Net shoppers bullied into being Verified by Visa

The Verified by Visa system may be marketed as an optional opt-in system for internet shoppers, but some banks are forcing users to enrol after only three attempts to avoid it. The unpleasant experiences of Verified by Visa refusenik and Reg reader Steve are likely to be faced by other cardholders, according to Andrew Goodwill …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Why the resistance?

    What's supposed to happen is that a merchant can only get the 3DSecure liability shift if they're not on the Visa/Mastercard "chargeback monitoring" list. This means they're less of a "risk" as far as the card issuers are concerned and as such get a lower "cost-per-transaction" rate.

    The merchants are happy because they get lower card processing fees and liability shifts to the card issuing bank for fraudulent transactions (although not for "goods not received" chargebacks).

    The acquiring (merchant) banks get a reduction in certain transaction rates and the issuing banks, well, they're bound by the industry code they're in - but I guess they're hoping for improved "trust" in online shopping and therefore an increase in online transactions.

    3DSecure is an improvement - but it's not ideal... better would involve a physical card reader (generating some sort of per-transaction hash value) combined with online login and punters would never enter [full] card details on any website ever again.

    It's an attempt at nice fluffy web of trust as it stands... however the only drawback is how that trust can be broken.

    The preferred method of embedding the 3DSecure login in an iFrame means that the user can't see where that login page actually comes from. If I wanted to set up a scam website I could just as easily set up a scam 3DSecure login page and capture those details as well.

    Alternatively, if it IS possible to poison the DNS system (as has been recently highlighted) a sophisticated attack _might_ be able to inject its own fake 3DS login page into that iFrame and capture the details (highly unlikely though, there are easier ways).

    Once the bad guys have got your 3DSecure login the whole "trust" thing starts to crumble.

    ----

    As an aside - I'm not quite sure how this will affect reliability... data gets bounced around a lot. Card details go from the merchant to the payment gateway and then a load of transaction IDs and hash values are thrown around in a big loop. Something like:

    merchant -> payment gateway -> merchant -> 3DS bank page -> merchant -> payment gateway -> merchant.

    If simplicity is the key to robustness I can see this falling over occasionally; you've introduced a third point of failure into the system. Without 3DS it's a much more pleasant:

    merchant -> payment gateway -> merchant.

    --

    posted AC as I'm in the middle of implementing it

  2. Clive Page

    Prevents international use

    One of the worst side-effects is that Verified by Visa makes international use of credit cards much harder. A relative of mine in the US tried to buy a train ticket in Peru - the company handling this turned out to be based in the UK, and required Verified by Visa. His US Visa card would not work. In the end we bought him the ticket, and he paid us back.

    A little later I tried to buy an airline ticket from a US website, but they would only accept credit cards from the US, Canada, Australia, and the Philippines. Apparently our cards are so much less secure than from these other countries. Once upon a time a Visa or Mastercard would work almost anywhere - but the system is breaking apart rapidly.

  3. Anonymous Coward
    Thumb Down

    Re: A Merchant's View

    I concur. We were basically told by RBOS we had to implement SecureCode for Maestro cards by last June or we couldn't support the card type (or rather, there would be financial penalties if we didn't). Having been through two implementations with two different payment gateways now, I think it's a complete pile of shit, and easily spoofed. We've actually only implemented it on Maestro and are putting off other cards until we absolutely have to because so many people don't like, understand or trust it (despite us implementing a LOT of handholding), and it's hurt sales conversion on debit cards quite badly. Interestingly, the daddy of E-Commerce sites isn't supporting 3DS/VbV at all; and they don't worry overmuch about CVV either...

  4. Anonymous Coward
    Stop

    The problem

    is that there's no way you can tell whether the initial sign-up page is genuine.

    All you see is a crappy-looking (unexpected) pop-up box asking for credit card details that you already entered.

    It's almost as if they are /trying/ to make it look like a phishing attempt!

