back to article Net shoppers bullied into being Verified by Visa

The Verified by Visa system may be marketed as an optional opt-in system for internet shoppers, but some banks are forcing users to enrol after only three attempts to avoid it. The unpleasant experiences of Verified by Visa refusenik and Reg reader Steve are likely to be faced by other cardholders, according to Andrew Goodwill …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Note to Steve...

    Steve, get a life.

  2. Anonymous Coward
    Thumb Down

    Mastercard securecode is equally bad as Visa

    The mastercard 'securecode' service is just as horrible as Visa's. As noted in the article, the use of an iframe for verification is a terrible approach, making it essentially impossible for average user to know whether the site is genuine & secure, because the browser only gives you direct information about the containing page. The mastercard securecode website itself has less-than-stellar reliability - it often times out dealing with requests, requiring a re-submit (making you wonder if you're going to be charged multiple times), or fails completely for extended periods of time, forcing you to telephone the retailer to place the order instead, or simply abandon the order.

  3. Peter Mount
    Boffin

    It's not necessarily the banks doing this

    Having implemented 3DSecure for work, part of the api allows the merchant to decide if they want to continue the transaction if the customer has opted out of being verified. When we get the response back, it tells us if it succeeded, failed or they are not enrolled.

    Simply put, if the customer has verified by Visa then the liability is on the bank, but if they are not enrolled and have opted out, the merchant may decide not to accept the liability for that transaction, and decline it themselves.

  4. Anonymous Coward
    Anonymous Coward

    "It's for your own security..."

    Nothing irritates me more than some bank 'phone bod asking me a whole string of stupid question, the answers to which I can never remember, and then telling me that it's for my security.

    This sounds more of the same.

    It's not for my security: I am nicely protected by various consumer and credit laws. It's for you protection you greedy, irritating, lying bastards.

  5. Anonymous Coward
    Dead Vulture

    Waity a minute

    The CCV (or CVV ?) code on the back of the card is to stop credit card fraud. Now I have to have that and a password ? What a bunch of complete w@nkers,er b@nkers.

  6. Daniel Durrans
    Paris Hilton

    I hate VbV

    My main problem with VbV and Securecode is that I don't purchase enough stuff to remember the secure password that I set. So either I have to store that password somewhere, which could be considered to be insecure, or I have to set a password that is very easy for me to remember (which will probably also be insecure).

    I have found that even when there isn't a a "no thanks!" button with Natwest if you get past the first page of activation (before it asks you for a password) then on the second page there is a "cancel" link which has worked every time.

    Paris because the system is retarded.

  7. john doe

    Steve

    dude, you should stop being a anal retentive and just enrol. Resistance is futile!

  8. Anonymous Coward
    Anonymous Coward

    Bullied? You bet!

    From personal experience:

    - Alliance+Leicester bullies you into signing up your debit card. You decline to three times and you are forced to next time.

    - Egg Visa is optional, you decline three times and you should not be bothered again. Egg Money MasterCard is not confirmed.

    - LloydsTSB is optional on the MasterCard.

    There is no doubt that banks are trying to shift away responsibility from themselves to the consumer, all the while claiming that it's for your protection. After all, VbyV and SecureCode mean that YOU are the one holding the credentials, not them. It's Chip-and-Pin for e-Tailers. And we all know how secure Chip-and-Pin is, especially when administered by APACS.

  9. Anonymous Coward
    Anonymous Coward

    Compulsory on Nationwide

    Nationwide sent out new terms and conditions, making it compulsory. I don't want to use it either, since it pushes the liability towards me and makes it harder to prove fraud, but have no choice.

    However changing banks (again) over this - I am not so sure...

  10. Metal Marv
    Thumb Down

    A pain in the Arse

    It is extremely irritating to use as well, especially if you don't use it often. There are sooo many sodding systems that require passwords now, and not just any password, you usually have to make it super long and with numbers in it to make it "unique". All that does is make it longer to type in and means I end up using the same password for multiple systems in a bid to try and remember it!

    Bloody Sarb-Ox regulations!

  11. Anonymous Coward
    Stop

    SecureCode is just as bad

    There is no way to bypass it anymore (and the last time I did my card was stopped until I had a phone call from the bank)

  12. lee harvey osmond

    Happened to me

    Except that the MBNA call centre droid told me that it's being made mandatory soon for all credit cards. Which I very strongly suspect to be a lie.

    What I know about Verified by Visa (aka 3DSecure, and probably some other names too) comes from having read the manual to support it in a webstore. It appears to me to be a move to a three-factor authentication scheme, where the third factor adds no strength because it is likely to be stolen or leaked or compromised by all the same means a black hat would use to get at the first two. Since the shopper's 'secret' will have been presented, under the terms and conditions, the shopper has no right to repudiate the transaction. Or put another way, this is a way of shifting credit card fraud losses from the banks to the shoppers, and the shoppers get no benefit from this that I can see.

  13. Jusme
    Unhappy

    Lost them one customer...

    Verified by Visa is one* of the reasons I no longer use Barclaycard. Pretty much every time I had to use it the password was not recognised and I had to "reset it", which just meant entering my DOB and a new password, hardly very secure.

    * The other reasons are the hair-trigger on their online fraud prevention system, which seems to block every transaction until I spend 10 minutes on the phone to them, and the con-trick they've pulled with the online payments where you're fooled into paying more than you need to if you elect to pay "balance in full" (they include recent transactions not shown on your statement and not required to be paid until the following month).

