in a court of law? I suspect that a successful legal challenge to this sharp practice would prompt a hasty redesign of the whole system. The only reason VbV exists is to blame the customer for the fraud.
Yes it's a PITA but many merchants, including us, had little choice but to implement it or stop accepting Maestro transactions - it is now mandatory for anyone processing Maestro transactions to use Mastercard SecureCode for those transactions (and has been since June 2009 ... although the original deadline was June 2007, nobody implemented it and it slipped).
Last year, however, Mastercard put pressure on the merchant banks and we received a lovely letter from ours saying that if we didn't implement 3D Secure (for Maestro transactions) in the next 2 months we could be liable for a £20,000 a month fine - however, if we DID participate in the 3D Secure scheme then we'd get a greatly reduced cost-per-transaction rate for ALL transactions made using 3D Secure... so since we had to implement it anyway...
The thing is though - it does NOT push liability back to the customer, but to the customer's bank (arguably this could result in higher bank charges and the customer paying in the end but still... ); it doesn't make the customer any more liable than they were before. For once, the banks aren't entirely to blame - they're accepting slightly higher liability - it's the credit card companies (Visa and Mastercard) that pushed the change because, previously, THEY were liable for fraudulent transactions - there was no real incentive for the banks themselves to get their shit together.
About the only up-side, really, for the 3D Secure system is that any merchant participating in the scheme must comply with PCI regulations - part of which covers a certain (minimal) level of security and penetration testing - which means the legitimate sites might be a teeeeeeeeny little bit more secure (if they're small operations) and Bob Haxxor of badsite.com has to just work a little bit harder to make his site look convincing - oh and it takes an extra couple of minutes to get access to the card holder's date of birth so that you can use that stolen credit card.
So it _is_ more secure - in the way that attaching a parachute with two strands of hair might be safer than just one - but it tries to imply a much greater level of security than it actually imbues which is never good.
SecureCode / Verified by Visa is not mandatory for Maestro transactions. At least not in the UK. We were asked to implement it by our payment processor, and once we had read the spec and finished laughing, we told them to forget about it. Enough of their clients told them the same, and as a result we don't implement it - nor do we get charged extra on our transactions (as some processors do if you opt out).
I'd hazard a guess that you're working for a bigger operation than CD001. If you're a big enough customer of the banks, you can tell them to sort their shit out or you'll take your business elsewhere - the smaller operations (which may still be very substantial businesses) don't get that luxury.
It's the old story - if you owe the bank £100K and you can't make the payments, you're in trouble - if you owe them £100mill and can't make the payments, THEY'RE in trouble!
Does anyone else have problems with VbV and a joint account? VbV seems unable to distinguish between my cards and my wife's to the effect that when paying with either debit card it always asks for my VbV password but when using either credit card it always asks for my wife's details.
The bank claim that it's a problem with the merchant not implementing VbV properly but since the problem occurs for all merchants I've ever encountered I'm a bit sceptical.
Binned our "OpenWide" account because of this VbV arse... card details were taken from somewhere, no idea where as I only buy from about 10 sites. Anyhow, VbV was reset... off they went shopping around various clothing sites. "OpenWide" didn't block the card at all and processed the lot of them, £2k worth, even though they were in China!
When reported to "Openwide" they didn't consider them to be unusual at the time, like WTF, and also hit me with a £20 overdrawn charge for the pleasure!
I asked if it was possible to limit transactions so they can only ever be authorised in the UK but apparently they can't do that?! Probably around companies offshoring transactions no doubt.
This is the same company that when I want to transfer £5 between accounts I need to have the physical card, a stupid card reader and enter my PIN.
Needless to say, demanded £20 back and account closed and good riddance...
I registered as a consumer a couple of months ago when I had to buy something from Tesco.com (damn hard to get cheap new CD-Cassette players nowadays). I tried to use a password with non-alpha characters, but it wouldn't let me. Can't remember if it allowed a long passphrase or not, but I just hope I can remember my password next time I need to use VbV, cos I've only had to use it once since I had to register.
My bank, a large southern US institution with a <ahem> sunny, trusting attitude </ahem> have a particularly unpleasant way of trying to force me into VbV.