  5. Andrew
    Unhappy

    Frown

    Compulsory with Smile - they didn't just offer me the chance to sign up, they actually signed up for me and used my answer to one of their existing security questions as the password. So now to every little site I buy anything from, I have to type in an important detail they could later use to impersonate me at my bank.

    Yeah, great way to increase security.

  6. BeachBoy
    Unhappy

    Retailers don't implement it properly

    I have no problem with Verified by Visa or any other such scheme, however I do have a problem with the script kiddies that attempt to implement it on retailers' websites and don't do it properly (in my experience over 50% of the time).

    I'm lucky enough to be an Expat living in the sunshine, with a locally issued visa card. Sometimes I want to order stuff from the UK and that's where the problems start. The ordering process goes fine, the VbV goes fine and is passed, but then the site comes back with a declined message. The upshot of which is the value of the now declined transaction is held as pending on my card (because Visa passed the transaction).

    Having spoken to support on a couple of sites, it's because though VbV comes back as ok things like the postcode/address don't because some foreign banks don't verify on things like postcode (which is part of a non VbV transaction). If you're going to accept VbV on a site do so, and do it properly.

  7. Sean Ellis
    Go

    @AC 13:21

    "It's almost as if they are /trying/ to make it look like a phishing attempt!"

    Indeed. When I've had to use it, Mastercard's system triggers a XSS alert in Firefox3 with NoScript installed, which you then have to override manually.

    Oh, and my wife chose the secure ID password, so I can never remember the damn thing. But she did a pretty good job of choosing a secure one. I have taught her well.

    However, more security = better if it's done well enough, hence the GO icon.

  8. Steve Sutton

    There is another way

    My bank also made this mandatory - i.e. when I tried to pay with my card, there was no "no thanks" button. This combined with the fact that they won't give me full access to my on-line banking (i.e. making money transfers) without a card reader led me to discover that their slogan was indeed correct (although between them, my new bank, and my credit card company, they have screwed up at least one of my direct debits during the transfer to my new bank).

  9. Andy Taylor
    Unhappy

    I'm with Smile too

    Looking at their page on VbV, it seems that they have decided to automatically sign every customer up, but rather than have us all remember a new password, they have cleverly decided to use the "memorable name" from the existing security.

    Now this is great, I don't have to remember anything new, BUT given that most people will use their mother's maiden name as the memorable name, it is hardly worth bothering with, besides, using the same password for multiple things is bad practice.

    From the Smile website:

    "How to Cancel"

    Q: I don’t want to use Verified by Visa (VbV) how do I deactivate my account(s)?

    A: VbV protects your account(s) from unauthorised use. If a VbV password is registered by the Bank/smile, your card cannot be used at VbV subscribed merchants unless the password is entered for extra security. If a VbV password is not registered your card may still be used for online transactions. Therefore to protect our customers The Co-operative Bank/smile aim to register all of our card accounts for VbV.

    Q: I cannot use Verified by Visa, what alternatives are there for me?

    A: Simply contact customer services on the usual telephone number or e-mail address and we will be able to discuss alternatives with you."

  10. Anonymous Coward

    Why not use the card reader?

    I mean, if 3DSecure really is all about security, then surely this is the most secure way of doing it?

  11. Johan-Kristian Wold
    Go

    Other methods

    Norwegian banks have a common BankID scheme that's used for Verified by Visa.

    The confirmation page runs a Java applet that first requires you to enter your personal ID no. (Norwegian equivalent of social security no.), and then prompts you for a 6-digit code from an electronic code generator and a personal password.

    You use the same method to log on to your net bank, and it requires another verification whenever you try to either pay something via the net bank or transfer money out of your account.

    With this scheme, for a transaction to be completed, you need:

    a) Your visa number.

    b) Your verification code.

    c) Your ID number.

    d) A one-time code that can only be had if you physically possess the key generator.

    e) Your personal password.

    It works pretty well, and even works on a mac...

  12. Anonymous Coward
    Boffin

    Verified by Visa & Mastercard Securecode

    Are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.