    No such problems with Mastercard (yet...)

  14. Andy
    Alert

    Couldn't agree more

    My main on-line purchase used to be pizza for the development team. It's now impossible to order a pizza on-line without registering for verified by somebody. The outcome of this is that my development team now get bacon butties from the local truck stop instead of pizza if we pull a late nighter.

    On a more serious note (although not much is more serious than lack of pizza) I think any on-line shop that takes your credit card details is suspect. I far prefer to be redirected to a real bank site that I trust and recognise to do this. The same applies to verified by... I really don't want to enter my card details, security code and extra security password into a web page that is under the Domino's pizza domain.

    Chip and PIN made my Barclaycard unusable in real life (nowhere local to change the PIN to something memorable). Verified by means I can't use it on-line either.

  15. john loader

    What's the problem?

    Having been ripped off 3 times by on-line fraud I applaud the verified by Visa process - in fact I pestered my bank to introduce it. Anything that makes it safer to buy online must be a bonus. And site owners want it to protect themselves as they have had to carry the cost of fraud and hence had to reflect that cost in their prices.

    I haven't seen any adverse security issues with the scheme anywhere. Why the resistance?

  16. simon
    Unhappy

    Gave in eventually

    ...after running out of 'not at this time', but through a quirk of the system I now have 2 VbyV accounts for the same card - that means I have to look very carefully at the 'security' page so that I enter the right characters from the right password.....ho hum.

    Frankly I'm not impressed with the system, it seems clunky and adds yet another step in an online ordering transaction which is probably already teeming with 'security' features.

    And as for the 'it's to make your transactions more secure' excuse - I think it's got much more to do with shifting liability onto the consumer for fraudulent use,

    after all "...that huge overseas bound order *must* have been you because it was handled by VbyV and nobody would know your details unless you've given them away (which is your fault stuid!)....".

    I don't know what the answer is, but this kludge isn't it.

  17. Mike

    Is it really that bad?

    I've not had any issues using it. Yeah, it is another layer of hassle but it does have a purpose.

    I understand that remembering the password could be an issue for people who only buy something every 6 months or so, but what is Steve's excuse?

    He must be living an idyllic life if this is worth getting all upset about.

  18. Kevin Fullerton
    Black Helicopters

    smile

    Had an e-mail this morning from my bank (smile) that they're enrolling in VbV and that one of the security questions asked as part of the bank logon is now our VbV password - not sure if this is a good thing or not yet

  19. David Harper
    Jobs Horns

    Even worse - you can renenroll

    Because of the password strength for the verified by visa scheme forcing you to use 2 digits I of course had forgotten it.

    Imagine my suprise then when I found out I could click on the enrollment link and resignup. Now I got to the point where I could enter a password and got the error back saying "Must include 2 digits". This acted as a remindar to what my password was so I tried that - after which I got "You've already used that password" - so I gave up renrollment at that point.

    However it seems that it's completly unsecure if at any point you can enroll in the scheme and create a new password!

  20. BS

    Note to Anonymous Coward

    Anonymous Coward, get a life!

  21. myxiplx

    @ john loader

    The problem is that it doesn't make it any more secure, it just shifts liability from the merchant to the bank.

    I'd actually argue that for the majority of users it makes things less secure. You're now training people that it's normal for a website to ask for your card details twice - once on the main site, and another in a box that looks nothing like the site, but has some 'Verified by Visa' or other crap written somewhere.

    This scheme is a godsend for phishsers. The banks have just undone all their good work telling people to watch out for phishing attacks by implementing something that the average punter can't distinguish from even a very crude attack.

  22. BS

    On a tangent.

    Nationwide now require me to use their card reader. One problem -- I don't have any cards! I don't use them so why would I want them, I certainly don't want them for the sole purpose of using a card reader.

  23. yet another Matt
    Thumb Down

    More Secure or Less Secure?

    When I was offered to create a username and password for my credit card, my first impression was 'Ok, I will.' But after my password being rejected I was very confused. There was a bizarre stipulation in it that meant the password cannot be more than 8 letters in length and can't contain special chatacters (so [A-Z, a-z, 0-9])

    WTF?! You have to create a secure username and password that is less secure than the account I am using to purchase the item in the first place.

    So I promptly skipped the page. I realised though, using something physical in your hand (your card) and something in your head (user&pass) is better than just your card. So it is better, sort of.

  24. Stef

    @ john loader

    Sorry to hear you've been ripped off online (has not happened to me yet, and I do virtually all my shopping online except for suits and shirts).

    Did you get the credit card company to refund you when you were ripped off? If the answer is yes, then you can kiss that goodbye if you happen to get ripped off in the future. They consider the Verified by Visa to be invulnerable, so any claims that you have been ripped off will fall on deaf ears.

  25. Craig

    Worse yet..

    As a previous implementer, I've found that many banks returned that people were enrolled in the system, even when they were not, and the page the card issuer returned, where usually it would be an entry form, were advertising material for the scheme. At least one company I implemented this for chose to bypass 3dsecure for mastercard and visa.

    Thats not even getting into the issues I had implementing the first version of the api I was given, which required that I store credit card details between payment stages, including ccv. All because the payment processor didn't store any stateful information. This may have been payment provider specific however. And was already corrected before I was pushed to implement it.

