They don't have one of these pointless schemes, so you don't have to fret. Of course, you have to find online stores that *take* amex, but that's getting better these days.

Mine's the one with the card skimmer in the pocket

Is not hinting at 3 factor authentication but the 3 Domains that are involved in the transaction process. The Card Scheme, The Issuer and The Acquirer.

Perhaps research these topics before you right a 2 page article on them.

Just a thought.

3D-Secure sucks.

Our bank is applying a lot of pressure for us to implement it on our website, threatening large fines if it isn't implemented soon. From our perspective, it offers us no benefit and presents an obstacle to our users paying online (it's so poorly implemented it looks to the average punter like a phishing attack). Additionally, it offers little or no extra security and the service is completely unreliable.

We're holding out as best we can but with the pressure on the merchant to implement it on pain of fines is plain shitty.

The notion that VbV and Securecode are adding any real security is ludicrous. The popup window that appears asking for my confidential information could be coming from anyone - there's no way for me to verify it. And once the information is given out in the course of a purchase, I can't believe it's secure any more. I'm supposed to just trust that the information I entered while purchasing from Merchant X went only to credit card site Y? Give me a break!

The first time I encountered this 'system' was when I was purchasing a Bletchly Park T-Shirt from El Reg's own Cash 'n' Carrion.

I was very dubious about the pop up, and it meant an otherwise 5 minute purchase took closer to 30 minutes, as I checked and double checked URL's and owners of IP addresses etc.

ok, it doesn't avoid fraud really:

1. you steal a credit card

2. you buy online where they request 3d secure details

3. you sign up for 3d secure - normally having the card to hand is all you need

4. get free stuff

(this is scuppered if they have already signed up to 3d secure - but why would they? - to create more hassle while buying online?)

best way to take advantage of this is to setup an ecommerce website and all those nice stolen cards used as above will have payments that will have to be honoured, so you get the money :-)

And then there's the wonderfully secure signup procedure to set your password - gee, noone would know my mothers maiden name (the same as mine after the divorce!)

Organisations such as Visa who promote their security systems as near-infallible and then refuse to believe genuine claims from victims on the grounds that its 'impossible' to be broken gives us a glimpse of the future ID Card fallout.

Obviously UK.gov won't cough to any 'holes' in the system so when (not if) the cards are cloned/forged/stolen by terrorists/pirates/chavs and the victim goes to the Govt. to complain, they'll be told they can't have had their ID stolen as the cards are totally secure.

Cue people being sectioned in secure units for believing that the ID card system could be fallible when everyone knows that's impossible. A bit like Sarah Connor when she insisted that Arnie and his ilk were on their way.

Da-dum dum-dadum

Da-dum dum-dadum

Da da daa

da da da

Da da daa

da da daaaaaa daa

da da daa

etc.

... where I work and it wasn't easy.

To avoid the phishing attacks most banks allow you to add a phrase that is displayed every time the 3DSec box appears. I have set this up with all my cards as I opted in so I could test the system I was building.

Most banks ask for the whole password which a key logger would get. But if your OS is full of security holes that is hardly the banks fault. What is the banks fault is the moving of the liability from the CC company basically to you. It was explained to me that successful 3DSec makes it almost impossible for a person to claim fraud, the only defence being "that someone was holding a gun to my head"!

My cousin runs a airport transport service. He picked up a party of 15 who had pre-paid via CC. 6 months later the money was removed from his account as the CC owner claimed it had been used fraudulently. My cousin worked his nuts off to prove the guy had used the service. He is loving 3DSec, now he doesn't have to photograph every punter who uses his service as he requires 3DSec.

When we forced users to use 3DSec here our sales plummeted, so unless the bank says that payment can not be made unless the person goes through it - we don't do it. The amount we lost in legitimate sales was huge compared to the amount of fraudulent sales, which was and still is negligent.

For those that do not like Sec3D, can you please stop complaining and suggest an effective, secure alternative please?

Well written.

BTW, can't you just always tell the ideas that start in a board room, vs. the ones that come from engineers?

God I hate VbyV, its one of the most painful things ever. Whats more annoying is that the site sometimes doesn't seem to work with my install of Firefox (probably noScript) so I've lost out on tickets with ticketmaster (another REALLY poor site) and all sorts of internet payments.

Just give us all a secureID type dongle, or build something like it into the card. (maybe with an rfid in there that pushes out the code when it powers up, then you'd just need a cheep reader on the PC. How hard is that?!) Just anything than this damn mess we have now.

