The Verified by Visa system may be marketed as an optional opt-in system for internet shoppers, but some banks are forcing users to enrol after only three attempts to avoid it. The unpleasant experiences of Verified by Visa refusenik and Reg reader Steve are likely to be faced by other cardholders, according to Andrew Goodwill, …
MBNA = idiots
I used to have an MBNA card.
When rung up by them (and this happened many times) it went like this
(beyond belief but believe me this is verbatim)
MBNA: This is MBNA here what's your first line of address ?
Me: <tells them number and street>
MBNA: What's your password ?
Me: If someone rang you up out of the blue and asked you for your address then password, would you give it to them ?
MBNA: I need your password to continue this conversation
Me: You're not going to get it, please tell me this was recorded and then ask your supervisor to play it back.
MBNA: Are you not going to tell me the password then ?
MBNA: I can only continue after you tell me your password. It's for your own security.
> I have Egg Visa and Mastercard, and both signup routes failed at the same point: they denied that my card number existed. That was some weeks back. Egg have yet to come back with an explanation.
Egg are a joke - apart from the cancellation of customer cards that don't make them any money, they are a nightmare to deal with.
Last year I was trying to check into a hotel in LA but my Egg Visa card was declined, when I rang them they told me that fraudulent use had been detected, the card was cancelled automatically and replacement would arrive [back in the UK] within 72 hours - the fraud their system had detected was 'someone' trying to use my Egg card in LA.
Is fraud that hard to spot?
All it takes is a right click on the iframe to check it features SSL.
And a fake site is going to ask me for the whole password, not the standard 3 digits of said password. If you don't realise that then you deserve to have your details stolen.
Remembering passwords is now outdated. You have to make it a non-word, sometimes with capitals, sometimes with numbers and sometimes with a symbol, sometimes no more than 8 letters. Different for every site, and then perhaps only use it every 1-2 months. This leads to needing a password repository. Now a chain is only as strong as its weakest link, so if everyone started using repositories they would become the number one target for attacks.
I think for now the most secure we have is chip and PIN, a one-time pass system, and this only requires memory of a four-digit number and having a card present.
[sarcastic] At least with VbV you only really need to "remember" your date of birth, as this is all the forgot-password box needs to let it sail through (why can't I just make that 8-digit number my password?)
This is why I don't shop online without my Amex
I despise Visa. The fact that a) they are managed by different banks and b) said bank can sell it to another bank just SUCKS. I had my SunTrust Visa, which was managed by MBNA sold to Bank of America. We all know how much ass BOA sucks. Well they promptly switched me to a no grace period card, since I never carry a balance (on any of my cards). So I TRIED to cancel - talk about rude account reps. Took me two calls to cancel.
I NEVER have this trouble with Amex..why? because Amex controls Amex. Are they perfect? Hell no. Are they 5000x better than Visa? Yep.
what a prat
What is it with the British and the dogged avoidance of things related to security?
I worked on deploying a 3d Secure system 3 years ago and while it may not be ultra secure and open to potential attacks it is still better than nothing.
Sometimes you just have to do it. By the way, it was never intended by Visa or MasterCard that it stay opt-in. It was just until people got used to the idea.
Steve, complain about something else, and Reg editors, stop giving screen space to whiners. I come here for a sceptical look at real news.
Mine's the one with the ID card in it, (since I am an immigrant I should be getting mine in November along with the airport workers)
Cyota/securesuite has been mentioned before in Register stories and in comments: I agree with Mo, and others - it's wrong for banks to be encouraging their customers to type in personal financial details to a website of an unknown company.
About the suggestion of OTP SecurID-like tokens on credit cards: ironically, RSA have announced such a product (see http://www.securityinfowatch.com/online/Financial/RSA-puts-SecurID-into-card-form-factor/16047SIW339 - and I'm sure other companies are working on it too). But I suspect the cost would be too high for banks to consider buying and distributing them; it seems they'd rather take the loss on fraud instead, or pass it on to their customers.
Smile: "A really secure e-mail"
I'm not sure I like having to enter my Smile password on other shopping websites. How do I know they're not phishing for it? That compromises my normal Smile logon.
Here's the email I got from Smile on the 3rd June that I've only just bothered to read. That third paragraph says they've automatically registered your cards with VbV and "If you do not use the service, we may not authorise further internet transactions with participating retailers and suppliers." and they've already changed (or "varied" in newspeak) their terms and conditions for me.
There are some shady types out there on the interweb, just dying to get their grubby little hands on your debit and credit card numbers. That's why we're introducing a service called Verified by Visa, which lets us work with Visa to make sure your online transactions are more secure than ever.
How? To take security up to the next level, the memorable name you've chosen for your internet banking access is now also your Verified by Visa password which you'll be asked to confirm every time you shop online at participating retailers. This adds a whole extra layer of security to your online shopping. And because you haven't written this down anywhere - you haven't, have you? - only you know it, so it's much harder for anyone else to use your card details without your knowledge.
Your smile card(s) and any personal cards you hold with The Co-operative Bank will be automatically registered for Verified by Visa in about 30 days. Then, if you pay for goods or services ordered on the internet using your card and the retailer or supplier participates in Verified by Visa you will need to use the service. If you do not use the service, we may not authorise further internet transactions with participating retailers and suppliers. If you have a current account with us, your terms and conditions have already been varied to include this condition, please refer to condition 9.8. Credit Card Accounts with an authorised card will not yet be registered for Verified by Visa.
Forgotten your password? Not to worry. Just choose another one and either call us on 0870 843 2265 to tell us or go online to register it. This way, your transactions will be safer - meaning there'll be one less thing in life to worry about (you're on your own with that decision to paint the bedroom lime green).
Oh, and in other news they've also asked me to always login and send them a secure message whenever I go abroad so they know not to automatically bar it and then make me spend lots of time and money on my roaming mobile to re-activate it. I used to like Smile, but now they're turning into Frown.
That Co-op card won't be any good to you for much longer. They are enrolling everyone in VbV. I got my letter yesterday.
Re: Is fraud that hard to spot?
"All it takes is a right click on the iframe to check it features SSL"
Yep, and you'll find that this unexpected IFRAME is for some bizarro domain in Brazil.
And you *willingly* re-entered your credit card number and details into this box??
Tell you what, I have a bridge I'd like to sell you.
Criminals have SSL certs too, you know. SSL != "secure"
banks are not the same as payment agencies
There seems to be some confusion here, banks are not the same as the payment agencies. Visa, Mastercard, AMEX et al mandate to banks how they should operate. The security required by the payment agencies is constantly improving hence you see change in what is required.
There is not some conspiracy to make customers responsible for fraud. The requirements are to make fraud less likely to occur, hence why the transactions are being pulled back into the bank's datacentres rather than the merchants'. This removes (or will do when it is fully complete) the merchant as a potential weak point in the security chain. It should also be remembered that if customers of banks do become the victims of fraud, it is the customers as a whole who lose out: the money that the bank uses to refund them is ultimately contributed by the other customers.
The CVV number is only designed to prevent someone taking an impression of the card; it means that you can't use one of the old-style swipey card and carbon paper thingums or take a single-sided photocopy of a card and be able to use it online/on the phone. That is all it does; it is a small security feature.
SecurID tokens would be great for each customer of a bank, but they are _very_ expensive. Typically you are looking at £50 a pop. Obviously this would come down drastically in the kind of bulk that a bank would use, but they do break and they do expire, and they are vastly more expensive than a card and one of the readers that are currently being used.
As another point, if the merchants can pass off the authentication to the banks and have no need to have the kind of systems security mandated by the payment agencies, this will be good for the customers, as you don't have to fund the extra infrastructure involved.
Re:Smile: "A really secure e-mail"
Smile Visa have the *worst* online fraud department I've ever come across.
Within a few weeks of getting my card, some bozo accidentally (?) entered my card number when buying tickets on Ryanair.
Despite the fact that his name, address and everything else didn't match, they still processed the payment. Then they took a whole month to respond to three secure messages and a phone call disputing the charge, before finally deciding (two days before I go on holiday) that they need to cancel the card and issue a new one "to protect you from fraud".
Eventually they decide that the transaction was fraudulent, and issue a refund - to the cancelled card!!
Once I'd finally got my money back, I gladly cancelled the card (in writing). Even so, it still shows up as a live account when I log in to the website...
No :-) for you.
The issues I have with VbV are:
2. My bank enforces the password to be the same as one of the passwords I use to log into my online bank account. Before VbV that was known to me only and used to access one service. Now it's potentially known to someone else and used to access more than one service. I want to have separate passwords, but the bank "recognises that people have difficulty with this and so have arranged for them to always be the same".
This is a wonderful business model
That is, if Visa wants to promote use of American Express, which I've been using since I first hit a Verified by Visa screen!
@ James Prior
I would say a lot of people are not as technically aware as yourself.
Why should they have to right click in an iframe when the point is that this is an inherently bad way of implementing 'security'.
Your comment makes you sound like a pompous twat.
Number, numbers, numbers...
should make the number crunching cybergeeks happy. So what do you all complain about one more line of code in the matrix of personalIDentity?
These things were supposed to prevent fraud too. Why aren't they working? Why is any system going to work better? There are inherent risks in dealing with any type of funds transfer be they cash, travelers checks, money cards, whatever. Theft is a part of money and everyone must accept the risks and go on about life. There is nothing that will prevent fraud 100%. Life would be better if people would accept this and move on.
Why VbV and Mastercard SecureCode are poor systems
A) Most banks don't tell you the system exists until after you've been shown it.
B) It requires that you re-enter your CC number and further details into an IFrame of obscure origin that you did not expect.
C) If you do expect the IFrame, it's relatively difficult to check that the IFrame is really from your bank/card issuer/payment verification system.
The reason for this is that you do not know WHO is supposed to be sending the IFrame (it's not necessarily your bank), and it's not even the same place each time, so if you check the certificate you don't know if it's the right one.
The form and appearance of the IFrame is the same across the vast majority of users - there are basically two different ones. It's therefore incredibly easy to spoof.
To top it off, all a black hat needs to do to learn all your security details is easy:
1) Spoof an IFrame that looks correct when the user gets to the payment verification stage where it usually appears.
2) Refuse your details, no matter what is entered.
3) Offer the standard "Re-register" options.
4) Harvest all details required to re-register.
5) Pass back to merchant site. Doesn't really matter if they can make the merchant think it's OK or not.
The black hat can now use your credit card any time they want, and you'll never realise it until you get the bill.
Step 1 is the only technically difficult part, but it's only hard if the black hat doesn't have access to the merchant's servers.
So if the black hat is the merchant, or has compromised the merchant's site in some way...
The underlying concept of VbV and Securecode isn't fundamentally bad, but as seems to happen very often it's been incredibly badly implemented.
GIANT Phishing hole
I can see the Phishers coming onto this in flocks! VERY BAD MOVE GREEDY BANKS!
implement something sensible which is verifiable as genuine by the consumer, and more fraud proof. this is VERY alarming!
SecureCode is annoying
All SecureCode does is add yet another password to the list of things I have to remember. A password that's just as easy to snoop as any other, and is easy to phish as Richard suggests above.
SecureCode certainly didn't seem to be voluntary from my perspective as an end user, I couldn't work out any way to buy my goods until I'd enrolled.
It's almost in the same league as the idiots at the bank that call me from an private number, and ask for proof that *I* am who I say I am. Not happening.
That same bank that wants my email address so they can send me stuff, which could just as easily be spoofed.
The very same bank that just has a password and a secret password for internet banking. :rollseyes:
I posted this with the joke icon, because that's what I think their online security is ;)
Perhaps it's some sort of test - if you're too stupid to remember an 8 char password you're too stupid to have a credit card. I have a system for passwords - the password for each site is different but I immediately know what the correct code is even if I haven't used that site for more than a day, or sometimes even 2 days!!!
I mean what, exactly, is the problem? This system is trying to prevent fraud and most people seem to be saying, "NO! STOP! It's too hard - please allow criminals to rip me off cus I'm too stupid to remember a password."
I've used both VbyV and SecureCode and it really isn't that hard.
Cardreader and VbV
In the past I had an ANZ Visa (Oz version) which was the first card in Oz to have a chip. A free USB card reader was provided (which works well for GPG now) so the card could be used for the 'new' Verified by Visa system.
The idea was that once the card was registered, Visa would know it was a chip card and that for any VbV transactions the card would have to be placed in the card reader, proving that the person making the purchase had physical possession of the card. I think a PIN was needed too.
Given how many Chip cards are around now, why isn't this adopted by the banks? Could it be that managing digital certificates is too hard for the average punter? The tax office has stopped requiring them here for online tax returns.
I've only found one online IT retailer that requires VbV or SecureCode, and as my Mastercard provider didn't offer SecureCode I couldn't purchase from them. Their response was to get a different card, and my reply was that I'd order the gear from someone else.
I have a new mastercard now, no chip in it and no securecode option. Hard to believe it's been issued by a bank owned by HBOS!
I guess I'm not the only one. It actually resulted in my receiving a double order (and double-bill) because it looked like my first order was declined... only it wasn't. Yech!
The worst part is it obviously doesn't make *me* the slightest bit safer.
@Alex Re: Too stupid
Alex - Apparently *you're* the one who is too stupid. Nobody's saying they couldn't be bothered to remember another password - we're complaining that this scheme doesn't actually add any extra security, just the illusion of it, and in fact as it currently is implemented it may be making online fraud *easier* for the perpetrators. Worse still, it shifts the burden of proof away from the banks and merchants onto the consumer, who has been opted in against his better judgement into this so-called voluntary scheme. The whole thing stinks.
I'm with First Direct, which since August 1st now uses VbyV for its credit cards and SecureCode for its debit cards. So far I seem to have been lucky in that I haven't yet used a website which has signed up to either system - but I'm sure it's just a matter of time...
First Direct seem to be making the VbyV and Securecode security system mandatory for their customers. You have 3 online opportunities to register - if you don't register, then your card is zapped...
As a cut/paste from First Direct's website will confirm...
"From August/September 2008 when you place an order over the internet with organisations that participate in MasterCard SecureCode™ (for Maestro debit cards) or Verified by Visa™ (for Visa debit cards) (designed to prevent fraud) you will be invited to register for the service applicable to your debit card. If you do not do so, as part of our fraud prevention measures, we may not authorise the payment for your order and further internet transactions with participating organisations."
I'm concerned about the systems from the point of view of forgotten passwords. It seems incredible that you can steal a credit/debit card, and then with just the info on that card (plus the cardholder's DoB) you can create a new password and then start to make fraudulent online transactions. Madness. How is this an extra layer of security??
I for one will not be registering with VbyV or Securecode. If this reduces the number of online sites I can use to make purchases, then so be it, but I'm not entering my details into a pop-up and laying myself open to possible online fraud. Fuck them.
I hate this god damned thing and have been at the last stage of many purchases, when it decides to pop up and tell me I must sign up and remember BS security details. All times I have refused. One time I managed to get past it somehow. Another time I went to another website to buy the item and all the other times I just didn't buy what I planned to. Their loss.
Here's what I find MOST annoying. Websites and services are constantly signing you up to extra things, making you choose a password and security questions. You must remember these 5000 answers and codes for each place you use, they must all be different and not easy to guess but you must also not write them down anywhere.
If you forget or mistype/misguess your password 3 times you are locked out of using your card/account and must (probably wait until the next day) phone up, answer security questions over the phone (a different set!!) tell them everything you bought last and how much it cost (hopefully you remember that!) then you must wait for them to activate your card/account again.
Oh, but not before you make another NEW password that you will remember this time.
I am absolutely fuming at this Visa verifying scheme. It is nothing but inconveniencing customers and making THEIR lives easier. I also do not want to use it but as far as I know switching banks/cards is pointless as all plan to implement it.
I do not want to have my card frozen or purchase cancelled/stalled all because I forgot or mistyped some random UNNEEDED password and answers to a mini-quiz.
I am also not sure if the website you buy from gets this info. Does anyone know? I haven't been able to find out yet. All I get is their spin for the sheeple about how good and safe and secure and necessary it is. I don't want the email used for verification passed on to every company I buy from. I use throw-away email addresses to buy goods and do not plan on changing that.
It looks like you are the stupid one. You have missed basic details about their supposed fraud protection for customers. Do yourself (and us) a favor and get over yourself quickly. Most of us here have read that password making method that you are so smugly trying to pass off as your own little genius idea, and as such, your password is not as secure as you think it is. Since most computer savvy people (and normal people too) are aware of many people using that type of password, you are definitely not as high and mighty as you think you are, and may even leave yourself MORE vulnerable.
Also, since your passwords follow a pattern, and are actually very simple (by admission!), whereas most people's (that you are criticizing) are the randomised, long, number + letter combination... it would actually MAKE YOU the stupid one (once again), since you employ an easy-to-remember, and easier-to-crack, password system, and everyone else is memorizing about 20 individual combinations. How did you not get that?
FYI people not agreeing with 'your' method does not make them stupid. Not taking the easy route does not make one stupid. Having a bad memory does not make someone stupid either. We are not talking about remembering ONE 8 character password here. Too bad. Good luck.
Always think simply.
I am not in banking and not a heavy card user, but I think that I have a much simpler system and no third-party interrogation. The question is, is anybody interested? Banks, like most large institutions, create departments of wizards who never get it right, but that doesn't seem to matter. In the meantime it's the customer who loses out. If there is a bank that is interested, I am here.
secure - well...
pick a bank...
What a lot of people bemoaning the phishing potential of the scheme are missing is that a properly written issuer system will present the user with a personalised message when asking for their password.
If you don't see the message, it's not your issuer. VbV/SecureCode is a good system.
Admittedly, some issuers don't implement the personalised message, or present a static one. This is poor practice, and I'd recommend complaining to your issuer or switching if this is the case.
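To make the personalised-message point above concrete, here is a constructed Python model of the challenge step. It is an added example and not code from any issuer, Visa, MasterCard or the commenter; the card tokens, phrases and passwords are made up, and the `Issuer` class and `cardholder_should_proceed` helper are assumptions used only for illustration. It shows why the phrase only protects the cardholder when it is their own: a frame not served by the issuer has no record of the phrase, but an issuer that shows the same static sentence to everyone gives a copyist nothing to get wrong.

```python
import hashlib
import os
import secrets

# Constructed mock of an issuer-side 3-D Secure challenge (assumption, not a real API).
# Records are keyed by an opaque card token; the card number itself is never stored here.


class Issuer:
    """Issuer that enrols a personal assurance message alongside the VbV password."""

    def __init__(self, static_message=None):
        self._records = {}
        # If set, every cardholder sees this same sentence: the "poor practice" case.
        self._static_message = static_message

    def enrol(self, card_token, personal_message, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._records[card_token] = {"message": personal_message, "salt": salt, "digest": digest}

    def challenge(self, card_token):
        """Step 1 of the challenge: show the cardholder's own phrase before asking for anything."""
        if self._static_message is not None:
            return self._static_message
        rec = self._records.get(card_token)
        return rec["message"] if rec else None

    def verify(self, card_token, password):
        """Step 2: check the password only after the phrase has been shown."""
        rec = self._records.get(card_token)
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return secrets.compare_digest(digest, rec["digest"])


def cardholder_should_proceed(expected_message, shown_message):
    """The advice in the comment above: no phrase, or not your phrase, means do not type the password."""
    return shown_message is not None and shown_message == expected_message


def spoofed_frame_challenge(card_token):
    """A frame not served by the issuer holds no enrolment record, so it can only show a generic prompt."""
    return "Please confirm your details to continue"


def run_scenarios():
    """Exercise the genuine, spoofed and static-message cases; returns a dict of outcomes."""
    good = Issuer()
    good.enrol("tok-alice", "purple teapot 42", "correct horse")   # constructed values
    good.enrol("tok-bob", "rainy tuesday", "battery staple")

    lazy = Issuer(static_message="Your bank cares about security")  # same sentence for everyone
    lazy.enrol("tok-alice", "purple teapot 42", "correct horse")
    lazy.enrol("tok-bob", "rainy tuesday", "battery staple")

    return {
        # Genuine issuer shows Alice her own phrase, so she proceeds.
        "genuine_alice": cardholder_should_proceed("purple teapot 42", good.challenge("tok-alice")),
        # A frame of unknown origin cannot show the phrase, so she stops.
        "spoofed_alice": cardholder_should_proceed("purple teapot 42", spoofed_frame_challenge("tok-alice")),
        # With a static message, the phrase no longer distinguishes Alice's issuer from anyone copying it.
        "static_distinguishes_users": lazy.challenge("tok-alice") != lazy.challenge("tok-bob"),
        # Password verification still works as normal at the genuine issuer.
        "password_ok": good.verify("tok-alice", "correct horse"),
        "password_wrong": good.verify("tok-alice", "battery staple"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model deliberately keeps the phrase on the issuer side only: that is what makes it a useful signal for the cardholder, and also why a static sentence shared by every customer defeats the purpose, since it is just as visible to whoever copies the frame as it is to the cardholder.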
How on earth is the average punter supposed to realise that the absence of a "personalised message" means they are being phished? Especially when the personalised message is optional and most issuers don't bother with it anyway.
And the IFRAME implementation means that even if you DO have the nous to check the certificate, you find it's registered to an untrusted third party in a foreign country.
Good systems need to work in the real world.
As implemented, VbV/SecureCode is not the good system that you claim it is.
See my Sat 9th. Every card change brings inconvenience or another group of card-breakers. As Anonymous Coward says good systems need to work in the real world and the one I have in mind makes the card anonymous to all but the approving bank and only in a brief form to them. No passwords!!!
IF IT WORKS it would be almost invisible. More importantly, considering how people hate change, it is virtually the same as prior to VbV for the user.
Any suggestions on who to approach.