    Makes you wonder what sites out there are storing details using archaic versions of the api however.

  26. sproot
    Paris Hilton

    SecureCode

    After many failed attempts to use it I found that Mastercard SecureCrap is only supported on Windows + mac.

    Since I would never enter any financial info into a Windows PC and I don't own a mac I sent my Mastercard back.

    Perhaps if they'd hired some developers to produce it instead of a beancounter it would work properly?

    Paris. Just because.

  27. Daniel
    Paris Hilton

    in the interests of security ...

    ... I am reverting to keeping a box of used tenners under the bed.

    Paris, because her box has been on a few beds.

  28. Bruce
    Happy

    Way around signing up!!!

    Simple way around the VbyV screen is to type in the first page of details then click the sign up button, then on the next page where you should enter a password simply click the really small cancel button at the bottom of the page and your purchase will be accepted, works for me anyway!!!

    give it a go, these two systems are total crap!

  29. Anonymous Coward
    Thumb Down

    Credit cards! P.I.T.A.!

    I dumped all but one of my credit cards, last one has a £250 limit, too much bloody trouble! The bank keeps bullying me by upping it and I ring up at least every 2 months to get it back down, they always ask why and I tell them, "Because you lot are a bunch of useless scumbags who couldn't be trusted to look after a fecking goldfish, I am not trusting my financial security with you lot more than I have to, put the limit back down or close the account, your choice.". I have to tolerate debit cards if I want to shop anywhere, once again active account has a limit on it.

    It just seems everywhere you go these days, these corps are simply looking to shift their responsibilities the poor sod who had the misfortune to sign up with them!

  30. Trevor Watt
    Go

    @ BS

    Currently Nationwide's card reader is only for transfers on their own on-line banking site. But it works very well and requires the person using the account to have the card, pin and the card reader.

    Personally I dont mind VBV as the hassle of having your card used for a fraudulant transaction is a PITA. I know, it has happend more than once with both of my cards, the common denominator for the off-line card use being a local petrol station.....

  31. Anonymous Coward
    Paris Hilton

    Big deal

    I use it frequently, it takes less than 30 seconds and I have not had any problems.

    Steve really should find something better to do.

    Paris, because it's so simple even she can manage to use it.

  32. Mo
    Stop

    Having now implemented 3-D Secure support on several e-commerce sites…

    …I can safely say that it's the most cack-handedly-implemented specification I've ever had the misfortune to deal with, and anybody who's done a lot of work with payment gateways will know that's not a statement which can be made lightly.

    The whole thing is massively prone phishing scams—a dodgy retailer can trivially determine the type of card (MasterCard or Visa) from the BIN ranges and present a form to harvest credentials which looks no less legitimate than the official bank-provided ones.

    What's worse is that many UK banks don't even host their 3-D Secure verification pages within their own domain; outsourcing the code I can understand, but having it sat under RSA's “securesuite.co.uk/<bankname>”? Ludicrous. Consumers have no way whatsoever of knowing whether a given 3-D Secure verification page is legitimate or not, and thanks to the liability shift which occurs will be _worse_ off than before if fraud does occur.

    What they SHOULD have done if they wanted security is to embed a one-time-password display into the cards (think RSA SecureID) and had customers enter the OTP along with their card details/CV2 to verify that they were actually holding the card—only the issuer and the person physically holding the card would know what the OTP actually was at any given point in time and it could be safely entered on payment pages and passed to the issuer via the acquiring bank and payment gateway with ease. This would also cut telephone-based card fraud down to approximately zero, except in the cases of actually stolen cards (as opposed to card details).

    Of course, there are probably logistical problems with fitting an LCD display into something that thin, but when fraud losses are the sorts of numbers banks talk about, you have to wonder if it wouldn't be worth it.

    This would have one unintended side effect, though: I wouldn't be able to use my wife's card to buy stuff without her being on the end of the phone. Frankly, though, that'd only be a minor inconvenience.

  33. Anonymous Coward
    Thumb Down

    It'll get worse...

    I've used VbyV often and it's only a minute extra and with the added layer of security I don't mind. If someone did fraudently use my CC number then it's going to be a real hassle...so it's worth it in my mind.

    But, it'll change I believe as my bank Barclays has Pinsentry, which I've never used and think that'll be a real hassle as I've used tokens before to log onto systems and those damn things have crap LCD numbers!

  34. Tom Chiverton
    Alert

    chip and pin NOT mandatory

    C'n'P isn't mandatory at all.

    Go ask your bank.

    Several times. Probably try a few different people.

    It might help if you pretend to be old.

    Eventually you'll find they do 'chip and signature' cards - http://www.rnib.org.uk/xpedio/groups/public/documents/PublicWebsite/public_chipandpin.hcsp

  35. Stuart
    Thumb Down

    3's Top-up service

    Ever run out of credit on 3's broadband service? Easy, you can top up online (yes on a Welsh hillside on a Sunday evening).

    Everything goes fine till 3's system calls for VoV and then blocks it! So you can't Top-up with my NatWest Visa card. Screwed me till I remembered I have a Co-operative Bank Visa card that trusts me.

    Reminds me of when i used to play sharedealing in the office. My friend banked with NatWest and had to send faxes and stuff to confirm a share purchase. I just called a nice lady at my Brum branch. "No problem luv" and that was it. Done on trust (as in knowing your customers). Cheaper & faster. Remind me which bank loses most customer's money?