As a vendor, my issue is with the approx 25% fall through rate on almost entirely completed transactions once implementing 3D secure at the insistence of our gateway provider. This is because the whole 3D secure 'system' is not being marketed or publicised by the card issuers, so the first thing a punter hears about it is a scratty looking pop-up when he/she first stumbles upon a sales site using it.

It does look like phishing, it asks too many sensitive questions like d.o.b. and maiden name.

The card issuers should make the registration to the 3D secure scheme the responsibility of the banks, not us sucker vendors who have to suffer lost sales while 'promoting' the benefits of the scheme as best we can.

I'm sick of it and wish there was a way we could de-implement 3D secure, but Protx will not allow us to process Maestro cards unless we use 3D secure.

First, I wondered where was the high-tech hologram security when I first heard about "3DSecure". Because that's what it sounds like to the common punter, doesn't it?

Secondly, my own country (Mexico) has mandated those OTP tokens for e-banking since March 2007. However, MasterCard SecureCode and VbV don't use this, and it seems it can't, even if I already have my OTP token in that bank!

So basically, it is *less* secure for me to use VbV/MC SecureCode than to do stuff on my online banking site because of this. And I had to sign up for these schemes anyway, as my telco's gone "mandatory" on these schemes. Oh, and the card from the one bank that hasn't deployed SecureCode is being declined on 3DSec-enabled sites as well.

Maybe i missed something (im an engineer not a programmer), but the GridSoft scheme that was detailed didnt sound much more secure against a good phishing site then the current VbV setup.

A box with randomly generated numbers but which you choose the box beforehand. Piece of piss to phish, someone goes to purchase something, you pull up a pre-made screen with the box and your own non-randomly generated numbers the person types in the number and boom you have which boxes they used. If the numbers are only 1-9, then you need to create an error screen and on the second go a new set of random numbers gives you the exact order of the boxes. Follow this by another error screen, switch to the real site, the person enters their details, makes their purchase none the wiser and you now have their details.

How is that anymore secure then VbV?

Both systems are shite, and just a way for the banks and visa/mastercard to offload there liability back to us...

I don't see any advantage at all from the customer's perspective. Merchants I can see liking it (assuming it were implemented in a way that didn't chase away customers), because it does protect them. But it doesn't protect me at all. The worst part is how it's presented, you just get this stupid page asking you for extra information unexpectedly, it really does look like a phishing attempt.

I've used MasterCard SecureCode for ages - never considered it to be a problem. In fact it adds a level of reassurance that a site is secure. The Personal Greeting should allay anyone's fears of being Phished:

'What is a Personal Greeting?

The Personal Greeting is a message that you create during sign-up. Each time you make an online purchase at a participating store/retailer, you will be prompted to enter your SecureCode. At this time, you'll see your Personal Greeting and other purchase details. The Personal Greeting is your assurance that you are communicating with your card issuer. If the Personal Greeting displayed in the pop-up box is incorrect, you should not enter your SecureCode, but should instead contact Customer Service immediately by calling the phone number on the back of your MasterCard card, to report a possible fraud.'

http://www.mastercard.com/uk/personal/en/cardholderservices/securecode/faqs.html

Verified by Visa involves the merchant sending the customer to the customer's bank's website (or someone the bank has contracted out VbyV handling to) where they are meant to authenticate themselves, after which they are returned to the merchant site.

While it seems common for banks to use simple passwords for this, they could use anything. It could be RSA secureid tokens, one time passwords sent to you via SMS or anything else. If the bank wants you to take on liability they should provide something less easy to fake (or less dangerous when it does get faked).

You can have 15-factor authentication, but as long as the auths are fixed, scammers -will- figure out a way to get and use them.

In Spain, my bank implements the method by sending me a random 6-digit number via SMS to my mobile phone, which I must have previously registered in person at my bank. It's very difficult to steal mobile phones over the internet, which makes the process fairly secure, and doesn't use a static password or code.

On the other hand, a MC card I have was only asked for the CCVC -again- as the verification method, which seems very stupid and pointless.

The problem lies in the strength of the third factor. Another bank for example uses a physical plastic card with a grid of 50 4-digit random numbers, and on the verification page, you are asked for one of the 50 codes at random. Unless the scammers find a way to steal plastic over the internet, it's a fairly secure approach too.

I don't often read the register but this seems a particularly poorly researched article with just the kind of biased negative view that proliferates through the online industry giving credence to the e-comm sites that refuse to implement. Clearly John Leyden doesn't know his 3D-Secure from his elbow making statements like, "Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme." as detailed in feedback below.