Every time I try and make a transaction on a VbV enabled site, I remember that VbV is a pile of steaming shit and click the "not now please" button when it tries to convince me to enrol mid-process by entering a few details that literally dozens of companies and agents, etc, know about me. The transaction always appears to complete as normal but within an hour or so, I get a callback from the bank telling me that "suspicious" card activity has been detected and I then have to confirm the transaction with a call centre idiot instead.
So refusing to join a poorly thought out, poorly implemented programme that's nothing more than security theatre is now, apparently, 'suspicious'.
Ross Anderson has come up with some research that suggests that banks' security is crap? Really? It's not as if he has a track record of making claims of this nature, while not being able to show any real world exploits. Oh, hang on...
I've read the paper and while he makes a couple of good points (use of iframes in particular), he doesn't point to a single real world exploit of the system, or anyone who claims to have been made liable for fraud on their account, because of 3DS. He makes various throw away comments, without references, such as "this paper has shown that systems such as infocard and openid, had good engineering..." when they've done nothing of the kind. He also asserts that RBS have made poor security choices, without backing up this claim in any way. He also mentions the economics of security, again without making any further reference to why this may be important.
You miss the point. As a techie, my complaint is one that seems to be echoed in the Cambridge report, that VbV adds no security to the transaction process. Instead, it requires an implementation that is remarkably similar to that used for some cross site scripting, embedding an iframe into the host page that's hosted off of an obscurely named server. This encourages users to accept something that should start ringing alarm bells.
This 3d secure crap typically comes up in a small frame inside of whatever site you're using, with no way to easily verify you're really talking to mastercard/visa...
I find the whole system just incredibly irritating, and I will always seek to use my american express card online whenever I can simply because it doesn't have anything like this...
Every time I hit the dreaded VbV page I do a double-take - it looks utterly shonky as if it was knocked together by some script kiddie. Wonky fonts and justification, the company logos haphazardly placed on the page. If it at least looked like the public face of a faceless private corporation it would be mildly reassuring.
When I try to make any Visa payments to Edinburgh Council (ie Council Tax payments) I am automagically taken to the TSB page to enter my password and security details before the transaction goes ahead.
Net result: Unless you know my password AND passphrase then you can't use the card to pay Edinburgh Council. That pleases me.
What I am not so impressed by is that there are only two sites I have EVER visited who bothered with this method...
Now, I know that's not VbV - it's better! So why does anyone want (or need) VbV? Everyone thinks it's shit.
My Co-op bank cards (credit and debit) don't require this crap. Are there any others that don't?
I also have a Nationwide credit card. When I first tried to use it online I got an iframe coming from "securesuite.co.uk", which looked a bit odd. So I phoned Nationwide and asked if they had outsourced their VbV backend to this company, or if there was any other reason why I was being asked by them for my Nationwide details. They said that no, this was nothing to do with them. So I abandoned the transaction. I now only use that card in shops.
If you're lucky enough to have avoided using VbV until now, you can continue to do so, even if a site prompts you to sign up:
Complete all the details on the first page of the signup (DoB, email address etc) and hit continue.
On the second page, there's a "Cancel" link at the bottom right.
Hit that and you'll be cheerily returned to the merchant where your transaction will have completed, and you still won't have a VbV account.
Has been working for me for the past few years...
I have several cards. Two require verified by visa, so those don't get my online business. Vote with your feet. American Express is a good alternative (I got 80 quid cashback for taking out the card, and nectar points for using it), and I have another for sites that don't like Amex.
Nationwide has also lost my business, as they now require ten different auxiliary passwords, such as "your favourite pop song" and "your favourite film". I pointed out that people who actually have such favourites are likely to change their choices more often than the question will be asked, but apparently they can't see it.
I note that most smaller vendors are running websites on shared hosting that is not PCI DSS compliant. But the servers and routers are configured so that the security sweep is passed.
Unfortunately, my reading of the PCI DSS spec leads me to believe that a Merchant is not actually verifying that they are compliant by passing the security sweep.