  36. Anonymous Coward
    Pirate

    Securecode not that Secure

    I have been "directed" to Securecode once in making a standing purchase on-line at a site I knew well. I duely entered the required details. Two hours later HSBC were ringing me up asking if I was using my card to withdraw cash in Thailand.

    Do I think this is a secure method? I rang them up and cancelled my Securecode and password entry.

  37. David Given

    Intelligent Finance

    I'm with IF, and it's compulsory with them, too. I've tried complaining but I always seem to get a munchkin on the other end who doesn't know what I'm talking about.

    What's more, resetting the password is trivially easy and doesn't even require email confirmation, so I'm not sure what it's actually for...

  38. Anonymous Coward
    Anonymous Coward

    I miss..

    The temporary "generated" card system we used to have (Orbis). That the design was a bit faulty should have been resolved instead of this crudpile we now have (some services do a double-dip to ensure you're valid; this does not work as the number is singe-use).

    Heck, even paypal is better than the current system.

  39. TimM
    Unhappy

    Multiple account hassle

    The main issue I have is the number of accounts that get created. Somehow I've managed to get two cards by different issuers under the same account but others automatically get a new account created and it just invents a user name.

    Remembering passwords is going to be worse though. I have a hard enough time as it is with the hundreds of passwords I need to surf the web anyway.

    Of course I could use the same password everywhere, but then I may as well give my front door keys to Mr Burglar and say "help yourself", as it's about the same level of security.

  40. Anonymous Coward
    Anonymous Coward

    Card readers are a PITA

    I have a barclays one, or rather I have 2 one at home one at work. And I use it so infrequently I've currently forgot the pin and locked the card anyway. No interbank compatability is a pain would I have to have one for each card?

    Still got a few free watch cells out of them.

  41. Keith Oborn

    I tried to sign up--

    - and failed. I have Egg Visa and Mastercard, and both signup routes failed at the same point: they denied that my card number existed.

    That was some weeks back. Egg have yet to come back with an explanation.

    I await with interest the first time my card gets blocked--.

  42. James Pickett
    Unhappy

    Security

    Sounds like the banks' version of WGA, i.e. ostensibly of benefit to you (dear valued customer) to really only of benefit to them, so they can wriggle out of claims for fraud. Which isn't possible now, of course...

  43. Ross Ryles

    Couldn't sign up when I tried!

    I tried resistance but was forced to sign up when trying to buy a gift. However when I tried to sign up I was told my details were incorrect! I checked them all carefully which wasn't difficult as the only thing required that wasn't printed on the card was my date of birth. I think I know my date of birth. Apparently not. After several phone calls I was told that I had been born on 11th November 2011! At least it was obviously wrong and so I could get it corrected. Unfortunately the correction would take 2 working days to complete. By that time, the gift would have been too late. I'm Vexed by Visa.

    In their defense, there is a feeble attempt to reassure users that the VbV page is authentic. You can set a custom greeting message that is displayed on the first page. At least that is the case with Barclays VbV. I also approve of the idea of card readers that produce a one time pass code. The implementation of it however doesn't fill me with trust. The first digit it returns is always 3 and I can usually guess the second digit! Cryptographically secure??? I think not.

  44. Rob Aley
    Alert

    A merchants view ...

    As a merchant (www.oxfordethical.co.uk) we weren't allowed to accept maestro cards until we enrolled in 3D secure with our provider (barclaycard business), which then rolls it out across all card types. I generally welcome it and think it can do for online sales what chip and pin did for card holder present sales i.e. generally reduce fraud without affecting sales levels (in some cases increasing them as chip and pin can be faster, which is why the likes of MacDonalds are now accepting cards).

    However it needs to be implements fully, across all cards, and made mandatory.

    - Without it at all, there is lots of fraud

    - With it partially as it is now, there is some fraud reduction, some increase, and lots of customers put off

    - With it rolled out fully, there will be lots of fraud reduction and customer familiarity will mean that they aren't put off (well, most of them).

    The only downside in the way it is implemented now is that it is too easy for fraudsters to "copy". When I use my egg card which is enrolled, there is a "customer message" line which appears on the screen asking for my password. This should contain something such as phrase I have provided them in advance, so I know it is a genuine screen. However currently it just has a marketing or generic "this is all secure" type message. Make this work correctly, roll it out across all card types and banks, make it compulsory and fraud will drop dramatically.

    Nothing is ever perfect or will stop fraud completely, but I think this is the best current bet. And for those saying the banks are only doing this to protect themselves, well, duh! But remember that being as they are, they would pass down the extra costs of fraud to customers or the merchants (who mostly add it to the price of their goods) anyway. They'll never let it touch their profits, but at least this way consumers don't end up paying for it.

  45. Steve

    Mastercard outright lie to you if you ask them about it.

    After getting my card repeatedly declined while trying to order something over the phone because the "postcode didn't match" the guy taking the order let slip the word "securecode". He was only running a pizza delivery firm so he obviously wasn't much of a techie and didn't realise that it wasn't my bank that was declining payments.

    I phoned up Mastercard and found out that they had got my old address and were checking the post code I was giving against that. At no point have I been informed that they would be keeping my address on file or that I would need to update it. When I asked the cretin in the call centre if I could be removed, she told me that there was no option whatsoever for not using the system or for being removed from it.

