The Verified by Visa system is becoming harder to avoid, even for those with real doubts about its effectiveness in combating fraud. The experiences of Verified by Visa refusenik and Reg reader Steve reported in our earlier article on the system are being experienced by more and more Register readers. Both Verified by Visa ( …
They don't have one of these pointless schemes, so you don't have to fret. Of course, you have to find online stores that *take* Amex, but that's getting better these days.
Mine's the one with the card skimmer in the pocket
God these things irritate me
I've got a few domains at 1&1. Last time I updated my credit card details the page was redirected to some unlikely URL which half-loaded some shonky-looking box asking for personal details. Obviously I called them and was surprised to hear it was real. No opt out, no added security benefit, totally pointless and a real irritation. Does Shopsafe, etc. allow one to avoid these things?
Is not hinting at 3-factor authentication but the 3 domains that are involved in the transaction process: the card scheme, the issuer and the acquirer.
Perhaps research these topics before you right a 2 page article on them.
Just a thought.
Bank pressure to use it
Our bank is applying a lot of pressure for us to implement it on our website, threatening large fines if it isn't implemented soon. From our perspective, it offers us no benefit and presents an obstacle to our users paying online (it's so poorly implemented it looks to the average punter like a phishing attack). Additionally, it offers little or no extra security and the service is completely unreliable.
We're holding out as best we can, but the pressure on the merchant to implement it on pain of fines is plain shitty.
You have to question the kind of fugged up thinking...
....that goes on behind such policies.
Poor security like this is as bad as no security because of the negative impact a breach of said security will have. Just what is the point of a 3rd tier that can be so easily broken? I could conceivably gain control of the accounts of any of my friends without them knowing in a matter of minutes.
What sort of fools think these schemes up?
As you say
not more secure, just an excuse for the bank to try and disclaim any liability.
The notion that VbV and Securecode are adding any real security is ludicrous. The popup window that appears asking for my confidential information could be coming from anyone - there's no way for me to verify it. And once the information is given out in the course of a purchase, I can't believe it's secure any more. I'm supposed to just trust that the information I entered while purchasing from Merchant X went only to credit card site Y? Give me a break!
works fine for me
Thought they needed our billions to get recapitalised - not to keep on playing silly buggers.
The first time I encountered this 'system' was when I was purchasing a Bletchley Park T-shirt from El Reg's own Cash 'n' Carrion.
I was very dubious about the pop-up, and it meant an otherwise 5-minute purchase took closer to 30 minutes, as I checked and double-checked URLs and owners of IP addresses etc.
Even the banks don't know what it's for
First time I used Verified by Visa (on dabs IIRC) I didn't know what it was, but went through the process and it worked.
I then started to get twitchy, and wondered if it had been some clever phish. So I called the card help line, who didn't know what it was either, and THEY insisted on cancelling my card.
It turns out it was all legal and above board, but the call centre had no idea what it was.
Here's a thought though. If the banks were even keener to cancel credit cards, we wouldn't be in a credit crunch now!!!
avoids all fraud
ok, it doesn't avoid fraud really:
1. you steal a credit card
2. you buy online where they request 3d secure details
3. you sign up for 3d secure - normally having the card to hand is all you need
4. get free stuff
(this is scuppered if they have already signed up to 3d secure - but why would they? - to create more hassle while buying online?)
best way to take advantage of this is to setup an ecommerce website and all those nice stolen cards used as above will have payments that will have to be honoured, so you get the money :-)
invulnerable? it's child's play
So I set up a website, and operate a man-in-the-middle attack on VbyV. End user is none the wiser since they see a page identical to one they're expecting (including their secret message that PROVES(!) they are seeing the real page as served by Visa), and I get their details whilst actually processing the transaction for real. Just need to insert a couple of "auth failed" pages so I can ask for each of the letters of their passphrase 3 at a time, and I'm done.
Piece of piss. The banks should sack their security idiots...
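The relay attack sketched in the post above, worked through as a runnable model. This is an added example, not code from the original thread or from Visa: `IssuerACS`, `Cardholder`, `HonestMerchant`, `StaticPhisher` and `RelayingPhisher` are hypothetical stand-ins, and the card number, password and personal message are constructed test data. The point it shows is that the "personal assurance message" only stops a phisher who cannot talk to the real issuer; a man-in-the-middle that forwards the card number obtains the genuine message and shows it to the victim before asking for the password.

```python
import hmac

# Constructed issuer-side enrolment records: example data only, not real cards.
ISSUER_RECORDS = {
    "4111111111111111": {"pam": "Purple elephants", "password": "hunter2"},
}


class IssuerACS:
    """Stand-in for the issuer's access control server (hypothetical model).

    Given a card number it returns the enrolled personal assurance message
    (PAM); later it checks the password the cardholder types in."""

    def __init__(self, records):
        self.records = records

    def challenge(self, pan):
        rec = self.records.get(pan)
        return None if rec is None else {"pam": rec["pam"]}

    def verify(self, pan, password):
        rec = self.records.get(pan)
        return rec is not None and hmac.compare_digest(rec["password"], password)


class Cardholder:
    """Follows the advice: only type the password if the PAM is the one I chose."""

    def __init__(self, pan, password, expected_pam):
        self.pan, self.password, self.expected_pam = pan, password, expected_pam

    def pay(self, site):
        page = site.start_checkout(self.pan)      # card number goes to the site first
        if page is None or page.get("pam") != self.expected_pam:
            return "aborted"                      # wrong or missing message: walk away
        return "paid" if site.submit_password(self.password) else "declined"


class HonestMerchant:
    def __init__(self, acs):
        self.acs = acs

    def start_checkout(self, pan):
        self.pan = pan
        return self.acs.challenge(pan)

    def submit_password(self, password):
        return self.acs.verify(self.pan, password)


class StaticPhisher:
    """Copies the look of the VbyV page but cannot know the victim's PAM."""

    def start_checkout(self, pan):
        self.pan = pan
        return {"pam": "Your security message"}   # a guess; the cardholder should notice

    def submit_password(self, password):
        self.harvested = (self.pan, password)
        return True


class RelayingPhisher:
    """Man-in-the-middle: forwards the card number to the real ACS, shows the
    victim the genuine PAM, then forwards the password too, so the purchase
    goes through and the victim sees nothing wrong."""

    def __init__(self, acs):
        self.acs = acs
        self.harvested = None

    def start_checkout(self, pan):
        self.pan = pan
        return self.acs.challenge(pan)            # genuine PAM, fetched from the issuer

    def submit_password(self, password):
        self.harvested = (self.pan, password)     # credentials captured here
        return self.acs.verify(self.pan, password)


def run_demo():
    acs = IssuerACS(ISSUER_RECORDS)
    victim = Cardholder("4111111111111111", "hunter2", "Purple elephants")
    relay = RelayingPhisher(acs)
    return {
        "honest": victim.pay(HonestMerchant(acs)),
        "static_phish": victim.pay(StaticPhisher()),
        "relay_phish": victim.pay(relay),
        "relay_harvested": relay.harvested,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Run it and the honest checkout pays, the static phisher is aborted at the PAM check, and the relaying phisher both gets paid through and holds the card number and password. The design point is that anything the issuer will reveal to whoever presents the card number cannot authenticate the issuer to the cardholder.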
Recommendation or mandate?
I run a large transactional site in the UK. Interestingly, the message I've got is not that issuing banks are deciding individually to mandate these schemes but that Visa themselves mandate VbyV and will fine non-takers (merchants). I'd be interested in other readers' experiences.
Myself, I just use my Amex when shopping online. No hassle with passwords, no worries about phishing and cashback on top. Beat that, 3D secure.
And then there's the wonderfully secure signup procedure to set your password - gee, no one would know my mother's maiden name (the same as mine after the divorce!)
A glimpse of the future
Organisations such as Visa who promote their security systems as near-infallible and then refuse to believe genuine claims from victims on the grounds that it's 'impossible' to be broken give us a glimpse of the future ID card fallout.
Obviously UK.gov won't cough to any 'holes' in the system so when (not if) the cards are cloned/forged/stolen by terrorists/pirates/chavs and the victim goes to the Govt. to complain, they'll be told they can't have had their ID stolen as the cards are totally secure.
Cue people being sectioned in secure units for believing that the ID card system could be fallible when everyone knows that's impossible. A bit like Sarah Connor when she insisted that Arnie and his ilk were on their way.
Da da daa
da da da
Da da daa
da da daaaaaa daa
da da daa
I have implemented this ...
... where I work and it wasn't easy.
To avoid the phishing attacks most banks allow you to add a phrase that is displayed every time the 3DSec box appears. I have set this up with all my cards as I opted in so I could test the system I was building.
Most banks ask for the whole password, which a key logger would get. But if your OS is full of security holes that is hardly the bank's fault. What is the bank's fault is the moving of the liability from the CC company basically to you. It was explained to me that successful 3DSec makes it almost impossible for a person to claim fraud, the only defence being "that someone was holding a gun to my head"!
My cousin runs an airport transport service. He picked up a party of 15 who had pre-paid via CC. 6 months later the money was removed from his account as the CC owner claimed it had been used fraudulently. My cousin worked his nuts off to prove the guy had used the service. He is loving 3DSec; now he doesn't have to photograph every punter who uses his service as he requires 3DSec.
When we forced users to use 3DSec here our sales plummeted, so unless the bank says that payment cannot be made unless the person goes through it - we don't do it. The amount we lost in legitimate sales was huge compared to the amount of fraudulent sales, which was and still is negligible.
For those that do not like Sec3D, can you please stop complaining and suggest an effective, secure alternative please?
BTW, can't you just always tell the ideas that start in a board room, vs. the ones that come from engineers?
God I hate VbyV, it's one of the most painful things ever. What's more annoying is that the site sometimes doesn't seem to work with my install of Firefox (probably NoScript) so I've lost out on tickets with Ticketmaster (another REALLY poor site) and all sorts of internet payments.
Just give us all a SecurID-type dongle, or build something like it into the card. (Maybe with an RFID in there that pushes out the code when it powers up, then you'd just need a cheap reader on the PC. How hard is that?!) Just anything other than this damn mess we have now.
Was convinced this was a cross-site scripting attack when I tried to buy pizza off the internet the other night. I was certainly very unsure about filling out the crappy-looking form the first time I was presented with it.
Loss of sales
As a vendor, my issue is with the approx 25% fall through rate on almost entirely completed transactions once implementing 3D secure at the insistence of our gateway provider. This is because the whole 3D secure 'system' is not being marketed or publicised by the card issuers, so the first thing a punter hears about it is a scratty looking pop-up when he/she first stumbles upon a sales site using it.
It does look like phishing, it asks too many sensitive questions like d.o.b. and maiden name.
The card issuers should make the registration to the 3D secure scheme the responsibility of the banks, not us sucker vendors who have to suffer lost sales while 'promoting' the benefits of the scheme as best we can.
I'm sick of it and wish there was a way we could de-implement 3D secure, but Protx will not allow us to process Maestro cards unless we use 3D secure.
I don't understand
Credit cards are fundamentally an insecure document. The whole point is to divulge all the secrets that anyone cares to layer onto them. The issue is really one of identifying whether the card is being used by the person that owns it or one of their nominated agents. This can never be ascertained over a computer link or a phone line. It wouldn't matter how secure the connection, the fundamental problem doesn't go away, and the real worrier is that banks are subtly swinging towards a "card always is in the hands of the owner" assumption, leaving the owner with the bills when this isn't the case.
What is required is a massive bottom-to-top overhaul of the whole sorry mess. The card owner should be able to select just how secure they want their card to be (with the understanding that the more secure, the harder to use) and offset that against how much of the damage they will assume in the event of a fraud. The banks should be offering to place the same credit fraud alert practices at the disposal of the card owner, for a reasonable operating charge of course.
That way, if I am paranoid about my card use (and who wouldn't be?) I can have myself phoned every time a charge is made against the account and verbally OK it or challenge it. Yes it is cumbersome and yes it will be more expensive to implement, but it doesn't involve any technology that isn't already available.
Next, the banks have got to stop letting their employees get talked into divulging personal details of account holders by phone, no matter how heart-rending or oily the caller is. The vast majority of bank fraud starts with someone talking a bank employee (who is trained to know better) into changing a credential over the phone.
As for this nonsensical "Verified (my arse) By Visa" scheme, opt out as a consumer by phoning in your order or doing without.
One good outcome of the recent credit squeeze is that the mountain of dangerously fraud-prone "preapproval" mailings for credit cards delivered my way has died from about two a week to nil. My spending patterns haven't changed, just the banks willingness to waste time trying to make me spend more. Every time I cleared a credit card balance (and I do that monthly usually) would precipitate a tree death in the dimwit assumption I would love another credit card.
First, I wondered where was the high-tech hologram security when I first heard about "3DSecure". Because that's what it sounds like to the common punter, doesn't it?
Secondly, my own country (Mexico) has mandated those OTP tokens for e-banking since March 2007. However, MasterCard SecureCode and VbV don't use this, and it seems it can't, even if I already have my OTP token in that bank!
So basically, it is *less* secure for me to use VbV/MC SecureCode than to do stuff on my online banking site because of this. And I had to sign up for these schemes anyway, as my telco's gone "mandatory" on these schemes. Oh, and the card from the one bank that hasn't deployed SecureCode is being declined on 3DSec-enabled sites as well.
GridSure doesn't sound any more secure than 3D Secure
Maybe I missed something (I'm an engineer not a programmer), but the GridSoft scheme that was detailed didn't sound much more secure against a good phishing site than the current VbV setup.
A box with randomly generated numbers, but you choose the boxes beforehand. Piece of piss to phish: someone goes to purchase something, you pull up a pre-made screen with the box and your own non-randomly generated numbers, the person types in the numbers and, boom, you have which boxes they used. If the numbers are only 1-9, then you need to create an error screen and on the second go a new set of random numbers gives you the exact order of the boxes. Follow this by another error screen, switch to the real site, the person enters their details, makes their purchase none the wiser, and you now have their details.
How is that any more secure than VbV?
Both systems are shite, and just a way for the banks and Visa/MasterCard to offload their liability back to us...
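The two-round phish described in the post above, worked through as a runnable model. This is an added example, not code from the thread or from GrIDsure; the grid size (25 cells), the pattern length (4 cells) and the digit range (0-9) are assumptions, and the attacker's grids are chosen deterministically rather than "randomly" because a phisher controls the fake page. Round 1 gives cell c the digit c % 10, round 2 gives it c // 10, so the pair of digits the victim types for a position pins down exactly one cell; the bogus "auth failed" screen between rounds is what gets the victim to type twice.

```python
import random

GRID_CELLS = 25    # assumed 5x5 grid
PATTERN_LEN = 4    # assumed length of the user's secret pattern (ordered cells)


def user_response(grid, pattern):
    """What the user types: the digit shown in each cell of their pattern, in order."""
    return [grid[cell] for cell in pattern]


def phisher_grid(round_no):
    """Attacker-chosen grids: round 1 splits the 25 cells into 10 digit groups,
    round 2 splits each of those groups, so two typed digits identify one cell."""
    if round_no == 1:
        return [c % 10 for c in range(GRID_CELLS)]
    return [c // 10 for c in range(GRID_CELLS)]


def narrow(candidates, grid, typed):
    """For each pattern position keep only the cells whose digit matches what was typed."""
    return [{c for c in cands if grid[c] == digit}
            for cands, digit in zip(candidates, typed)]


def recover_pattern(pattern):
    """Two rounds of fake 'authentication' recover the secret pattern from nothing
    but the digits the victim typed. Returns (recovered pattern, candidates left)."""
    candidates = [set(range(GRID_CELLS)) for _ in range(PATTERN_LEN)]
    for round_no in (1, 2):
        grid = phisher_grid(round_no)
        typed = user_response(grid, pattern)   # victim types into the fake page
        candidates = narrow(candidates, grid, typed)
        # ... fake page now shows "authentication failed, please try again"
    return [next(iter(c)) for c in candidates], [len(c) for c in candidates]


def candidates_after_random_rounds(pattern, rounds, rng):
    """For comparison: how far genuinely random grids narrow each position."""
    candidates = [set(range(GRID_CELLS)) for _ in range(PATTERN_LEN)]
    for _ in range(rounds):
        grid = [rng.randrange(10) for _ in range(GRID_CELLS)]
        candidates = narrow(candidates, grid, user_response(grid, pattern))
    return [len(c) for c in candidates]


if __name__ == "__main__":
    rng = random.Random(1)
    secret = rng.sample(range(GRID_CELLS), PATTERN_LEN)   # constructed secret pattern
    recovered, remaining = recover_pattern(secret)
    print("secret:   ", secret)
    print("recovered:", recovered, "candidates left per position:", remaining)
    print("random grids, 2 rounds:", candidates_after_random_rounds(secret, 2, rng))
```

The comparison function shows that even grids the attacker does not engineer leak the pattern quickly; the engineered ones merely guarantee it in two rounds. The underlying problem is the same as with a static password: the server never contributes anything the attacker cannot replay, so the user cannot tell a fake challenge from a real one.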
I don't see any advantage at all from the customer's perspective. Merchants I can see liking it (assuming it were implemented in a way that didn't chase away customers), because it does protect them. But it doesn't protect me at all. The worst part is how it's presented, you just get this stupid page asking you for extra information unexpectedly, it really does look like a phishing attempt.
Since quite a few banks have introduced pin verification devices for logging on to online banking or for setting up standing orders online then why don't the banks use this as their third factor?
Seems a bit pointless for GrIDsure to be developing 3D Secure Plus when it essentially already exists?
I just click on "register later" and then ignore it.
It works at the moment, when it doesn't I'll lose the card...
No big deal
I've used MasterCard SecureCode for ages - never considered it to be a problem. In fact it adds a level of reassurance that a site is secure. The Personal Greeting should allay anyone's fears of being Phished:
'What is a Personal Greeting?
The Personal Greeting is a message that you create during sign-up. Each time you make an online purchase at a participating store/retailer, you will be prompted to enter your SecureCode. At this time, you'll see your Personal Greeting and other purchase details. The Personal Greeting is your assurance that you are communicating with your card issuer. If the Personal Greeting displayed in the pop-up box is incorrect, you should not enter your SecureCode, but should instead contact Customer Service immediately by calling the phone number on the back of your MasterCard card, to report a possible fraud.'
Verified by Visa involves the merchant sending the customer to the customer's bank's website (or someone the bank has contracted out VbyV handling to) where they are meant to authenticate themselves, after which they are returned to the merchant site.
While it seems common for banks to use simple passwords for this, they could use anything. It could be RSA SecurID tokens, one-time passwords sent to you via SMS or anything else. If the bank wants you to take on liability they should provide something less easy to fake (or less dangerous when it does get faked).
The problem is in the implementation
You can have 15-factor authentication, but as long as the auths are fixed, scammers -will- figure out a way to get and use them.
In Spain, my bank implements the method by sending me a random 6-digit number via SMS to my mobile phone, which I must have previously registered in person at my bank. It's very difficult to steal mobile phones over the internet, which makes the process fairly secure, and doesn't use a static password or code.
On the other hand, a MC card I have was only asked for the CCVC -again- as the verification method, which seems very stupid and pointless.
The problem lies in the strength of the third factor. Another bank for example uses a physical plastic card with a grid of 50 4-digit random numbers, and on the verification page, you are asked for one of the 50 codes at random. Unless the scammers find a way to steal plastic over the internet, it's a fairly secure approach too.
Rang all my phishing alarm bells
securesuite.co.uk rang all my phishing alarm bells when I encountered it trying to book a Brussels Airlines ticket in Dec 2007. I investigated, because I really wanted the ticket. Googling led me to this page, containing stories of disgruntled, confused people:
I decided it was probably genuine but didn’t want to risk it. Amazingly the airline has a phone number where I got the ticket at the same price(!), so I thought I'd ignore the problem.
At this time the 'whois' info was no longer "cyota, 8 west 38th street, new york", as it had been in late 2006, but was now something more suspicious: "cyota, 7 Shenkar Street, Herzelia, ny, 46733, IL". Wikipedia told me that Herzelia is a suburb of Tel Aviv.
Who was this company, cyota? How come an Israeli organization, bizarrely with "NY" in its address, was mediating between me and my bank?
Upon further investigation, Cyota, appears to have been an Israeli security firm, headed by one Amir Orad, and bought by RSA Security in 2005:
So a defunct company name is listed as the registrant. It was all very weird. I called my bank's helpline. They had never heard of cyota.
An hour or so later I needed an advance train ticket. First Great Western also use securesuite.co.uk - I also really needed that ticket so bit the bullet and gave my damn date of birth to the annoying “3D Secure” window. All totally against my anti-phishing self-training.
The next day I went into my bank to complain about the security problem. They'd never heard of Verified by Visa, SecureSuite, or Cyota of course.
As of October 2008 the whois info has changed yet again: "8200 Greensboro Drive, Suite 1100, NULL, Mclean VA, 22102, US". EasyJet, whose site I use a lot, now uses Verified by Visa, so I'm resigned to using the horrible system.
@ Daniel B RE Tokens
"However, MasterCard SecureCode and VbV don't use this, and it seems it can't, even if I already have my OTP token in that bank"
3DSecure is simply a framework so a customer can be sent to the bank during the transaction, and the result securely sent to the retailer.
What happens on the bank's servers, and how they come to decide if you passed or failed, is entirely up to them - they can use tokens, or little calculator-like devices, or whatever they like.
I don't often read the register but this seems a particularly poorly researched article with just the kind of biased negative view that proliferates through the online industry giving credence to the e-comm sites that refuse to implement. Clearly John Leyden doesn't know his 3D-Secure from his elbow making statements like, "Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme." as detailed in feedback below.
Other 'bloopers' include:
"These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank"
If in an iFrame, the user can't see the URL the content has come from, plus what is your bank's own logo if not a connection, not to mention the website's name and the PAM? I'm interested in the claim to be able to reproduce the PAM in a phishing site, but not surprised - no matter how secure the solution, e-commerce still requires the user to have some sense not to buy from a phishing site.
"Punters aren't informed up front that a merchant has signed up to Verified by Visa."
Yes they are. It is a requirement of 3D-Secure that the site displays logos prior to the checkout page.
"sites... routinely deliver a dialogue box using a pop-up window"
Pop-ups have been outlawed for years in VbyV implementations.
"it's hard to see how card details + CVV number + VbyV login is any more robust."
In the same light, if card and signature was no longer considered secure I suppose it is hard to see how card and PIN is any more secure? Illogical.
Why not use offline card readers
Since many bank customers now have off-line card readers which can be used to verify a user's identity or sign transactions, why are the banks that have issued such devices not using them? The codes they generate are "one time" and therefore less amenable to phishing or replay attacks (although not completely invulnerable).
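The "sign transactions" mode the post above asks for, worked through as a runnable model. This is an added example, not code from the thread or the real EMV CAP reader protocol: the code derivation (an HMAC over the bank's challenge plus the amount and payee, truncated to 8 digits), the `Bank` class and the card key are assumptions made for illustration. It shows the two properties the post relies on: a code is bound to one challenge, so a captured code cannot be replayed, and it is bound to the transaction details, so it cannot be redirected to a different amount.

```python
import hashlib
import hmac
import secrets

# Constructed example key; a real card keeps its key inside the chip.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def card_sign(card_key, challenge, amount_pence, merchant):
    """What the reader and chip compute in this model: an 8-digit code over the
    bank's challenge AND the transaction details, so the code is useless for a
    different challenge, amount or payee."""
    msg = f"{challenge}|{amount_pence}|{merchant}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Hypothetical issuer side: hands out single-use challenges tied to a
    transaction and checks the code the cardholder reads off the reader."""

    def __init__(self, card_key):
        self.card_key = card_key
        self.pending = {}                      # challenge -> (amount, merchant)

    def issue_challenge(self, amount_pence, merchant):
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[challenge] = (amount_pence, merchant)
        return challenge

    def verify(self, challenge, amount_pence, merchant, code):
        txn = self.pending.pop(challenge, None)   # consumed on first use, valid or not
        if txn != (amount_pence, merchant):
            return False                          # unknown, reused, or tampered transaction
        expected = card_sign(self.card_key, challenge, amount_pence, merchant)
        return hmac.compare_digest(expected, code)


def run_demo():
    bank = Bank(CARD_KEY)
    results = {}

    # Genuine purchase: bank issues a challenge, reader produces the code, bank accepts.
    ch = bank.issue_challenge(1999, "Bookshop")
    code = card_sign(CARD_KEY, ch, 1999, "Bookshop")
    results["genuine"] = bank.verify(ch, 1999, "Bookshop", code)

    # Replay: the same code presented again (challenge already consumed).
    results["replay"] = bank.verify(ch, 1999, "Bookshop", code)

    # A code phished from an earlier challenge, tried against a fresh one.
    ch2 = bank.issue_challenge(1999, "Bookshop")
    results["other_challenge"] = bank.verify(ch2, 1999, "Bookshop", code)

    # A code signed for GBP 19.99 submitted with the amount changed to GBP 1999.00.
    ch3 = bank.issue_challenge(1999, "Bookshop")
    code3 = card_sign(CARD_KEY, ch3, 1999, "Bookshop")
    results["tampered_amount"] = bank.verify(ch3, 199900, "Bookshop", code3)

    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The residual weakness the post hints at with "not completely invulnerable" is visible in the model too: a phisher who relays the bank's live challenge to the victim in real time, and gets the victim to sign the attacker's amount, obtains a code the bank will accept. The defence for that is the reader displaying the amount and payee so the user can refuse to sign the wrong ones, which this model assumes but cannot enforce.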
@ AC 13:22
"Perhaps research these topics before you right a 2 page article on them.
Just a thought."
"Write" is the correct word to use to describe the creation of such an article of media as the 2-page article to which you refer.
Perhaps research these topics before you write a snarky comment on them.
Just a thought;o)
It's annoying enough to make you cancel the order
I've found myself getting frustrated with it on occasion, enough to cancel the order altogether.
Not a conspiracy
There seems to be some confusion - Banks are not the same thing as Payment Agencies, the payment agencies, Visa and Mastercard are mandating that the banks use these systems. It is not an excuse to make customers responsible for fraud on their accounts. The advantage is that the payments are processed by the bank, without the online trader ever seeing your card details, you therefore have significantly better security of your card data.
The password thing will be tightened up as people get used to the idea of using the new system.
All banks will be using this type of system in the next year or so, otherwise they'll be ponying up a very large amount of cash to the payment agencies in the form of fines.
Anon, because it's my job.
I wrote to The Register in mid-April about a phishy transaction, but it didn't seem to be taken seriously:-
I did a transaction on a GX Communications website this evening (nee Pipex), and at the end of the transaction was directed to a page called "Barclays Secure" asking me for details about my account with Barclays. Everything looked like it could be Barclays; I checked that I was on a secure site and then entered the details requested. But the URL looked a bit unfamiliar: smartsuite.net. I did a Whois and up came some details about an Israeli company. So I rang Barclays and asked whether my details were in fact secure. They had heard of Barclays Secure, but not securesuite.com; "it doesn't sound right", said the Customer Services man who answered, "it should always say Barclays". Asked to speak to a supervisor: none available, they are all in a meeting. Helpful. So what am I supposed to do? Cancel all my cards? Change my date of birth? No, sir, your money is safe. Is it? Perhaps The Register might be better equipped at getting to the bottom of this one. A secondary question: if securesuite is something to do with Barclays, does the Data Protection Register entry for Barclays permit them to allow a third party in Israel to process UK transactions?
Could be worse
I was recently asked by an established online retailer to provide a scanned copy via email of either my driver's licence or my last bank statement. I refused as it's personal information, not a secure transfer, they couldn't tell me how it would be processed, and how were they going to verify they weren't fake anyway? They locked my account and cancelled my order. This was all because I wanted to ship to an address other than the billing address. My bank could see the transaction pending before it was cancelled by the retailer and said they had no problems with it whatsoever.
SecureCode and VbyV are annoying and not secure, but I would prefer that to being ID'd to buy a gift for someone.
Back about a year and a half or two ago I saw this on Newegg.com's website when I went to place an order. Immediately said hell no to doing this and giving the information, as all the bells and klaxons were going off. Closed the window and the order went through without a hitch. A little while later, same thing, same site, so for shits and giggles, since I was ditching the card after that order anyway, I decided to see what would happen, so I filled in the information. It kept failing, said I had reached my max attempts, so I closed the window and VOILA, order went through. Is it still this buggy or was I just an unlucky beta tester for it?
As for me
I've started sending cheques again
For some reason...
...I was seeing "Verified by Vista" throughout the article. But although I do have a different version of W*****s available, I use a different operating system on the web.
@Loss of Sales
I'm probably one of those whose sale you lost when the VbV / SecureCode page appears. I've read the T&Cs and it seems to me that the main purpose of VbV etc. is to shift liability from the credit card company to me. I wonder how many people, when they were about to make an important purchase and suddenly got hit by the 'register for VbV / SecureCode' screen, took the time to understand what they were signing up to?
I've told my card issuer I will not be signing up. I've put this in writing. Every time I get hit by the VbV screen (and not every site tells you that they have now implemented this) I have to bomb out, my card issuer gets an alert and suspends my card as a 'potentially fraudulent activity' has occurred. And here I could go on about my card issuer calling me up and asking me to confirm my security information. When I pointed out that they had called me and could be anyone they got very stroppy.
So I either don't use sites that have VbV, or phone the company to make the purchase.
I'm looking for my Palm where I keep all my passwords in an encrypted database.............
I got stung by this today!
This afternoon I got an e-mail from Natwest Secure (aka Mastercard SecureCode) telling me I had changed my password. I hadn't. So I rang them and cancelled my card. My card gets cancelled around twice a year. Last time this happened it took me a very long time to persuade them that the transaction made was fraudulent. Apparently since it had been authenticated by SecureCode it must have been me.
As far as I can tell the banks just do this to try to put the blame for fraud elsewhere. Banks don't have to pay for fraud. It's the credit card owners and the merchants. If they had to pay then they might have some incentive to make the system work!
The role of banks
The problem here appears to be the banks and what they consider secure.
Verified by Visa allows the banks to do their extended validation by any means the banks find feasible. For example in Finland, the banks let small transactions (i.e. 20-40 €) go through without any validation besides the card number and CCV. When you do some more expensive shopping you're presented with your netbank's authentication page - which is used in electronic authentication more generally as well - where you type in your user number and one-time password.
This is a far cry from what British banks do when they just tell you to pick yet another PIN code. This is true two-factor authentication: you need to both know your user name, card number and CCV and have your one-time password list (this isn't an electronic token - yet) to actually make any valuable transaction. The login pages of the banks do resolve to their proper domains and provide valid SSL certificates, and if your shop is kind enough to do a pop-up, newer browsers actually show this to you.
So it's actually the British banks who are to blame, not Verified by Visa.
why not email us after every credit card transaction?
One password or two, or ten, the responsibility and liability is never on the consumer here in Canada.
I'd like to see one-time passwords, but the inconvenience of tokens seems to be an insurmountable problem.
Maybe cell phones could be used to obtain the one-time passwords.
And why not email us after every credit card transaction?
It should be noted that two-way authentication _is_ available, at least with VbyV; you can setup a passphrase that VbyV must display to you, which proves (for a given value of 'prove') that the iframe or popup is actually being presented by VbyV rather than a phisher.
Better than nothing, certainly.
Verified by Visa
I bought an item from a UK Tier 1 reseller last week and paid by Visa card over the phone.
The salesperson then said "I need your Verified by Visa password in order to complete the transaction". (I buy through an account manager as I receive a discount off their on line prices.)
Having bought on a regular basis from this company for several years I gave the code to him, but am very worried about what happens next time I buy on line from a company I may not know.
3DSecure is good for the Merchant, and that makes things easier for the customer too.
Using 3DSecure brings with it a liability shift - so if fraudulent transactions are processed, then the Merchant no longer suffers through chargebacks. This can be expensive, especially where goods have already been shipped, etc. Without the threat of chargebacks then the merchant and customer can transact without the need for extra verification (such as sending ID documents etc), which are often required for larger purchases.
Unfortunately, the card-issuing banks need to tighten up on the card enrolment to ensure that customers are correctly identified before allowing enrolment.
As a merchant we have seen quite a bit of fraudulent use, even with 3DS-authenticated transactions. Typically we have seen a 'run' on a particular bank's cards - and it is apparent to us (if not to the banks involved) that fraudsters have been able to register large numbers of cards under SecureCode or V*V, either via phishing or just weak enrolment procedure.
Short of requiring every person to have a card reader on their PC (not a bad idea, IMHO) then 3DS is a workable solution.
My only gripe is that VISA and MasterCard still rank a merchant based on the level of fraud even if using 3DS and authenticated transactions - and can remove the liability shift or otherwise penalise the merchant if the level is high - despite this obviously being a failure in 3DS enrolment and beyond the merchant's control.
Re: Not a conspiracy
The 3DSecure system doesn't reduce the amount of information being sent to the merchant -- it just adds an extra step to the payment process.
After all, the merchant won't know which bank website to send you to until you've given the merchant your credit card number.