Other 'bloopers' include:

"These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank"

If in an iFrame, the user can't see the URL the content has come from plus what is your banks own logo if not a connection, not to mention the website's name and the PAM? I'm interested in the claim to be able to reproduce the PAM in a phishing site, but not surprised- no matter how secure the solution, e-commerce still requires the user to have some sense not to buy from a phishing site.

"Punters aren't informed up front that a merchant has signed up to Verified by Visa."

Yes they are. It is a requirement of 3D-Secure that the site displays logos prior to the checkout page.

"sites... routinely deliver a dialogue box using a pop-up window"

Pop-ups have been outlawed for years in VbyV implementations.

"it's hard to see how card details + CVV number + VbyV login is any more robust."

In the same light, if card and signature was no longer considered secure I suppose it is hard to see how card and PIN is any more secure? Illogical.

"Perhaps research these topics before you right a 2 page article on them.

Just a thought."

...

"Write" is the correct word to use to describe the creation of such an article of media as the 2-page article to which you refer.

Perhaps research these topics before you write a snarky comment on them.

Just a thought;o)

I was recently asked by an established online retailer to provide a scanned copy via email of either my drivers license or my last bank statement. I refused as its personal information, not a secure transfer, they couldn't tell me how it would be processed and how were they going to verify they wern't fake anyway? They locked my account and canceled my order. This was all because I wanted to ship to another address other than the billing address. My bank could see the transaction pending before it was canceled by the retailer and said they had no problems with it whatsoever.

SecureCode and VbyV are annoying and not secure, but I would prefer that to being ID'd to buy a gift for someone.

Back about a year and a half or two ago I saw this on Newegg.coms website when I went to place an order. Immediately said hell no to doing this and giving the information as all the bells and klaxons were going off. Closed the window and the order went through without a hitch. A little while later same thing same site so for shits and giggles, since I was ditching the card after that order anyway, I decided to see what would happen so I filled in the information. It kept failing said I had reached my max attempts so I closed the window and VIOLA order went through. Is it still this buggy or was I just an unlucky beta tester for it?

...I was seeing "Verified by Vista" throughout the article. But although I do have a different version of W*****s available, I use a different operating system on the web.

I'm probably one of those whose sale you lost when the VbV / SecureCode page appears. I've read the T&Cs and is seems to me that the main purpose of VbV etc is to shift liability from the credit card company to me. I wonder how many people, when they were about to make an important purchase and suddenly got hit by the 'register for VbV / SecureCode' screen, took the time to understand what they were signing up to?

I've told my card issuer I will not be signing up. I've put this in writing. Every time I get hit by the VbV screen (and not every site tells you that they have now implemented this) I have to bomb out, my card issuer gets an alert and suspends my card as a 'potentially fraudulent activity' has occurred. And here I could go on about my card issuer calling me up and asking me to confirm my security information. When I pointed out that they had called me and could be anyone they got very stroppy.

So I either don't use sites that have VbV, or phone the company to make the purchase.

I'm looking for my Palm where I keep all my passwords in an encrypted database.............

This afternoon I got an e-mail from Natwest Secure (aka Mastercard SecureCode) telling me I had changed my password. I hadn't. So I rang them and cancelled my card. My card gets cancelled around twice a year. Last time this happened it took me a very long time to persuade them that the transaction made was fraudulent. Apparently since it had been authenticated by SecureCode it must have been me.

As far as I can tell the banks just do this to try to put the blame for fraud elsewhere. Banks don't have to pay for fraud. It's the credit card owners and the merchants. If they had to pay then they might have some incentive to make the system work!

The problem here appears to be the banks and what they consider secure.

Verified by Visa allows the banks to do their extended validation by any means the banks find feasible. For example in Finland, the banks let small transactions (i.e. 20-40 €) go through without any validation besides the card number and ccv. When you do some more expensive shopping you're presented with your netbanks authentication page - which is used in electronic authentication also in more general - where you type in your user number and one-time password.

This is a far cry from what British banks do when they just tell you to pick yet another pin code. This is true two-factor authentication: you need to both know your user name, card number, ccv and have your one-time password list (this isn't an electronic token - yet) to actually make any valuable transaction. The login pages of the banks do resolve to their proper domains and provide valid ssl certificates and if your shop is kind enough to do a pop-up newer browser actually show this to you.

So it's actually the British banks who are to blame, not Verified by Visa.

One password or two, or ten, the responsibility and liability is never on the consumer here in Canada.

I'd like to see one-time passwords, but the inconvenience of tokens seems to be an insurmountable problem.

Maybe cell phones could be used to obtain the one-time passwords.

And why not email us after every credit card transaction?