    So I changed my address and password on their website and then noticed the button that removes you from the service - something they claimed was impossible. What really pissed me off was when she tried to end the call with a violence-inducingly cheerful, "I hope that solved your query".

    Needless to say, that resulted in her getting berated again for not knowing the difference between a demand and a query or the difference between answering a query and telling your customer to get fucked.

  46. Anonymous Coward
    Anonymous Coward

    Egg do allow opt-out

    After exchanging some messages with Egg about 3DSecure I was told to phone up and ask for the SecureCode department to opt-out. I've done this and have been told that transactions should go through without my having to use SecureCode, but haven't yet tried it.

  47. Anonymous Coward
    Anonymous Coward

    @Credit cards! P.I.T.A.!

    Just using debit will work great until you want to buy a £25/mo mobile phone contract and they refuse you because of absolutely no recent credit history despite 5 figures of cash in the bank. Or, y'know, apply for loans and mortgages and so on.

    (True story, lesson learnt, credit score increasing...)

  48. Chris

    Depends on the banks implementation....

    I just think VbV and SecureCode need standardizing across all banks. The main problems I have encountered are having 2 Barclaycards of my own but being unable to register both under the same username; and having to share passwords with an additional cardholder because both cards are issued with the same number.

  49. J-Wick
    Thumb Up

    Steve - keep at it!

    To AC #1 & John Doe - it's his choice whether he does it or not, and he may (together with the help of others & El Reg) be able to force a change. Personally, I think VbV is just a way for credit card companies to get out of refunding fraudulent charges. It's another step for me, supposedly another layer of protection, but also another point of potential weakness in the chain for phishers & scammers.

    OK, so I see an unverified charge on my card. I want to be able to be able to call up my bank, prove that the charge is a fraud (e.g. at a gas station in Florida, when there ae two charges before and after, that same hour, in DC), and have them refund my money by the next day (or least agree to once I sign some forms).

    Would VbV do that for me? Of course not. Would it actually help me when fraud occurs? Doubt it. Why bother with it then? I wouldn't want it forced on me, either...

  50. Owen Williams
    Thumb Down

    Smile are on the bandwagon

    I asked to opt out of Smile's scheme and was told I can't.

    I took the opportunity to get another card. One where I get 1% cash back on purchases and 3% on fuel at a certain garage. That certain garage is doing the online banking, which is worrying but they may be behind in this latest 'service' to customers technology.

  51. Anonymous Coward
    Anonymous Coward

    Why the resistance?

    What's supposed to happen is that a merchant can only get the 3DSecure liability shift if they're not on the Visa/Mastercard "chargeback monitoring" list. This means they're less of a "risk" as far as the card issuers are concerned and as such get a lower "cost-per-transaction" rate.

    The merchants are happy because they get a lower card processing fees and liability shifts to the card issuing bank for fraudulent transactions (although not for "goods not received" chargebacks).

    The acquiring (merchant) banks get a reduction in certain transaction rates and the issuing banks, well, they're bound by the industry code they're in - but I guess they're hoping for improved "trust" in online shopping and therefore an increase in online transactions.

    3DSecure is an improvement - but it's not ideal... better would involve a physical card reader (generating some sort of per-transaction hash value) combined with online login and punters would never enter [full] card details on any website ever again.

    It's an attempt at nice fluffy web of trust as it stands... however the only drawback is how that trust can be broken.

    The preferred method of embedding the 3DSecure login in an iFrame means that the user can't see where that login page actually comes from. If I wanted to set up a scam website I could just as easily set up a scam 3DSecure login page and capture those details as well.

    Alternatively, If it IS possible to poison the DNS system (as has been recently highlighted) a sophisticated attack _might_ be able to inject it's own fake 3DS login page into that iFrame and capture the details (highly unlikely though, there are easier ways).

    Once the bad guys have got your 3DSecure login the whole "trust" thing starts to crumble.

    ----

    As an aside - I'm not quite sure how this will affect reliability... data gets bounced around a lot. Card details go from the merchant to the payment gateway and then a load of transaction id's and hash values are thrown around in a big loop. Something like:

    merchant -> payment gateway -> merchant -> 3DS bank page -> merchant -> payment gateway -> merchant.

    If simplicity is the key to robustness I can see this falling over occasionally; you've introduced a third point of failure into the system. Without 3DS it's a much more pleasant:

    merchant -> payment gateway -> merchant.

    --

    posted AC as I'm in the middle of implementing it

  52. Clive Page

    Prevents international use

    One of the worst side-effects is that Verified by Visa makes international use of credit cards much harder. A relative of mine in the US tried to buy a train ticket in Peru - the company handling this turned out to be based in the UK, and required Verified by Visa. His US Visa card would not work. In the end we bought him the ticket, and he paid us back.

    A little later I tried to buy an airline ticket from a US website, but they would only accept credit cards from the US, Canada, Australia, and the Phillipines. Apparently our cards are so much less secure than from these other countries. Once upon a time a Visa or Mastercard would work almost anywhere - but the system is breaking apart rapidly.