  13. Anonymous Coward

    I spent ages avoiding this

    Every time I canceled the transaction, MBNA blocked my card and then some drone would phone me and ask me to give identification. I explain that when someone calls me out of the blue I have no idea who they are, and if they ask for personal information, MBNA recommends that I don't give it. The last time they said that I was just being silly and the information was of no use to anyone. I explained that they themselves needed this information to allow someone access to my account so it most definitely was of use to someone.

    Also, as I recall, the Ts and Cs used to say

    "You understand that you are financially responsible for all purchases made using 3D Secure" (which I complained about each time I had to unlock my account) but now says

    "You understand that you are financially responsible for all purchases made by you using 3D Secure"

    I'm seeing more and more this "if it's complicated it's secure" mentality.

  14. Steve Renouf
    Thumb Up

    Physical possession of the card does not mean ownership

    "The CCV (or CVV ?) code on the back of the card is to stop credit card fraud."

    Yes it was but, of course they soon discovered the fatal flaw in that - if someone has stolen your card, they can simply read the number off the back!! DUH!

    No system will completely stop fraud but at least this reduces it considerably by the user having to know some security information which is not obtainable by purely having possession of the card.

    The system is now mandatory for e-tailers (at least those on Streamline).

  15. Chris

    This isn't news...

    ...it's HISTORY!

    It's been going on for over a year now.

  16. Stevie
    Thumb Down

    Enrolled Vendor Alert

    Air Canada.

    Wife used my credit card to book flights. Air Canada insisted on an enrollment, which I assumed was some sort of Air Canada thing and, it being late at night and us needing to "get a life" back I said "Ok, use password blahblahblah, I'll remember it next time we use Air Canada, which will be in several years time". Next day I realised I would be stuck with this credential wherever I shop.

    Thank you Visa. If you wanted me to enroll in this thing I would have done so willingly since it absolves me of one more liability. All you had to do was *write* to me and explain the reason and method. This "web ambush ploy" device is only ever going to cause the sort of hostility that the commenters so readily report.

    You'd think that a company that had done business before teh interwebz would be unsusceptible to the terse rudeness that has supplanted Olde Worlde Biz Polite in the brave new world.

    Oh well.

  17. Anonymous Coward
    Paris Hilton

    It has been mentioned a few times in this thread, but...

    ... it needs stating explicitly:

    IF THEY RING YOU, DON'T RESPOND TO THE "I'LL JUST TAKE YOU THROUGH SECURITY" QUESTIONS!!

    It's very simple... the questions are intended to check that anyone ringing the bank/card company knows things that should be known to the real cardholder... i.e. "verification" of the caller.

    So, if THEY ring YOU, you should ask THEM for information that they should have on file, so that YOU can verify THEM as a legitimate caller.

    It's very small-minded, and I should be ashamed of myself, but I just love it when this happens... they ring me up, and I ask them for verification. Of course, they usually reach "Data Protection Act" within the first 5 seconds, after which the time taken (for them to give up completely) varies from under a minute (bright employee who understands the logic of what I'm saying) to - in one case - 20 minutes of arguing, which was nice, because they had rung me on my 07092 personal number (50p per minute)... payback for all of those stupid 0870 numbers that they love to use...

    Paris, as she is expensive and charges by the minute as well...

  18. Anonymous Coward
    Flame

    it's not about security

    It's all about making sure it's really YOU that they're profiling so they can sell good data to every other bloody data-gatherer on the planet.

  19. Doug Glass
    Go

    So? What's your point?

    What in the world did we do before plastic? He who doesn't want to use the system, their system btw, can choose, well ... not to use their system. It is their ballgame after all and they set the rules.

    Maybe we all need to do ourselves a favor and just cut up all our cards and revert to personal responsibility. I know, not the real world, but my two cards will go when they get to be a problem.

    Oh frelling well.

  20. This post has been deleted by its author

  21. Anonymous Coward
    Paris Hilton

    One word.....Whiners!

