Merchants and punters cry foul over Verified by Visa

The Verified by Visa system is becoming harder to avoid, even for those with real doubts about its effectiveness in combating fraud. The experiences of Verified by Visa refusenik and Reg reader Steve reported in our earlier article on the system are being experienced by more and more Register readers. Both Verified by Visa ( …

COMMENTS

  1. Ginger
    Coat

    Use Amex

    They don't have one of these pointless schemes, so you don't have to fret. Of course, you have to find online stores that *take* amex, but that's getting better these days.

    Mine's the one with the card skimmer in the pocket

  2. Anonymous Coward
    Anonymous Coward

    God these things irritate me

    I've got a few domains at 1&1. Last time I updated my credit card details the page was redirected to some unlikely URL which half-loaded some shonky looking box asking for personal details. Obviously I called them and was surprised to hear it was real. No opt out, no added security benefit, totally pointless and a real irritation. Does Shopsafe, etc allow one to avoid these things?

  3. Anonymous Coward
    Paris Hilton

    3D Secure.....

    Is not hinting at 3 factor authentication but the 3 Domains that are involved in the transaction process. The Card Scheme, The Issuer and The Acquirer.

    Perhaps research these topics before you right a 2 page article on them.

    Just a thought.

  4. Anonymous Coward
    Thumb Down

    Bank pressure to use it

    3D-Secure sucks.

    Our bank is applying a lot of pressure for us to implement it on our website, threatening large fines if it isn't implemented soon. From our perspective, it offers us no benefit and presents an obstacle to our users paying online (it's so poorly implemented it looks to the average punter like a phishing attack). Additionally, it offers little or no extra security and the service is completely unreliable.

    We're holding out as best we can, but the pressure on the merchant to implement it on pain of fines is plain shitty.

  5. Nigel Wright

    You have to question the kind of fugged up thinking...

    ....that goes on behind such policies.

    Poor security like this is as bad as no security because of the negative impact a breach of said security will have. Just what is the point of a 3rd tier that can be so easily broken? I could conceivably gain control of the accounts of any of my friends without them knowing in a matter of minutes.

    What sort of fools think these schemes up?

  6. Matt

    As you say

    not more secure, just an excuse for the bank to try and disclaim any liability.

  7. AJames
    Thumb Up

    Totally agree

    The notion that VbV and Securecode are adding any real security is ludicrous. The popup window that appears asking for my confidential information could be coming from anyone - there's no way for me to verify it. And once the information is given out in the course of a purchase, I can't believe it's secure any more. I'm supposed to just trust that the information I entered while purchasing from Merchant X went only to credit card site Y? Give me a break!

  8. Anonymous Coward
    Anonymous Coward

    works fine for me

    stop QQing

  9. Andy Livingstone

    Sodding Banks

    Thought they needed our billions to get recapitalised - not to keep on playing silly buggers.

  10. Skinny
    Black Helicopters

    Surprisingly

    The first time I encountered this 'system' was when I was purchasing a Bletchley Park T-Shirt from El Reg's own Cash 'n' Carrion.

    I was very dubious about the pop up, and it meant an otherwise 5 minute purchase took closer to 30 minutes, as I checked and double checked URLs and owners of IP addresses etc.

  11. Anonymous Coward
    Anonymous Coward

    Even the banks don't know what it's for

    First time I used Verified by Visa (on dabs IIRC) I didn't know what it was, but went through the process and it worked.

    I then started to get twitchy, and wondered if it had been some clever phish. So called the card help line, who didn't know what it was either and THEY insisted on cancelling my card.

    It turns out it was all legal and above board, but the call centre had no idea what it was.

    Here's a thought tho. If the banks were even keener to cancel credit cards, we wouldn't be in credit crunch now!!!

  12. Anonymous Coward
    Thumb Down

    avoids all fraud

    ok, it doesn't avoid fraud really:

    1. you steal a credit card

    2. you buy online where they request 3d secure details

    3. you sign up for 3d secure - normally having the card to hand is all you need

    4. get free stuff

    (this is scuppered if they have already signed up to 3d secure - but why would they? - to create more hassle while buying online?)

    best way to take advantage of this is to setup an ecommerce website and all those nice stolen cards used as above will have payments that will have to be honoured, so you get the money :-)

  13. Anonymous Coward
    Anonymous Coward

    invulnerable? it's child's play

    So I set up a website, and operate a man-in-the-middle attack on VbyV. End user is none the wiser since they see a page identical to one they're expecting (including their secret message that PROVES(!) they are seeing the real page as served by Visa), and I get their details whilst actually processing the transaction for real. Just need to insert a couple of "auth failed" pages so I can ask for each of the letters of their passphrase 3 at a time, and I'm done.

    Piece of piss. The banks should sack their security idiots...

  14. Roberto Hortal

    Recommendation or mandate?

    I run a large transactional site in the UK. Interestingly the message I've got is not that issuing banks are deciding individually to mandate these schemes but that Visa themselves mandate VbyV and will fine non-takers (merchants). I'd be interested in other readers' experiences.

    Myself, I just use my Amex when shopping online. No hassle with passwords, no worries about phishing and cashback on top. Beat that, 3D secure.

  15. Rande Knight
    Stop

    Ditto

    And then there's the wonderfully secure signup procedure to set your password - gee, no one would know my mother's maiden name (the same as mine after the divorce!)

  16. JakeyC
    Pirate

    A glimpse of the future

    Organisations such as Visa who promote their security systems as near-infallible and then refuse to believe genuine claims from victims on the grounds that it's 'impossible' to be broken give us a glimpse of the future ID Card fallout.

    Obviously UK.gov won't cough to any 'holes' in the system so when (not if) the cards are cloned/forged/stolen by terrorists/pirates/chavs and the victim goes to the Govt. to complain, they'll be told they can't have had their ID stolen as the cards are totally secure.

    Cue people being sectioned in secure units for believing that the ID card system could be fallible when everyone knows that's impossible. A bit like Sarah Connor when she insisted that Arnie and his ilk were on their way.

    Da-dum dum-dadum

    Da-dum dum-dadum

    Da da daa

    da da da

    Da da daa

    da da daaaaaa daa

    da da daa

    etc.

  17. Jez Caudle
    Go

    I have implemented this ...

    ... where I work and it wasn't easy.

    To avoid the phishing attacks most banks allow you to add a phrase that is displayed every time the 3DSec box appears. I have set this up with all my cards as I opted in so I could test the system I was building.

    Most banks ask for the whole password which a key logger would get. But if your OS is full of security holes that is hardly the bank's fault. What is the bank's fault is the moving of the liability from the CC company basically to you. It was explained to me that successful 3DSec makes it almost impossible for a person to claim fraud, the only defence being "that someone was holding a gun to my head"!

    My cousin runs an airport transport service. He picked up a party of 15 who had pre-paid via CC. 6 months later the money was removed from his account as the CC owner claimed it had been used fraudulently. My cousin worked his nuts off to prove the guy had used the service. He is loving 3DSec, now he doesn't have to photograph every punter who uses his service as he requires 3DSec.

    When we forced users to use 3DSec here our sales plummeted, so unless the bank says that payment can not be made unless the person goes through it - we don't do it. The amount we lost in legitimate sales was huge compared to the amount of fraudulent sales, which was and still is negligent.

    For those that do not like Sec3D, can you please stop complaining and suggest an effective, secure alternative please?

  18. Anonymous Coward
    Pirate

    Good article

    Well written.

    BTW, can't you just always tell the ideas that start in a board room, vs. the ones that come from engineers?

  19. Anonymous Coward
    Thumb Down

    ARG

    God I hate VbyV, it's one of the most painful things ever. What's more annoying is that the site sometimes doesn't seem to work with my install of Firefox (probably noScript) so I've lost out on tickets with Ticketmaster (another REALLY poor site) and all sorts of internet payments.

    Just give us all a secureID type dongle, or build something like it into the card. (maybe with an rfid in there that pushes out the code when it powers up, then you'd just need a cheap reader on the PC. How hard is that?!) Just anything than this damn mess we have now.

  20. bbchops

    noscript

    was convinced this was a cross site scripting attack when I tried to buy pizza off the internet the other night. I was certainly very unsure about filling out the crappy-looking form the first time I was presented with it.

  21. Anonymous Coward
    Thumb Down

    Loss of sales

    As a vendor, my issue is with the approx 25% fall through rate on almost entirely completed transactions once implementing 3D secure at the insistence of our gateway provider. This is because the whole 3D secure 'system' is not being marketed or publicised by the card issuers, so the first thing a punter hears about it is a scratty looking pop-up when he/she first stumbles upon a sales site using it.

    It does look like phishing, it asks too many sensitive questions like d.o.b. and maiden name.

    The card issuers should make the registration to the 3D secure scheme the responsibility of the banks, not us sucker vendors who have to suffer lost sales while 'promoting' the benefits of the scheme as best we can.

    I'm sick of it and wish there was a way we could de-implement 3D secure, but Protx will not allow us to process Maestro cards unless we use 3D secure.

  22. Stevie

    I don't understand

    Credit cards are fundamentally an insecure document. The whole point is to divulge all the secrets that anyone cares to layer onto them. The issue is really one of identifying whether the card is being used by the person that owns it or one of their nominated agents. This can never be ascertained over a computer link or a phone line. It wouldn't matter how secure the connection, the fundamental problem doesn't go away, and the real worrier is that banks are subtly swinging towards a "card always is in the hands of the owner" assumption, leaving the owner with the bills when this isn't the case.

    What is required is a massive bottom-to-top overhaul of the whole sorry mess. The card owner should be able to select just how secure they want their card to be (with the understanding that the more secure, the harder to use) and offset that against how much of the damage they will assume in the event of a fraud. The banks should be offering to place the same credit fraud alert practices at the disposal of the card owner, for a reasonable operating charge of course.

    That way, if I am paranoid about my card use (and who wouldn't be?) I can have myself phoned every time a charge is made against the account and verbally OK it or challenge it. Yes it is cumbersome and yes it will be more expensive to implement, but it doesn't involve any technology that isn't already available.

    Next, the banks have got to stop letting their employees get talked into divulging personal details of account holders by phone, no matter how heart-rending or oily the caller is. The vast majority of bank fraud starts with someone talking a bank employee (who is trained to know better) into changing a credential over the phone.

    As for this nonsensical "Verified (my arse) By Visa" scheme, opt out as a consumer by phoning in your order or doing without.

    One good outcome of the recent credit squeeze is that the mountain of dangerously fraud-prone "preapproval" mailings for credit cards delivered my way has died from about two a week to nil. My spending patterns haven't changed, just the banks' willingness to waste time trying to make me spend more. Every time I cleared a credit card balance (and I do that monthly usually) would precipitate a tree death in the dimwit assumption I would love another credit card.

  23. Daniel B.
    Thumb Down

    Tokens?

    First, I wondered where was the high-tech hologram security when I first heard about "3DSecure". Because that's what it sounds like to the common punter, doesn't it?

    Secondly, my own country (Mexico) has mandated those OTP tokens for e-banking since March 2007. However, MasterCard SecureCode and VbV don't use this, and it seems it can't, even if I already have my OTP token in that bank!

    So basically, it is *less* secure for me to use VbV/MC SecureCode than to do stuff on my online banking site because of this. And I had to sign up for these schemes anyway, as my telco's gone "mandatory" on these schemes. Oh, and the card from the one bank that hasn't deployed SecureCode is being declined on 3DSec-enabled sites as well.

  24. lglethal Silver badge
    Thumb Down

    GridSure doesn't sound any more secure than 3dSecure

    Maybe I missed something (I'm an engineer not a programmer), but the GridSoft scheme that was detailed didn't sound much more secure against a good phishing site than the current VbV setup.

    A box with randomly generated numbers but which you choose the box beforehand. Piece of piss to phish, someone goes to purchase something, you pull up a pre-made screen with the box and your own non-randomly generated numbers, the person types in the number and boom you have which boxes they used. If the numbers are only 1-9, then you need to create an error screen and on the second go a new set of random numbers gives you the exact order of the boxes. Follow this by another error screen, switch to the real site, the person enters their details, makes their purchase none the wiser and you now have their details.

    How is that any more secure than VbV?

    Both systems are shite, and just a way for the banks and Visa/MasterCard to offload their liability back to us...

  25. Paul
    Flame

    Hate it.

    I don't see any advantage at all from the customer's perspective. Merchants I can see liking it (assuming it were implemented in a way that didn't chase away customers), because it does protect them. But it doesn't protect me at all. The worst part is how it's presented, you just get this stupid page asking you for extra information unexpectedly, it really does look like a phishing attempt.

  26. Anonymous Coward
    Anonymous Coward

    PINsentry

    Since quite a few banks have introduced pin verification devices for logging on to online banking or for setting up standing orders online then why don't the banks use this as their third factor?

    Seems a bit pointless for GrIDsure to be developing 3D Secure Plus when it essentially already exists?

  27. John Murgatroyd

    Errmmm

    I just click on "register later" and then ignore it.

    It works at the moment, when it doesn't I'll lose the card...

  28. Mark H
    Thumb Up

    No big deal

    I've used MasterCard SecureCode for ages - never considered it to be a problem. In fact it adds a level of reassurance that a site is secure. The Personal Greeting should allay anyone's fears of being Phished:

    'What is a Personal Greeting?

    The Personal Greeting is a message that you create during sign-up. Each time you make an online purchase at a participating store/retailer, you will be prompted to enter your SecureCode. At this time, you'll see your Personal Greeting and other purchase details. The Personal Greeting is your assurance that you are communicating with your card issuer. If the Personal Greeting displayed in the pop-up box is incorrect, you should not enter your SecureCode, but should instead contact Customer Service immediately by calling the phone number on the back of your MasterCard card, to report a possible fraud.'

    http://www.mastercard.com/uk/personal/en/cardholderservices/securecode/faqs.html

  29. James Henstridge
    Boffin

    VbV passwords

    Verified by Visa involves the merchant sending the customer to the customer's bank's website (or someone the bank has contracted out VbyV handling to) where they are meant to authenticate themselves, after which they are returned to the merchant site.

    While it seems common for banks to use simple passwords for this, they could use anything. It could be RSA secureid tokens, one time passwords sent to you via SMS or anything else. If the bank wants you to take on liability they should provide something less easy to fake (or less dangerous when it does get faked).

  30. Mike
    Boffin

    The problem is in the implementation

    You can have 15-factor authentication, but as long as the auths are fixed, scammers -will- figure out a way to get and use them.

    In Spain, my bank implements the method by sending me a random 6-digit number via SMS to my mobile phone, which I must have previously registered in person at my bank. It's very difficult to steal mobile phones over the internet, which makes the process fairly secure, and doesn't use a static password or code.

    On the other hand, a MC card I have was only asked for the CCVC -again- as the verification method, which seems very stupid and pointless.

    The problem lies in the strength of the third factor. Another bank for example uses a physical plastic card with a grid of 50 4-digit random numbers, and on the verification page, you are asked for one of the 50 codes at random. Unless the scammers find a way to steal plastic over the internet, it's a fairly secure approach too.
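
Added example (not part of the comment above, and not any bank's code): an issuer-side implementation of the grid-card check comment 30 describes, with 50 four-digit codes and one position asked at random. The class and function names, the three-failure lockout and the single-use challenge are assumptions; `replay_success_probability` shows how the protection shrinks as codes from the same card become exposed.

```python
import hmac
import secrets

GRID_SIZE = 50     # codes on the card, as in the comment
CODE_DIGITS = 4    # digits per code, as in the comment
MAX_FAILURES = 3   # assumption: the comment gives no lockout threshold


def new_grid(rng=None):
    """Generate the codes printed on one cardholder's card."""
    rng = rng or secrets.SystemRandom()
    return [f"{rng.randrange(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            for _ in range(GRID_SIZE)]


class GridCardVerifier:
    """Issuer-side state for one cardholder (hypothetical class)."""

    def __init__(self, grid, rng=None):
        if len(grid) != GRID_SIZE:
            raise ValueError("grid must hold exactly GRID_SIZE codes")
        self.grid = list(grid)
        self.rng = rng or secrets.SystemRandom()
        self.pending = None      # 0-based position of the open challenge
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def challenge(self):
        """Open a challenge and return the 1-based position to display."""
        if self.locked:
            raise PermissionError("too many failed responses; card locked")
        self.pending = self.rng.randrange(GRID_SIZE)
        return self.pending + 1

    def verify(self, response):
        """Check a response against the open challenge, which is then closed."""
        if self.locked or self.pending is None:
            return False
        expected = self.grid[self.pending]
        self.pending = None      # single use: a retry needs a new challenge
        ok = hmac.compare_digest(expected.encode(), str(response).encode())
        self.failures = 0 if ok else self.failures + 1
        return ok


def replay_success_probability(exposed_positions):
    """Chance that a fresh challenge asks for a position whose code has
    already been exposed (1-based positions). A static password behaves
    like a card with a single position: 1.0 after one exposure."""
    exposed = {p for p in exposed_positions if 1 <= p <= GRID_SIZE}
    return len(exposed) / GRID_SIZE


if __name__ == "__main__":
    grid = new_grid()
    verifier = GridCardVerifier(grid)
    pos = verifier.challenge()
    print("position asked:", pos, "accepted:", verifier.verify(grid[pos - 1]))
    for n in (1, 10, 25, 50):
        print(n, "positions exposed ->",
              replay_success_probability(range(1, n + 1)))
```

The probability rises linearly with the number of exposed positions, so a card in long use needs reissuing for the scheme to keep its advantage over a fixed password.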

  31. Laurence Penney

    Rang all my phishing alarm bells

    securesuite.co.uk rang all my phishing alarm bells when I encountered it trying to book a Brussels Airlines ticket in Dec 2007. I investigated, because I really wanted the ticket. Googling led me to this page, containing stories of disgruntled, confused people:

    http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam

    I decided it was probably genuine but didn’t want to risk it. Amazingly the airline has a phone number where I got the ticket at the same price(!), so I thought I'd ignore the problem.

    At this time the 'whois' info was no longer "cyota, 8 west 38th street, new york", as it had been in late 2006, but was now something more suspicious: "cyota, 7 Shenkar Street, Herzelia, ny, 46733, IL". Wikipedia told me that Herzelia is a suburb of Tel Aviv.

    Who was this company, cyota? How come an Israeli organization, bizarrely with "NY" in its address, was mediating between me and my bank?

    Upon further investigation, Cyota appears to have been an Israeli security firm, headed by one Amir Orad, and bought by RSA Security in 2005:

    http://findarticles.com/p/articles/mi_m0EIN/is_2003_April_8/ai_99748350

    http://www.rsa.com/press_release.aspx?id=6316

    http://www.crime-research.org/news/12.05.2005/1228/

    http://www.highbeam.com/doc/1G1-158592380.html

    So a defunct company name is listed as the registrant. It was all very weird. I called my bank's helpline. They had never heard of cyota.

    An hour or so later I needed an advance train ticket. First Great Western also use securesuite.co.uk - I also really needed that ticket so bit the bullet and gave my damn date of birth to the annoying “3D Secure” window. All totally against my anti-phishing self-training.

    The next day I went into my bank to complain about the security problem. They've never heard of Verified by Visa, SecureSuite, or cyota of course.

    As of October 2008 the whois info has changed yet again: "8200 Greensboro Drive, Suite 1100, NULL, Mclean VA, 22102, US". EasyJet, whose site I use a lot, now uses Verified by Visa, so I'm resigned to using the horrible system.

  32. dave

    @ Daniel B RE Tokens

    "However, MasterCard SecureCode and VbV don't use this, and it seems it can't, even if I already have my OTP token in that bank"

    3DSecure is simply a framework so a customer can be sent to the bank during the transaction, and the result securely sent to the retailer.

    What happens on the bank's servers, and how they come to decide if you passed or failed is entirely up to them - they can use tokens, or little calculator-like devices or whatever they like.

  33. Crispin Edwards
    Unhappy

    Disappointing Article

    I don't often read the register but this seems a particularly poorly researched article with just the kind of biased negative view that proliferates through the online industry giving credence to the e-comm sites that refuse to implement. Clearly John Leyden doesn't know his 3D-Secure from his elbow making statements like, "Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme." as detailed in feedback below.

    Other 'bloopers' include:

    "These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank"

    If in an iFrame, the user can't see the URL the content has come from plus what is your bank's own logo if not a connection, not to mention the website's name and the PAM? I'm interested in the claim to be able to reproduce the PAM in a phishing site, but not surprised- no matter how secure the solution, e-commerce still requires the user to have some sense not to buy from a phishing site.

    "Punters aren't informed up front that a merchant has signed up to Verified by Visa."

    Yes they are. It is a requirement of 3D-Secure that the site displays logos prior to the checkout page.

    "sites... routinely deliver a dialogue box using a pop-up window"

    Pop-ups have been outlawed for years in VbyV implementations.

    "it's hard to see how card details + CVV number + VbyV login is any more robust."

    In the same light, if card and signature was no longer considered secure I suppose it is hard to see how card and PIN is any more secure? Illogical.

  34. Anonymous Coward
    Anonymous Coward

    Why not use offline card readers

    Since many bank customers now have off-line card readers which can be used to verify a user's identity or sign transactions, why are the banks that have issued such devices not using them? The codes they generate are "one time" and therefore less amenable to phishing or replay attacks (although not completely invulnerable).

  35. Anonymous Coward
    Heart

    @ AC 13:22

    "Perhaps research these topics before you right a 2 page article on them.

    Just a thought."

    ...

    "Write" is the correct word to use to describe the creation of such an article of media as the 2-page article to which you refer.

    Perhaps research these topics before you write a snarky comment on them.

    Just a thought;o)

  36. FreeTard

    It's annoying enough to make you cancel the order

    I've found myself get frustrated with it on occasion, enough to cancel the order altogether.

  37. Anonymous Coward
    Anonymous Coward

    Not a conspiracy

    There seems to be some confusion - Banks are not the same thing as Payment Agencies, the payment agencies, Visa and Mastercard are mandating that the banks use these systems. It is not an excuse to make customers responsible for fraud on their accounts. The advantage is that the payments are processed by the bank, without the online trader ever seeing your card details, you therefore have significantly better security of your card data.

    The password thing will be tightened up as people get used to the idea of using the new system.

    All banks will be using this type of system in the next year or so, otherwise they'll be ponying up a very large amount of cash to the payment agencies in the form of fines.

    Anon, because it's my job.

  38. Anonymous Coward
    Anonymous Coward

    @Laurence Penney

    I wrote to The Register in mid-April about a phishy transaction, but it didn't seem to be taken seriously:-

    I did a transaction on a GX Communications website this evening (nee Pipex), and at the end of the transaction was directed to a page called "Barclays Secure" asking me for details about my account with Barclays. Everything looked like it could be Barclays, I checked that I was on a secure site and then entered the details requested. But the URL looked a bit unfamiliar: smartsuite.net. I did a Whois and up came some details about an Israeli company. So I rang Barclays and asked whether my details were in fact secure. They had heard of Barclays Secure, but not securesuite.com, "it doesn't sound right", said the Customer Services man who answered "it should always say Barclays". Asked to speak to a supervisor: none available, they are all in a meeting. Helpful. So what am I supposed to do? Cancel all my cards? Change my Date of Birth? No, sir, your money is safe. Is it? Perhaps TheRegister might be better equipped at getting to the bottom of this one. A secondary question: If securesuite is something to do with Barclays, does the data Protection Register entry for Barclays permit them to allow a third party in Israel to process UK transactions?

  39. Charlotte
    Thumb Down

    Could be worse

    I was recently asked by an established online retailer to provide a scanned copy via email of either my driver's license or my last bank statement. I refused as it's personal information, not a secure transfer, they couldn't tell me how it would be processed and how were they going to verify they weren't fake anyway? They locked my account and canceled my order. This was all because I wanted to ship to another address other than the billing address. My bank could see the transaction pending before it was canceled by the retailer and said they had no problems with it whatsoever.

    SecureCode and VbyV are annoying and not secure, but I would prefer that to being ID'd to buy a gift for someone.

  40. James O'Brien
    Alert

    I recall

    Back about a year and a half or two ago I saw this on Newegg.com's website when I went to place an order. Immediately said hell no to doing this and giving the information as all the bells and klaxons were going off. Closed the window and the order went through without a hitch. A little while later same thing same site so for shits and giggles, since I was ditching the card after that order anyway, I decided to see what would happen so I filled in the information. It kept failing said I had reached my max attempts so I closed the window and VIOLA order went through. Is it still this buggy or was I just an unlucky beta tester for it?

  41. Will Godfrey Silver badge

    As for me

    I've started sending cheques again

  42. Anonymous Coward
    Linux

    For some reason...

    ...I was seeing "Verified by Vista" throughout the article. But although I do have a different version of W*****s available, I use a different operating system on the web.

  43. Anonymous Coward
    Coat

    @Loss of Sales

    I'm probably one of those whose sale you lost when the VbV / SecureCode page appears. I've read the T&Cs and it seems to me that the main purpose of VbV etc is to shift liability from the credit card company to me. I wonder how many people, when they were about to make an important purchase and suddenly got hit by the 'register for VbV / SecureCode' screen, took the time to understand what they were signing up to?

    I've told my card issuer I will not be signing up. I've put this in writing. Every time I get hit by the VbV screen (and not every site tells you that they have now implemented this) I have to bomb out, my card issuer gets an alert and suspends my card as a 'potentially fraudulent activity' has occurred. And here I could go on about my card issuer calling me up and asking me to confirm my security information. When I pointed out that they had called me and could be anyone they got very stroppy.

    So I either don't use sites that have VbV, or phone the company to make the purchase.

    I'm looking for my Palm where I keep all my passwords in an encrypted database.............

  44. David Heffernan
    Thumb Down

    I got stung by this today!

    This afternoon I got an e-mail from Natwest Secure (aka Mastercard SecureCode) telling me I had changed my password. I hadn't. So I rang them and cancelled my card. My card gets cancelled around twice a year. Last time this happened it took me a very long time to persuade them that the transaction made was fraudulent. Apparently since it had been authenticated by SecureCode it must have been me.

    As far as I can tell the banks just do this to try to put the blame for fraud elsewhere. Banks don't have to pay for fraud. It's the credit card owners and the merchants. If they had to pay then they might have some incentive to make the system work!

  45. Anonymous Coward
    Go

    The role of banks

    The problem here appears to be the banks and what they consider secure.

    Verified by Visa allows the banks to do their extended validation by any means the banks find feasible. For example in Finland, the banks let small transactions (i.e. 20-40 €) go through without any validation besides the card number and ccv. When you do some more expensive shopping you're presented with your netbank's authentication page - which is used in electronic authentication also in more general - where you type in your user number and one-time password.

    This is a far cry from what British banks do when they just tell you to pick yet another pin code. This is true two-factor authentication: you need to both know your user name, card number, ccv and have your one-time password list (this isn't an electronic token - yet) to actually make any valuable transaction. The login pages of the banks do resolve to their proper domains and provide valid SSL certificates and if your shop is kind enough to do a pop-up newer browsers actually show this to you.

    So it's actually the British banks who are to blame, not Verified by Visa.

  46. Keith T
    Go

    why not email us after every credit card transaction?

    One password or two, or ten, the responsibility and liability is never on the consumer here in Canada.

    I'd like to see one-time passwords, but the inconvenience of tokens seems to be an insurmountable problem.

    Maybe cell phones could be used to obtain the one-time passwords.

    And why not email us after every credit card transaction?

  47. Karl Dane

    Two-way authentication

    It should be noted that two-way authentication _is_ available, at least with VbyV; you can set up a passphrase that VbyV must display to you, which proves (for a given value of 'prove') that the iframe or popup is actually being presented by VbyV rather than a phisher.

    Better than nothing, certainly.

  48. Anonymous Coward
    Anonymous Coward

    Verified by Visa

    I bought an item from a UK Tier 1 reseller last week and paid by Visa Card over the phone.

    The salesperson then said "I need your Verified by Visa password in order to complete the transaction". (I buy through an account manager as I receive a discount off their on line prices.)

    Having bought on a regular basis from this company for several years I gave the code to him, but am very worried about what happens next time I buy on line from a company I may not know.

    Concerned.

  49. Anonymous Coward
    Anonymous Coward

    GeoffC

    3DSecure is good for the Merchant, and that makes things easier for the customer too.

    Using 3DSecure brings with it a liability shift - so if fraudulent transactions are processed, then the Merchant no longer suffers through chargebacks. This can be expensive, especially where goods have already been shipped, etc. Without the threat of chargebacks then the merchant and customer can transact without the need for extra verification (such as sending ID documents etc), which are often required for larger purchases.

    Unfortunately, the card-issuing banks need to tighten up on the card enrolment to ensure that customers are correctly identified before allowing enrolment.

    As a merchant we have seen quite a bit of fraudulent use, even with 3DS authenticated transactions. Typically we have seen a 'run' on a particular bank's cards - and it is apparent to us (if not to the banks involved) that fraudsters have been able to register large numbers of cards under SecureCode or V*V, either via phishing or just weak enrolment procedure.

    Short of requiring every person to have a card reader on their PC (not a bad idea, IMHO) then 3DS is a workable solution.

    My only gripe is that VISA and MasterCard still rank a merchant based on the level of fraud even if using 3DS and authenticated transactions - and can remove the liability shift or otherwise penalise the merchant if the level is high - despite this obviously being a failure in 3DS enrolment and beyond the merchant's control.

  50. James Henstridge

    Re: Not a conspiracy

    The 3DSecure system doesn't reduce the amount of information being sent to the merchant -- it just adds an extra step to the payment process.

    After all, the merchant won't know which bank website to send you to until you've given the merchant your credit card number.

  51. Anonymous Coward
    Anonymous Coward

    Weakness is in the enrolment

    Unfortunately, the card schemes have left it to the card-issuing banks to determine how a customer enrols for 3DSecure. Here lies the main problem.

    Some card issuers allow enrolment in the middle of a transaction with an online retailer, when the cardholder is redirected to the authentication server. Others require pre-enrolment.

    If (all) the card issuers were to take this seriously, then enrolment would be more difficult, have to be performed in advance of any transactions being attempted, and maybe they might just have to take some time to also educate their cardholders how it works, and what webpages they might expect to see when redirected to an authentication server.

  52. Dennis
    Black Helicopters

    @ the Crispin Edwards article

    Hmmm...I personally cannot speak for the veracity of the article, but does Crispin Edwards' comment seem a little too VbyV friendly to anyone else???

    Black helicopter, just in case I'm right.

  53. Anonymous Coward
    Thumb Up

    Do more research on the subject matter

    In order for a phishing attack to occur, the "imposter" VbyV window would have to be able to display the website you are shopping, the amount of the purchase and the personal message you tie to your VbyV password.

    Let's say they can do this:

    3D-Secure is the name of the protocol. Part of this protocol is the use of encrypted PayLoads that are passed between the Cardholder's Bank, customer's browser and the software running at the merchant's website that handles the 3D-Secure Protocol messaging with Visa/MC.

    This phisher would also have to inject a PayLoad that matches the algorithm of the Issuing Bank's VbyV software that generates this PayLoad. (Upon determining that your card is enrolled an initial payload is also generated to validate at the Issuer to ensure the customer's session has not been compromised during transfer to the bank VbV window)

    The software the merchant is running to support VbV then needs to validate this PayLoad. If a faulty PayLoad is injected, this would surely fail and per the protocol the merchant would not continue with the authorization of the credit card. The order would fail before authorization.

    Secondly, your credit card number is not passed to the VbV authentication window. It is partial/masked and encrypted, although the phisher may have gotten your password, they still do not have your credit card number to match it to.

    At this point, you may have provided your VbV password to a phisher but this purchase would be prevented and your card number has not been compromised.

    VbyV has evolved quite a bit and I am an avid user of the service on both my Visa and MasterCards.

    Merchants for years have been stuck with the responsibility of managing Fraud on their websites and are still held accountable today. Because Fraud Liability shifts to Issuers and their cardholders does not mean Merchants are off the hook for providing safe environments for consumers to purchase. Phishing in 3DS is quite difficult, this would require not only infiltrating a merchant's SSL environment, but it would also require infiltrating the Bank's infrastructure, as well as the VbV Software provider.

    It actually is quite secure, perhaps not the answer for the most secure shopping experience, but a step in the right direction to help level the playing field between Merchants, their customers, and Visa/MC.

    Fraudsters will always try to find ways to beat any new technology, but do research on these technologies before you begin to rip them apart.

    Cheers

  54. Anonymous Coward
    Anonymous Coward

    Seen it from both sides

    As a punter, paying my Council Tax:

    1) Do the usual card-number, CVV etc. bit, then on confirmation page there's some blurb about VbyV with 'proceed' or 'not now'. Choose the former and am directed to a page (no popups) where I repeat some of the card details and set my password. I know my browser is 'clean' and have not visited other sites before going to the Council Tax site. After completion of VbyV I get an email from the council - they got my money.

    2) Same, except having registered now all I have to do is enter my password after the 'proceed' stage. Again, no popups or iframes.

    As a merchant:

    1) Our payment gateway (Protx) tell us 3DSecure is coming, and must be used. We humbly comply. Never mind the banks everyone above seems to be bleating about; we like the bit about how a successful 3DSecure auth negates *OUR* liability.

    2) What we want most of all is for genuine punters to actually be *able* to conduct a purchase with us. So far, 3DS is proving a bloody sight more reliable than the horrendous CVV/AVS which regularly throws a shit-fit when the card is (a) foreign, (b) corporate or (c) has a slightly irregular address-numerics format.

    Not that we haven't seen crap-outs that probably happened at the 3DS stage, but less frequently I can assure you.

    And just a brief word to the person who eulogised AmEx up above: Pain.In.The.Arse. Amex transactions can't be reversed on-line [i.e. during the payment process] based on CVV/AVS results, for some reason, so they go through Protx with flying colours and no real checks done. We then have to phone Amex and get a Code 10 [i.e. do the AVS check manually] before we know if the card is legit. We also have to do this when someone does an order by phone, but at least in that scenario we haven't accrued a processing fee yet. Amex is the shittiest card scheme by far from a small mail-order merchant's POV and I for one hope it dies a slow death from arse polyps.

  55. This post has been deleted by its author

  56. Geoff Magnay

    Worrying

    I was recently asked for a VBV transaction (which was genuine) and was prompted for a forgotten (did I ever know it?) password that told me it's the same memorable name as I use to access my bank and VISA account. Nice and easy to remember - but it means if it was a phishing site, the phishers would have access to my VISA and bank account. Whose crazy idea was this?

  57. BillPhollins
    Black Helicopters

    Foreign cards and confused punters

    Another issue with 3D secure is that not everybody uses the same version - we have (or I should say the merchant banks) issues with foreign cards when 3D secure is enabled. They might actually be enrolled, but with a newer or older version of 3D secure from the merchant bank.

    The main problem is the banks themselves are clueless about it, so what chance do the customers have? They're not even told their cards are enrolled half the time. Add to that the crapness of some of the card issuers' 3D Secure pages, I'm not surprised people don't complete transactions. You can tell it's not a phishing site if it looks crap...

    As for Amex, other than the problem that nobody has them, they are a pain for merchants who want to use multicurrency because Amex force them to open merchant accounts in each country, which is obviously very expensive (probably the idea...)

  58. Alan Fisher

    what's wrong with

    electronic passcode generators like SecurID and so forth?? Random numbers generated at both ends tied specifically to you, someone then has to steal both to be of any use and then can't steal it online?

    my bank has a SecurID/card reader combination for secure account webpage access and though unwieldy, I think this is much more secure?

  59. Crossbow
    Black Helicopters

    Not even as if it works......

    So far I've managed to avoid VbV, but I did have an interesting demonstration of Mastercard Securecode's utter uselessness..... My boss wanted to order some stuff online, but being a total computard, gave me his CC, and went off to a meeting. So off I go and do his shopping for him, all fine, until securecode pops up. So after a bit of swearing, and leaving the boss a voicemail, I sit there and wait for him to get back to me. 10mins later, a popup tells me the session has expired, so I click ok, expecting to have to go through the whole checkout procedure again later.... But nope, the transaction went through.

    In what way does having an auth step that it doesn't matter if it fails help anyone?

  60. Anonymous Coward
    Happy

    @ Ginger - Ref "Use Amex"

    Hmm. Don't get too comfortable with your Amex card. I have it on good authority that "The times, they are a changing".

  61. Anonymous Coward
    Anonymous Coward

    Some stats

    Here are some interesting stats from our systems:

    ~66% of fraudulent transactions successfully verify with VbyV/MCS - scary!

    ~5% drop rate from checkout once presented with VbyV/MCS

    ~3% increase in telephone transactions July 2006 - June 2007 (without VbyV/MCS) against July 2007 - June 2008 (with VbyV/MCS); change from 0870 to 0845 may have also affected this

    ~12% increase in orders rejected July 2006 - June 2007 (without VbyV/MCS) against July 2007 - June 2008 (with VbyV/MCS) - this can only partly be attributed to the introduction of VbyV/MCS as improvements in our internal fraud analysis will also affect this and the astronomical increase in online credit card fraud

  62. Anonymous Coward
    Boffin

    just received the following spam/scam email

    Obviously the scammers must be reading The Register to get new fraud ideas, as I just received the following:

    --------------------------

    Subject: [koi8-r] VISA Card Departam[koi8-r] ent

    Date: Fri, 24 Oct 2008 04:26:38 -0400

    From: "[koi8-r] support" <support@visa-card.com>

    To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Reply-To: "[koi8-r] security" <security@visa-card.com>

    Note: This is a service message with information related to your Visa Card(s). It may include specific details about , products or online services. If you recently cancelled your card or do not use card anymore please disregard this message.

    Dear VISA Card Member :

    Verified By Visa (R) enhances your existing VISA Card with a personal password of your choice. When you shop at participating online stores, you enter your password in the same way you would enter a PIN at an ATM. It means that only you can use your VISA Card online, giving you the same assurances you have when you use your card in a

    physical store.

    To avoid service interruption we require that you sign up with your card information as soon as possible. Please take a moment to register at Verified by VISA by going to the following address:

    http://verified-byvisa.com/

    Create your personal fraud protection.

    Thank you for your business.

    Sincerely,

    VISA Online Services

    2008 VISA Worldwide. All Rights Reserved

    ---------

    a quick whois reveals the scamsters:

    whois verified-byvisa.com

    [whois.crsnic.net]

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered

    with many different competing registrars. Go to http://www.internic.net

    for detailed information.

    Domain Name: VERIFIED-BYVISA.COM

    Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

    Whois Server: grs.hichina.com

    Referral URL: http://www.net.cn

    Name Server: NS1.SILIVANTRA.COM

    Name Server: NS2.SILIVANTRA.COM

    Status: ok

    Updated Date: 19-oct-2008

    Creation Date: 17-oct-2008

    Expiration Date: 17-oct-2009
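An added example, not part of the comment above: the email and whois record quoted in post 62 already contain two signals a mail filter can score, a link domain that differs from the sender's domain and a registration date only days before the message was sent. The function names and the 30-day threshold are assumptions; the sample text is abridged from the post.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Sample input, abridged from the email and whois output quoted in the post.
SAMPLE_EMAIL = """\
Date: Fri, 24 Oct 2008 04:26:38 -0400
From: "support" <support@visa-card.com>
Reply-To: "security" <security@visa-card.com>

Please take a moment to register at Verified by VISA by going to the following address:
http://verified-byvisa.com/
"""

SAMPLE_WHOIS = """\
Domain Name: VERIFIED-BYVISA.COM
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Updated Date: 19-oct-2008
Creation Date: 17-oct-2008
Expiration Date: 17-oct-2009
"""

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}


def parse_whois(text):
    """Return {lowercased field: [values]} from 'Key: value' whois lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def whois_date(value):
    """Parse the registry's dd-mon-yyyy format without relying on the locale."""
    day, mon, year = value.lower().split("-")
    return datetime(int(year), MONTHS[mon], int(day), tzinfo=timezone.utc)


def link_hosts(body):
    """Hostnames of every http(s) URL found in the message body."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return sorted({h for h in (urlparse(u).hostname for u in urls) if h})


def assess(email_text, whois_text, max_age_days=30):
    """Score one message against the whois record of the domain it links to."""
    msg = message_from_string(email_text)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    sent = parsedate_to_datetime(msg["Date"])
    links = link_hosts(msg.get_payload())
    whois = parse_whois(whois_text)
    whois_domain = whois.get("domain name", [""])[0].lower()

    flags = []
    # Signal 1: the message sends the reader to a domain other than the sender's.
    if any(h != sender_domain and not h.endswith("." + sender_domain)
           for h in links):
        flags.append("link_domain_differs_from_sender")

    # Signal 2: the linked domain was registered shortly before the mail was sent.
    age_days = None
    if whois_domain in links and "creation date" in whois:
        age_days = (sent - whois_date(whois["creation date"][0])).days
        if age_days < max_age_days:
            flags.append("newly_registered_domain")

    return {"sender_domain": sender_domain, "link_domains": links,
            "domain_age_days": age_days, "flags": flags}


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL, SAMPLE_WHOIS))
```
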

  63. Samuel Pickard
    Unhappy

    Password policy is driving me to be less secure

    My biggest problem with VbV and SecureCode is their password policy. I can see all the small steps they've made, and why individually they're more secure, but the overall result is that I'm never sure what my password is.

    So the password has to have a minimum length, intercapped, characters and digits - pretty standard. But passwords like this can be difficult to remember, but not impossible and it's my cards right, so I should pay attention.

    Then, instead of entering the password, I'm asked for three characters from it, and I find myself counting out what I think my password is on my fingers. And I get it wrong. Did I miscount or have I mis-remembered? So I try what I think it is again, and again it's rejected. So I rack my brains for what else it may be, enter my best guess, find I've got it wrong again and now my password is disabled.

    So I complete the form to reset the password (which is waayyy easier to break than my password), and for my new password I enter what I thought it should be in the first place. It then tells me that I've used that password and I have to think of (yet) another password for it. I try to make it sensible and memorable, but not obvious. I find adapting Bob Dylan lyrics particularly good for this (7h3yllst0n3y0uwh3ny0ur3ly1ng0nth3fl00r), but I now know that I'll have a problem remembering this next month when I want to use the card again.

    So I end up emailing myself my password, in plain text, effectively nullifying their attempt at security, and now it's my fault if my account gets hacked as I've sent my password through the internet.

  64. Anonymous Coward
    Flame

    @ LH

    You are right. The whole set-up of 3D Secure is up to the issuing bank. Many of them have introduced the solution to be "compliant", not to add security. The Nordics have combined it with CAP/EMV technology to great effect and it has also been publicised in a much better fashion. Well, it has actually been publicised, rather than implemented and no one told about it!

    The same goes for the password re-set issue that was mentioned in the other article yesterday. This is again, set up according to the banks' wishes and can be as simple or as complicated as the banks want. It would seem most banks opt for the very basic standard method.

    If anyone should be blamed, it's the bank. Not the schemes and not the protocol.

  65. Jake Rialto
    Coat

    Liability

    I implemented VBV for a bank, and the reason they're all so keen as mustard is because in cardholder not present scenarios the liability used to be theirs. With VBV the liability is passed back to Visa. The merchant acquirers (the banks) therefore are putting pressure on the merchants to adopt the scheme to reduce their losses.

  66. Vince

    @ AC re Stroppy people when asked to prove who THEY are...

    "And here I could go on about my card issuer calling me up and asking me to confirm my security information. When I pointed out that they had called me and could be anyone they got very stroppy."

    I had similar recently, with MBNA - however, they were actually clued up. When I said "but I need to verify you as well", he was happy for me to ask HIM a security question relating to my account first (I asked him to confirm the 'n'th letter in my password and the last letter of my postcode as a basic test (about as good as it will get!)).

    He then asked me a few password characters and so on, and we completed enough basic checks to give some reassurance. Points to MBNA for thinking about customer security properly.

    (Of course, they were ringing me because the overly active anti-fraud system thinks pretty much weekly something I do is likely to be fraudulent, to the point where I now expect my regular calls from various card providers).

  67. Anonymous Coward
    Unhappy

    From personal experience

    i can say "Verified by Visa" is a fucking shambles.

    Never has buying anything been such a painful and pointless chore. In my absolute worst case i was on the phone to some scripted twat with a thick Scottish accent repeating:

    "i nee 't ha yer personal passcode befer i cen process the transaction. De yer ha yer personal passcode. "...

    "No... i dont know what passcode you mean"...

    " th personal passcode yer made when yer started th service"...

    "i dont remember what it was"...

    "but i nee 't ha yer personal passcode befer i cen processes the transaction. De yer ha yer personal passcode. "...

    "No... i dont know what passcode you mean"... and it went on like this for another 40 minutes until i said bollocks to him and canceled the purchase.

    As soon as i see that "Verified by Visa" shit, i just quit and try to get what i want somewhere else.

  68. Anonymous Coward
    Stop

    looks like

    I won't be shopping online, then

  69. Chris Cheale

    @Amex

    > Use Amex

    > They don't have one of these pointless schemes,

    Wrong - they call it SecureCode or somesuch and has been in place for over a year...

    http://www10.americanexpress.com/sif/cda/page/0,1641,18776,00.asp

  70. Anonymous Coward
    Anonymous Coward

    Alternatives

    1. Card readers. Using challenge-response, you could prove that you possess the card. (The only risk is modified readers skimming your PIN for use in foreign ATMs or whatever: you'd have to ensure you used a reader of good provenance).

    2. Or, for people who find card readers annoying: it should be possible to embed a little LCD on the credit card itself (like those RSA dongles) with a one-time code on it.

  71. Anonymous Coward
    Boffin

    Abbreviationally Challenged

    "Steve, our original source, had problems with MDNA and Egg."

    You should tell Steve that Mitochondrial DNA is passed on from your mother, so it's always going to be in the egg (Sperm does contain a small amount of MDNA, but it's destroyed after fertilization)

    Perhaps you meant MBNA?

  72. Gis Bun
    Happy

    uh huh

    Well, aside from who takes responsibility, at least entering a password is better than a few years ago when there was no verification.

  73. Anonymous Coward
    Anonymous Coward

    @James Henstridge re not a conspiracy

    The merchant knows which Bank you belong to, but the merchant doesn't store your authentication information, none of the back end details of the transaction are hosted on their systems. There is far less scope for a dodgy merchant, or sysadmin at a merchant to nick your card information and its associated auth details.

  74. David Silver badge
    Flame

    I will NEVER sign up to Verified by Visa

    I'm really pleased to see The Register highlighting the strong public feeling against the scam that is Verified by Visa.

    I will NEVER sign up to Verified by Visa: the liability shift that blames the cardholder for everything, the dodgy typo-scammer domain name (and the even dodgier domain registration: just what is going on there with the ever-changing whois records, can we trust such a company with our data?), the shonky phishing-like implementation, no way!

    Just as I'd started to have trust in internet shopping, I've since made far fewer internet purchases since some misguided retailers started foisting VbV onto us. Result: it's the realworld high street shops that are getting my money, and the internet retailers are losing out on my potential purchases instead.

    If we need increased card security, there must be far more sensible ways of doing it. Many banks now issue card-reader devices which can be used to authorise internet banking transactions: combined with BACS "Faster Payments" wouldn't this be a good way to make internet payments more securely - and it'd really give the finger to Visa and MasterCard for introducing such an idiotic scam in the first place!

  75. David Silver badge

    3DSecure signup: per-card or per-account?

    I understand that where your card issuer forces you to sign-up to 3DSecure (rather than you being dumb enough to opt-in voluntarily), you are allowed to make 3 online transactions before you are absolutely forced to sign-up and cannot then make any more online transactions.

    Does anybody know if the 3 transaction "grace period" applies to a specific-numbered card (which we all know has a finite validity period) or to your account overall (indefinite validity)? If the former, it strikes me that when I reach transaction number 3, I could simply report my card "lost" and ask for a new one, with a new card number, thus resetting the clock. Since I'd be doing this precisely in order to maintain my own security, I'd like to see the card issuers attempt to argue against new cards being issued for that particular reason!

  76. Anonymous Coward
    Unhappy

    @Vince

    You're lucky - a few years ago (before I had a major falling-out with the stroppy gits) I had several "conversations" with MBNA where they would ring me and demand to know all the normal "security" information - name, plus selected bits of the address (ie house number/name, the whole first line or the postcode).

    Each time I pointed out that they had called me; if I was up to no good in the house (I'd broken in, or whatever) then I would not answer the phone anyway, and if I had suffered a complete brainfart and answered a phone in a house I was robbing, then there was probably a 99.99% chance I had found an envelope with the owners' names and address on (as if I wouldn't know *which* house I was in anyway...)

    In all the years I had the card, only ONE of the telephone staff actually gave me his name and the phone number (matched the one on the statements, since he really did work for MBNA) so I could call them back rather than just take his word for it... most of the staff just got even more stroppy, one simply put the phone down and one - after I'd had a particularly bad day at work and demanded to know how he would verify HIS identity since he had called me - threatened to pass me over to his Supervisor for rude and offensive behaviour... so I told him I'd **love** to speak to his supervisor and let them know just how much value I placed on their so-called "security", but then the line just went dead...

  77. Liam Nagle
    Thumb Down

    Forced to register

    Last week I needed to buy a plane ticket on line from BA. To complete the transaction I had no option except to register with Verified by Visa. This is despite not wishing to register and buying the ticket via my BA Executive Club account, which should in any case have added an extra layer of security.

  78. Igor Mozolevsky
    Coat

    Don't fault Visa...

    ... if your card issuer is inept... I know at least of one card issuer that uses one time passwords for VbV and there's no way to change anything at the prompt. You go to the ATM, print a slip that has a unique ticket number and ten passwords, when you pay, their VbV prompt asks you for password number P on ticket number T and that password is not used any more on that ticket. Granted, the issuer is not a UK one...

  79. Schultz

    More hassle, same security

    Doesn't sound like the solution. Back to the drawing board!

  80. Scott
    Coat

    8D

    I just invented 8D it asks for 8 different passwords very secure oh and this IS secure you see there's no way a phishing attack can get all 8 passwords hackers are too stupid?????? much better than 3 anyway and my system you only have to enter 25 different personal details from height, weight and length?

  81. Daniel Nebdal

    Passwords?

    Hmm, all online bank sites in Norway that I'm aware of use some form of authentication keyfobs plus a PIN - and that's also what we use for VbV. Of course, this means that you can't get past a VbV screen unless you're set up for online banking - but I don't think the "online shopping but not banking"-subset is large enough for that to be a big problem.

  82. lucinda styles
    Alert

    Good solutions need not be mandated

    A solution if it works need not be mandated. We should all be wary of anything that's forced.

    It's high time that the UK competition office take a look at this monopolistic practice by the big card schemes of imposing ineffective solutions onto the market. There are other more effective solutions. This awful practice of ramming a solution (because you can) must end in order to finally bring QUALITY solutions and products into the market !

    If UK had effective consumer protection agencies, mandated solutions would not stand a chance. The best thing to do, I believe - is to REPORT the card schemes to the UK competition office.

  83. Dave
    Black Helicopters

    Don't like it myself

    Whenever I've been confronted by the VbyV screen I've declined to sign up, I'm not comfortable with inputting the personal information they ask for.

    The only effect to me has been that I now pay my council tax and BT phone bill using the automated telephone CC system, rather than a website.

    If Amazon UK, or my web hosting provider start requiring it, I suspect I'll opt to pay by cheque.

  84. Andrew
    Stop

    Inadequate Security on All card Txns

    The issue is that the various organisations, APACS, Banks, Card issuing companies, IT Solutions Companies and retailers are all looking at this separately.

    The retailers do everything at the cheapest possible cost, the banks say it is the retailers' problems, VISA and Mastercard say that it is down to the banks and APACS tries but fails to bring them all in together.

    Fraud has improved in the customer present world and despite people's ranting, chip and pin has improved things however this has been marred by stupid short cuts being taken by both the banks and the retailers. Also nothing at the time of implementation was done about the user experience which is not good!

    VBy V and 3D Secure have been put into place to look at on-line fraud and theoretically to protect the consumer. It Fails!!!!!!

    I would advise people only to use sites that they know and trust and where you have confidence in the e-tailer. Also only deliver items to your registered address - That cuts out fraud. Some sites will do more checks e.g. against electoral roll. It is only through the application of common sense and other interrogation of personal data that we can cut online fraud. Not VByV or 3D Secure which is basically useless!