  53. Anonymous Coward
    Thumb Down

    Re: A Merchant's View

    I concur. We were basically told by RBOS we had to implement SecureCode for Maestro cards by last June or we couldn't support the card type (or rather, there would be financial penalties if we didn't). Having been through two implementations with two different payment gateways now, I think its a complete pile of shit, and easily spoofed. We've actually only implemented it on Maestro and are putting off other cards until we absolutely have to because so many people don't like, understand or trust it (despite us implementing a LOT of handholding), and its hurt sales conversion on debit cards quite badly. Interestingly, the daddy of E-Commerce sites isn't supporting 3DS/VbV at all; and they don't worry overmuch about CVV either...

  54. Anonymous Coward
    Stop

    The problem

    is that there's no way you can tell whether the initial sign-up page is genuine.

    All you see is a crappy-looking (unexpected) pop-up box asking for credit card details that you already entered.

    It's almost as if they are /trying/ to make it look like a phishing attempt!

  55. Andrew
    Unhappy

    Frown

    Compulsory with Smile - they didn't just offer me the chance to sign up, they actually signed up for me and used my answer to one of their existing security questions as the password. So now to every little site I buy anything from, I have to type in an important detail they could later use to impersonate me at my bank.

    Yeah, great way to increase security.

  56. BeachBoy
    Unhappy

    Retailers don't implement it properly

    I have no problem with Verified by Visa or any other such scheme, however I do have a problem with the script kiddies that attempt to implement it on retailers websites and don't do it properly (in my experience over 50% of the time).

    I'm lucky enough to be an Expat living in the sunshine, with a locally issued visa card. Sometimes I want to order stuff from the UK and thats where the problems start. The ordering process goes fine, the VbV goes fine and is passed, but then the site comes back with a declined message. This the upshot of which is the value of the now declined transaction is held as pending on my card (because Visa passed the transaction).

    Having spoken to support on a couple of sites its because though VbV comes back as ok things like the postcode/address don't because some foreign banks don't verify on things like postcode (which is part of a non VbV transaction). If your going to accept VbV on a site do so, and do it properly.

  57. Sean Ellis
    Go

    @AC 13:21

    "It's almost as if they are /trying/ to make it look like a phishing attempt!"

    Indeed. When I've had to use it, Mastercard's system triggers a XSS alert in Firefox3 with NoScript installed, which you then have to override manually.

    Oh, and my wife chose the secure ID password, so I can never remember the damn thing. But she did a pretty good job of choosing a secure one. I have taught her well.

    However, more security = better if it's done well enough, hence the GO icon.

  58. Steve Sutton

    There is another way

    My bank also made this mandatory - i.e. when I tried to pay with my card, there was no "no thanks" button. This combined with the fact that they won't give me full access to my on-line banking (i.e. making money transfers) without a card reader led me to discover that their slogan was indeed correct (although between them, my new bank, and my credit card company, they have screwed up at least one of my direct debits during the transfer to my new bank).

  59. Andy Taylor
    Unhappy

    I'm with Smile too

    Looking at their page on VbV, it seems that they have decided to automatically sign every customer up, but rather than have us all remember a new password, they have cleverly decided to use the "memorable name" from the existing security.

    Now this is great, I don't have to remember anything new, BUT given that most people will use their mother's maiden name as the memorable name, it is hardly worth bothering with, besides, using the same password for multiple things is bad practice.

    From the Smile website:

    "How to Cancel"

    Q: I don’t want to use Verified by Visa (VbV) how do I deactivate my account(s)?

    A: VbV protects your account(s) from unauthorised use. If a VbV password is registered by the Bank/smile, your card cannot be used at VbV subscribed merchants unless the password is entered for extra security. If a VbV password is not registered your card may still be used for online transactions. Therefore to protect our customers The Co-operative Bank/smile aim to register all of our card accounts for VbV.

    Q: I cannot use Verified by Visa, what alternatives are there for me?

    A: Simply contact customer services on the usual telephone number or e-mail address and we will be able to discuss alternatives with you."

  60. Anonymous Coward
    Anonymous Coward

    Why not use the card reader?

    I mean, if 3DSecure really is all about security, then surely this is the most secure way of doing it?

  61. Johan-Kristian Wold
    Go

    Other methods

    Norwegian banks have a common BankID scheme that's used for Verified by Visa.

    The confirmation page runs a Java applet that first requires you to enter you personal ID no. (Norwegian equivalent of social security no.), and the prompts you for a 6-digit code from an electronic code generator and a personal password.

    You use the same method to log on to your net bank, and requires another verification whenever you try to either pay something via the net bank or transfer money out of your account.

    With this scheme, for a transaction to be completed, you need:

    a) Your visa number.

    b) Your verification code.

    c) Your ID number.

    d) A one-time code that can only be had if you physically posess the key generator.

    e) Your personal password.

    It works pretty well, and even works on a mac...

  62. Anonymous Coward
    Boffin

    Verified by Visa & Mastercard Securecode

    Are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.

  63. Anonymous Coward
    Anonymous Coward

    I spent ages avoiding this

    Every time I canceled the transaction, MBNA blocked my card and then some drone would phone me and ask me to give identification. I explain that when someone calls me out of the blue I have no idea who they are, and if they ask for personal information, MBNA recommends that I dont give it. The last time they said that I was just being silly and the information was of no use to anyone. I explained that they themselves needed this information to allow someone access to my account so it most definately was of use to someone.