    VbV and MS SC are in place to protect the Consumer (yes you idjits), the merchant and the bank. Believe it or not, your bank is not the bad guy in this.

    The card schemes developed 3D Secure in association with the company I work with. Well, actually Visa did. It is secure, it does work. We even have technology in place to beat ECI 5, 6 and 7 type fraud. This is too expensive for the banks mostly as they don't like to spend money making their customers' money secure.......

    3D secure is most effective when used in conjunction with CAP/DPA or other OTP solutions similar to the system in Norway or with a risk assessment engine to determine the legitimacy of the transaction.

    Stop whinging. You'll be pissed when you order 26 plasma TV's and pay for shipping to Estonia whilst you were asleep and end up wishing you'd enrolled.

    Paris, as even she knows it ain't that bad.........

  22. pctechxp

    My bank do this

    Smile.co.uk (internet banking division of Co-op bank) have made VbV mandatory on my debit and credit card as have the issuers on several mastercards I had.

    While I do think Steve should get out more, 'tis true that the system is open to exploitation and something better has to be found (one time password generation etc)

    However, if you are a business owner, surely you'd want to reduce your exposure to fraud and resulting chargebacks so I'm sure you'd be opting yourself in Steve.

    In the meantime Steve, you could always apply for an American Express card as they don't at present have an equivalent system but are red hot on fraud monitoring which is no bad thing (had several calls asking me to verify transactions)

  23. obed

    It's your money.

    You decide how secure you want to be with it.

    As for the extra security no one wants to deal with....well guess what? Deal with it! It's not the bank's fault.

    Banks have to place these new features to comply with new US FEDERAL regulations. They are not going anywhere. It sucks you have to deal with the issues and banks try to make it painless but there is always pain with anything new.

  24. Steve Sutton
    Thumb Up

    @Steve Renouf

    "Yes it was but, of course they soon discovered the fatal flaw in that - if someone has stolen your card, they can simply read the number off the back!! DUH!"

    So, some sort of Personal Identification Number number is in order then?

    Srsly though, you could make a webserver secure, by not connecting it to the internet, you could prevent people dying in car crashes by banning all cars, and you could prevent credit card fraud, by not issuing credit cards.

    At the end of the day, if you prevent people from using such things, or make them inconvenient to use, you defeat the object of having them. You have to draw the line somewhere, and IMHO, this sort of thing is a step too far.

    At the end of the day, there will always be the kind of scum about who think it's okay for them to take other people's property, and they're really to blame. Whilst what they do is not acceptable, we have to accept that those people exist. As much as it is important to make it difficult or impossible for them to commit their crimes, it is as important to catch the bastards and lock them up (I know, I know, it's not an ideal world and we all have to lock our doors, but like I said above, you have to draw the line somewhere)

  25. Darren B

    @chip and pin NOT mandatory

    Someone tell M&S Money that, they rejected a credit card payment in Wagamama's due to lack of C'n'P machines. When they called later to check on the use of the card they confirmed that they reject all payments made through non-C'n'P payment machines in case of fraud.

  26. Anthony
    Thumb Down

    No additional security with Barclays VbV

    Barclays Verified by Visa allows anyone who has the credit card in their hands to set a new password for VbV with just the card details and the card owner's date of birth. Since the latter is trivial to discover for most people, this adds almost no additional security to the process.

    http://fonant.blogspot.com/2008/06/verified-by-visa-barclays-style-zero.html

    And, of course, the whole secure-page-in-an-iframe thing makes it pretty difficult to check that the form you're typing your card details into is legitimate.

  27. Anonymous Coward

    Challenge-Response / Card Reader thingies

    That must be the answer.

    Yes I know some people find them cumbersome, but unlike the VbV / SecureCode jokes, they can in principle be made genuinely secure.

    Does any bank use these for normal online card transactions (as opposed to home banking)? If so I'd like to change to that bank.