Indeed it is my belief that should fraud be committed via your site, the bank could throw the book at you due to all the procedural issues not to mention technical issues that are covered by the spec, but are not proved to be safe via the security sweep.
Indeed, in my opinion, this entire system is designed so that banks can once again blame merchants, because they have signed on the dotted line, assuring said banks that their systems are secure.
My advice to my clients is to use a payment service that does all the payment magic on their network (not on their shared hosting), and that the service is PCI LEVEL 1 compliant. That way, you can self certify with all confidence (then if the bank blames you, you can blame your PSP).
Is my reading correct in this? I'd love to know!
At least not by all. newegg.com always prompts me for VbV, but recently I've been using NoScript to disable JavaScript. When the VbV window popped up, it was blank, and I couldn't do anything. I relogged in to find my order wasn't there yet. So I chatted w/ newegg, and they said just to ignore it, it isn't required. Sure enough 10 minutes later the order was there and it went through. So, just ignore VbV, apparently it isn't required.
Beer because we all need more. :)
Yup. We had a card password changed without our intervention. I've posted about this before; luckily I noticed the password change notification email go past the mail server for one of us on a day we'd never have checked the email. Quick call to A&L. Of course it's their system that was breached BUT they still had to replace the card! All because it's too easy to change the password.
Fortunately this seems to have permanently disabled VbyV on that account as it seems to never get triggered.
I have found on occasion that if NoScript is running/enabled at just the right level the VbyV appears to seamlessly fail while allowing the transaction to complete. This may be another shoddy aspect of its implementation.
Agree totally that it resembles (is?) a dodgy cross site script and uses stupid URLs. Why not use VbyV or something well known. What's funny is the real low end third party processing sites used by small traders (things like protx) actually look/feel more professional.
Ms Hilton as even she'd verify your identity more thoroughly than the banks.
I hate the VbyV thing... very early on I worked out how to bypass it. It's still time consuming, but works 99% of the time:
Simply enter your CCV and DOB on the first dialog as requested, on dialog #2 where it announces ITS choice for YOUR username, and asks you for a password, simply click on the little 'cancel' link at the bottom. This cancelling is never forwarded to the vendor, and your transaction will go through as normal. I do this all the time, and have only had it fail once. It's still very annoying, but at least I'm not giving yet another database my card and other personal details.
Also, I've noticed that some card companies issue the 2nd cardholder a clone of the primary cardholder's card, complete with identical numbers - this screws up VbyV and Mastercard's Secure thingy, as you are effectively asked to create a joint username and password system - something that is explicitly prohibited in the T&Cs of the card agreement. ;)
Doesn't really matter whether it's VbV or not, Visa are just a bunch of clueless wankers.
Case in point - I try to buy a lappie online (Dell) while on hols as it's on sale. I proxy through our home server so there's no alarm bells ringing due to foreign IP addresses. Result - rejected. I get back home and enquire what the fuck they think they're playing at - to be told that it was a suspicious transaction involving computer equipment. I point out (patiently this time) that the credit card has been used for sod all other than computer equipment for years. I then tell them exactly the amount and the merchant that will be presenting the transaction. I tell them that this will be happening in an hour. Result - exactly the bloody same. Rang again. Same. This went on until I told them that if it happened again I'd be closing the account - and all other accounts with the issuing bank (First Direct again). That worked for now.
Fuckwits.
I got troubled by VbV for the first time in AGES when doing an Argos order recently. Totally forgot my password and, as these banking things can be very varied (e.g. Lloyds make you choose a 6-digit number) and there were no clues, I didn't even know where to start. After making a few fairly random stabs at well-worn passwords I gave up and requested a reset.
Which was far too bloody easy for my liking. All it wanted was AN email address (NOT sending to the one registered with my online bank, which issues my Visa card), and my MONTH of birth, which must be so bloody easy to get hold of I could probably stop a local chav in the street, bet that he couldn't find it out independently within a half hour, and lose.
And we wonder how the banks ended up making so many fundamental mistakes that they nearly failed? Even Yahoo mail has better security than this... and one account is still registered to a "real world" address I haven't used in over 10 years.