    Also, as I recall, the Ts and Cs used to say

    "You understand that you are financially responsible for all purchases made using 3D Secure" (which I complained about each time I had to unlock my account) but now says

    "You understand that you are financially responsible for all purchases made by you using 3D Secure"

    I'm seeing more and more this "if its complicated its secure" mentality.

  64. Steve Renouf
    Thumb Up

    Physical possession of the card does not mean ownership

    "The CCV (or CVV ?) code on the back of the card is to stop credit card fraud."

    Yes it was but, of course they soon discovered the fatal flaw in that - if someone has stolen your card, they can simply read the number off the back!! DUH!

    No system will completely stop fraud but at least this reduces it considerably by the user having to know some security information which is not obtainable by purely having possession of the card.

    The system is now mandatory for e-tailers (at least those on Streamline).

  65. Chris

    This isn't news...

    ...it's HISTORY!

    It's been going on for over a year now.

  66. Stevie
    Thumb Down

    Enrolled Vendor Alert

    Air Canada.

    Wife used my credit card to book flights. Air Canada insisted on an enrollment, which I assumed was some sort of Air Canada thing and, it being late at night and us needing to "get a life" back I said "Ok, use password blahblahblah, I'll remember it next time we use Air Canada, which will be in several years time". Next day I realised I would be stuck with this credential wherever I shop.

    Thank you Visa. If you wanted me to enroll in this thing I would have done so willingly since it absolves me of one more liability. All you had to do was *write* to me and explain the reason and method. This "web ambush ploy" device is only ever going to cause the sort of hostility that the commenters so readily report.

    You'd think that a company that had done business before teh interwebz would be unsusceptible to the terse rudeness that has supplanted Olde Worlde Biz Polite in the brave new world.

    Oh well.

  67. Anonymous Coward
    Paris Hilton

    It has been mentioned a few times in this thread, but...

    ... it needs stating explicitly:

    IF THEY RING YOU, DON'T RESPOND TO THE "I'LL JUST TAKE YOU THROUGH SECURITY" QUESTIONS!!

    It's very simple... the questions are intended to check that anyone ringing the bank/card company knows things that should be known to the real cardholder... i.e. "verification" of the caller.

    So, if THEY ring YOU, you should ask THEM for information that they should have on file, so that YOU can verify THEM as a legitimate caller.

    It's very small-minded, and I should be ashamed of myself, but I just love it when this happens... they ring me up, and I ask them for verification. Of course, they usually reach "Data Protection Act" within the first 5 seconds, after which the time taken (for them to give up completely) varies from under a minute (bright employee who understands the logic of what I'm saying) to - in one case - 20 minutes of arguing, which was nice, because they had rung me on my 07092 personal number (50p per minute)... payback for all of those stupid 0870 numbers that they love to use...

    Paris, as she is expensive and charges by the minute as well...

  68. Anonymous Coward
    Flame

    it's not about security

    It's all about making sure it's really YOU that they're profiling so they can sell good data to every other bloody data-gatherer on the planet.

  69. Doug Glass
    Go

    So? What's your point?

    What in the world did we do before plastic. He who doesn't want to use the system, their system btw, can choose, well ... not to use their system. It is their ballgame after all and they set the rules.

    Maybe we all need to do ourselves a favor and just cut up all our cards and revert to personal responsibility. I know, not the real world, but my two cards will go when they get to be a problem.

    Oh frelling well.

  70. This post has been deleted by its author

  71. Anonymous Coward
    Paris Hilton

    One word.....Whiners!

    VbV and MS SC are in place to protect the Consumer (yes you idjits), the merchant and the bank. Believe it or not, your bank is not the bad guy in this.

    The card schemes developed 3D Secure in association with company I work with. Well, actually Visa did. It is secure, it does work. We even have technology in place beat ECI 5, 6 and 7 type fraud. This is too expensive for the banks mostly as they don't like to spend money making their customers money secure.......

    3D secure is most effective when used in conjunction with CAP/DPA or other OTP solutions similar to the system in Norway or with a risk assessment engine to determine the legitimacy of the transaction.

    Stop whinging. You'll be pissed when you order 26 plasma TV's and pay for shipping to Estonia whilst you were asleep and end up wishing you'd enrolled.

    Paris, as even she knows it ain't that bad.........

  72. pctechxp

    My bank do this

    Smile.co.uk (internet banking division of Co-op bank) have made VbV mandatory on my debit and credit card as have the issuers on several mastercards I had.

    While I do think Steve should get out more, 'tis true that the system is open to exploitation and something better has to be found (one time password generation etc)

    However, if you are a bsiness owner, surely you'd want to reduce your exposure to fraud and resulting chargebacks so I'm sure you'd be opting yourself in Steve.

    In the meantime Steve, you could always apply for an American Express card as they don't at presrnt have an equivalent system but are red hot on fraud monitoring which is no bad thing (had several calls asking me to verify transactions)

  73. obed

    It's your money.

    You decide how secure you want to be with it.

    As for the extra security no one wants to deal with....well guess what? Deal with it! It's not the bank's fault.

    Banks have to place these new features to comply with new US FEDERAL regulations. They are not going anywhere. It sucks you have to deal with the issues and banks try to make it painless but there is always pain with anything new.

  74. Steve Sutton
    Thumb Up

    @Steve Renouf

    "Yes it was but, of course they soon discovered the fatal flaw in that - if someone has stolen your card, they can simply read the number off the back!! DUH!"