  28. RoboPope
    Unhappy

    menace

    From a trader's perspective it's a nightmare, it costs us sales and the iframe setup is fraught with potential security issues.

    We are fighting it but it is definitely not optional

  29. JT2008
    Paris Hilton

    Re: CVV

    "Yes it was but, of course they soon discovered the fatal flaw in that - if someone has stolen your card, they can simply read the number off the back!! DUH!"

    Worse still ...the kid at Kinko's with the large photocopier in the back can copy both sides of the card ...instead of just the front.

    Look ma ...I have a credit card!

    Paris, because she likes it kinkos ...or kink-ish ...whatever.

  30. Jeff Deacon
    Black Helicopters

    Obviously on an IT site ...

    Obviously on an IT site, most of the issues raised have been about the various IT (in)security issues. But the WHY behind it has not had too much of an airing. Given the similarity with Chip & Pin, it is quite clear that the banks are, yet again, absolving themselves of any liability. When signatures were used for verification, then the person who accepted the fraudulent signature was liable for the loss, as set out by law (in the UK anyway). Now that PIN is the verification, that law no longer applies, and the cardholder is completely at the mercy of the issuing bank. How on earth can you PROVE that you have not inadvertently let slip your PIN? To the kangaroo court that is the bank's security department. Bank fraud is not a police issue any more.

    This trick is so similar to Chip & Spin that it is unbelievable! How can those who were automatically signed up by the Co-op/smile prove that they did not tell anyone else their mother's maiden name? It just takes a couple of enquiries to Somerset House to find that out! As Ross Anderson's crew at Cambridge keep pointing out:- Until the banks are financially responsible for the consequences of their poor security, there will continue to be poor bank security. Just for background reading try:

    http://www.chipandspin.co.uk/

    http://www.lightbluetouchpaper.org/2008/08/05/card-wars-the-phantom-menace/

    http://www.phantomwithdrawals.com/

    Of course the banks are doing their best to eliminate cheques. For the person who enquired above about arrangements before plastic, we used cheques and cash. So cash will have a resurgence for a while. How long before it is forbidden and then TIA/Matrix will have all the transaction information in the Government's hands?

  31. Claire Rand

    iframe? anti-phish?

    so on my machine, which has iframes blocked, and most javascript blocked, and popups blocked... and isn't running MSIE, and isn't a windows machine this works how?

    btw, I assume this sort of stuff *fully* complies with the disability discrimination act as applied to websites. e.g. works with screen readers etc?

    had this with the only attempt I made to use a crapital one card on line, had never heard of it so naturally closed the window, and decided to phone the bank to report the phishing, not that I figured they'd care much (they didn't the fraud people won't talk to customers.. wtf?) they told me this was for *my* benefit, I did ask if they thought it would have been a good idea to ooohhh you know *tell me about this* that drew a blank.

    not used that card on line since, I just phone the retailer and do the transaction by phone. more of a pain, but it generally works.

    retailers that I can't contact are getting zip from me anyway.

    told crapital one to disable my card and account from being used online, apparently that's "not possible", so much for consumer protection.

    plus the last phishing attempt I saw looked vastly more professional than these amateur efforts. least they make the effort.

  32. blackworx

    It just needs one single change

    I had a shitty time setting myself up with VbyV, including going through about a dozen registrations because I kept forgetting my password, via the already-mentioned, woefully inadequate method of confirming my DoB. But now that I'm using it regularly I can remember my fairly strong password.

    All the system needs is the ability to lock down your password and prevent further resets without manual verification of your identity (by visiting your branch in person) and then ideally a follow-up phone call and letter to confirm everything and notify you that your VbyV registration will be reactivated in x days, giving you a fighting chance should someone somehow game the system.

    I have no problem with retards who write down their passwords getting their accounts emptied, but if the banks are going to pass responsibility for fraudulent net transactions on to their customers, they should at least be providing proper security first. Those bastards.

  33. LaeMi Qian
    Black Helicopters

    opt out with scissors

    snip snip.

    Do it in front of the bank manager for best effect.

    With a local news crew filming for bonus points.

  34. Salary cap..... humbug!

    Why not use pin sentry..........

    For accessing on-line banking facilities Barclays issue account holders with a hand held device like a small calculator that you put your chip & pin card into and then type your pin into it. It will then give you a one time use only, 8-digit pin number to access your account with - a bit like the RSA card type of login for corporate networks. I'm sure something like this could be easily adapted to on-line visa purchases.

  35. Anonymous Coward

    "I hope that solved your query"

    I love this one.. and variations of it. My usual answer, if the outcome is not satisfactory, is "uh, no."

    Followed by insisting, "we can't help you now; but we sure will do so at some hither-to-unknown time in the future", or something similar I dunno it all sounds the same after awhile.

    My own bank had the gall to say "we were the first to offer the service several years ago" when I complained about the approvals process. Yeah, and you haven't done any improvements since I guess..

  36. Anonymous Coward
    Thumb Down

    I've set my Securecard code up

    24 times now. Twenty four separate times.

    Every single time it's failed. Every single time it says "okay" and then next time I try to use my card the password doesn't work and I have to ring up and reset it.

    Every. Single. Time.

    It's a fucking shambles.

  37. John F***ing Stepp

    Being a confirmed follower of Ned Ludd. . .

    I do not have a credit card.

    And if you don't have a real physical address, then you don't really exist do you?

    So, okay then what pig in the poke are we buying again?

  38. Daniel B.

    Re: Challenge-Response / Card Reader thingies

    All Mexican banks are required, by law, to use OTP's since March 2007. However, it seems the banks failed to extend this scheme to the Securecode / VbV apps.

    And the whole scheme seems to be discriminating against banks that *haven't* jumped in: one of my MasterCard CC is always declined in 3DSecure-enabled merchant sites. Oh well...

  39. Scott
    Thumb Down

    Glad I'm not the only one who doesn't like it.....

    I first ran into this "SecureCode" at two computer websites I buy from. At first I would just click or close the window and still buy my stuff, now it's mandatory and worse it's showing up everywhere.

    I couldn't enter a code I'd never signed up for, and when I asked my bank what was going on, it was the little scrolling marquee at the bottom of the website that was supposed to tell me about it. No e-mail, no letter, that's it.

    So I sign up for this "SecureCode," which apparently is easy enough to do and to change, which makes me question the whole point to it. If someone steals my identity or swipes my card number, it's easier to change the SecureCode than to know the three letter CID number, as the CID requires actually having the card in hand.

    So to buy online now I need a minimum of my card number, expiration date, CID number, and now this SecureCode. If they're real uptight I'll need my phone number and address, and if they're real snots or governmental my mother's maiden name and the last four digits of my social security number.

    Anyone remember the good old days of cash?

  40. Anonymous Coward

    I Guess I am Lucky...

    I have 3 separate Visa credit cards and only one is registered for online purchases/transactions via Verified by VISA (VbV). I never ran into any problems with VbV. I did make my VbV password extremely strong and it takes time to look it up in order to enter it, but I have not encountered any problems.

  41. Foo Bar

    And some banks enrol without making it available to all their customers

    ANZ bank enrolled, except they did it only for their Australian customers, not their New Zealand customers. But Visa doesn't know that, so whenever I (as a kiwi customer) try to make a purchase, I get a 'Verified by..." dialog that I cannot fill out, because as one of their kiwi customers I cannot sign up for it.

    It's completely screwed up and annoying. I wrote about this madness here ( http://www.geekzone.co.nz/foobar/5256 ) and here ( http://www.geekzone.co.nz/foobar/5294 )

  42. Anonymous Coward

    VbyV is c**p

    VbyV is a load of b**cks. It prompts you for the same information you just entered on the ordering page of the website! Ah, it does ask you for your date of birth and VbV have the wrong DoB set for me and I've been refused permission to make the purchase! I rang up VbyV and we clarified this, but alas, the DoB didn't get changed.

    I've given up with the muppets. So whenever I make a purchase and I have to use VbV I have to remember to enter the wrong date.

  43. Anonymous Coward

    RSA Secure Remote

    Some people are applauding the introduction of these schemes as an effective way to prevent fraud.

    If you want to really prevent fraud, give the customer a RSA SecureRemote Key Fob token, where the integer on the display changes every 1 minute.

    I'd happily pay an extra £10 or even £20 to prevent fraud on my account.

    This will be a far more effective way to increase security. It will probably virtually wipe out credit card fraud overnight if the CC card companies introduced it. But they won't.

  44. Dan White

    @Ross Ryles

    S'funny, my Barclays "pocket Crypto Calculator" seems to always start with a four. I suspect there are different flavours of crypto function going on in different batches of devices.

  45. Anonymous Coward
    Flame

    Re: One word.....Whiners!

    Yes, we are whining about it. And do you know why? Because it is an exceedingly crap way of preventing fraud, and a highly irritating system to use. The fraudsters know that 3D Secure verified transactions sail through fraud profiling, and make use of that by also collecting the details required to reset the password.

    The Cyota implementation is absolutely appalling, the emails it generates look exactly like phishing emails (even down to the masked URL). The registration details for securesuite.co.uk look very dodgy. I could continue, but you get the gist.

    Given that you work for a company who designed the system, you can hardly be objective about it.

    And no, I wouldn't be that pissed off about 26 TVs being ordered on my card, because I don't bear the cost of that fraud, the merchant does!

  46. Wayland Sothcott

    Carrot and Stick

    Notice how the carrot is that the merchant is less liable for loss since that's accepted by the bank if you use this. So it's the merchants who push this on the buyers, very smart. The stick is that buyers will have their card blocked if they refuse. At the same time it does not really cut down on fraud, just introduces a new weakness. This can mean that there are a lot of calls to have cards unblocked and new passwords issued. And the phishing site mimic of the verification screen.

  47. Anonymous Coward

    ID details

    In my office, we have to input the numerics from the postcode where statements for the card go, and the numerics from the address, as well as the usual card number, cvv and expiry date, for any cardholder-not-present transactions. This is supposed to help with (combatting) fraud (someone can have all the details, but is presumed not to know where the card "lives").

  48. Anonymous Coward

    VBV

    the thing I don't understand is how easy it is to make a new password, anyone with your DOB and card could easily just do it themselves anyway, I have made a new password about 10 times as I can never remember it,

    to be honest, given that it's so easy to do it, this 'steve' isn't proving anything to anyone by not just enrolling, he's just caused himself a load of hassle by making himself look dodgy (as is the point of the system, I'm actually somewhat encouraged that this thing seemingly would do something if someone had actually acquired /some/ of my details) and not bought a load of things he would've liked to, well done!

  49. Anonymous Coward
    Thumb Down

    It's taken a while...

    ...but good to see El Reg finally covering this. About a year ago I got plssed off with being forced to partake of the 'optional' Verified by Visa plan. I very nearly left my bank as a result, but then just used a different card for all online purchases. Now I'm being told that I have to use Mastercard's 'SecureCode' for that card.

    I tried to explain to the bank that I'm not a technophobe; I know what precautions to take in order that my cards don't get ripped off online, and that the CCV, cardholder name and address are all supposed to stop card fraud. One simple password (probably the same as my other passwords so I can remember it) isn't really going to make a huge amount of difference. But as usual, they just parrot the party line about it being for security. Numbnuts

  50. Mark

    Silly me

    I thought this was about people being bullied to use *Vista* (Verified by Vista).

    D'oh!

    PS I've had a cold call from my bank and they wanted security questions answered and I asked what it was about to see if they needed to know this. Unfortunately, knowing the answer to what they wanted to talk to me about was insecure (unlike me giving them my mother's maiden name, which is of no use to scammers...).