    So, some sort of Personal Identification Number number is in order then?

    Srsly though, you could make a webserver secure, by not connecting it to the internet, you could prevent people dying in car crashes by banning all cars, and you could prevent credit card fraud, by not issuing credit cards.

    At the end of the day, if you prevent people from using such things, or make them inconvenient to use, you defeat the object of having them. You have to draw the line somewhere, and IMHO, this sort of thing is a step too far.

    At the end of the day, there will always be the kind of scum about who think it's okay for them to take other people's property, and they're really to blame. Whilst what they do is not acceptable, we have to accept that those people exist. As much as it is important to make it difficult or impossible for them to commit their crimes, it is as important to catch the bastards and lock them up (I know, I know, it's not an ideal world and we all have to lock our doors, but like I said above, you have to draw the line somewhere)

  75. Darren B

    @chip and pin NOT mandatory

    Someone tell M&S Money that, they rejected a credit card payment in Wagamama's due to lack of C'n'P machines. When they called later to check on the use of the card they confirmed that they reject all payments made through non-C'n'P payment machines in case of fraud.

  76. Anthony
    Thumb Down

    No additional security with Barclays VbV

    Barclays Verified by Visa allows anyone who has the credit card in their hands to set a new password for VbV with just the card details and the card owner's date of birth. Since the latter is trivial to discover for most people, this adds almost no additional security to the process.

    http://fonant.blogspot.com/2008/06/verified-by-visa-barclays-style-zero.html

    And, of course, the whole secure-page-in-an-iframe thing makes it pretty difficult to check that the form you're typing your card details into is legitimate.

  77. Anonymous Coward
    Anonymous Coward

    Challenge-Response / Card Reader thingies

    That must be the answer.

    Yes I know some people find them cumbersome, but unlike the VbV / SecureCore jokes, they can in principle be made genuinely secure.

    Does any bank use these for normal online card transactions (as opposed to home banking)? If so I'd like to change to that bank.

  78. RoboPope
    Unhappy

    menace

    From a traders perspective its a nightmare, it costs us sales and the iframe setup is fraught with potential security issues.

    we are fighting it but it is definitely not optional

  79. JT2008
    Paris Hilton

    Re: CVV

    "Yes it was but, of course they soon discovered the fatal flaw in that - if someone has stolen your card, they can simply read the number off the back!! DUH!"

    Worse still ...the kid at Kinko's with the large photocopier in the back can copy both sides of the card ...instead of just the front.

    Look ma ...I have a credit card!

    Paris, because she likes it kinkos ...or kink-ish ...whatever.

  80. Jeff Deacon
    Black Helicopters

    Obviously on an IT site ...

    Obviously on an IT site, most of the issues raised have been about the various IT (in)security issues. But the WHY behind it has not had too much of an airing. Given the similarity with Chip & Pin, it is quite clear that the banks are, yet again, absolving themselves of any liability. When signatures were used for verification, then the person who accepted the fraudulent signature was liable for the loss, as set out by law (in the UK anyway). Now that PIN is the verification, that law no longer applies, and the cardholder is completely at the mercy of the issuing bank. How on earth can you PROVE that you have not inadvertently let slip your PIN? To the kangaroo court that is the bank's security department. Bank fraud is not a police issue any more.

    This trick is so similar to Chip & Spin that it is unbelievable! How can those who were automatically signed up by the Co-op/smile prove that they did not tell anyone else their mother's maiden name? It just takes a couple of enquiries to Somerset House to find that out! As Ross Anderson's crew at Cambridge keep pointing out:- Until the banks are financially responsible for the consequences of their poor security, there will continue to be poor bank security. Just for background reading try:

    http://www.chipandspin.co.uk/

    http://www.lightbluetouchpaper.org/2008/08/05/card-wars-the-phantom-menace/

    http://www.phantomwithdrawals.com/

    Of course the banks are doing their best to eliminate cheques. For the person who enquired above about arrangements before plastic, we used cheques and cash. So cash will have a resurgence for a while. How long before it is forbidden and then TIA/Matrix will have all the transaction information in the Government's hands?

  81. Claire Rand

    iframe? anti-phish?

    so on my machine, which has iframes blocked, and most javascript blocked, and popups blocked... and isn't running MSIE, and isn't a windows machine this works how?

    btw, I assume this sort of stuff *fully* complies with the disability discrimination act as applied to websites. e.g. works with screen readers etc?

    had this with the only attempt I made to use a crapital one card on line, had never heard of it so naturally closed the window, and decided to phone the bank to report the phishing, not that I figured they'd care much (they didn't the fraud people won't talk to customers.. wtf?) they told me this was for *my* benefit, I did ask if they thought it would have been a good idea to ooohhh you know *tell me about this* that drew a blank.

    not used that card on line since, I just phone the retailer and do the transaction by phone. more of a pain, but it generally works.

    retailers that I can't contact are getting zip from me anyway.

    told crapital one to disable my card and account from being used online, apparently thats "not possible", so much for consumer protection.

    plus the last phishing attempt I saw looked vastly more professional than these amateur efforts. least they make the effort.

  82. blackworx

    It just needs one single change

    I had a shitty time setting myself up with VbyV, including going through about a dozen registrations because I kept forgetting my password, via the already-mentioned, woefully inadequate method of confirming my DoB. But now that I'm using it regularly I can remember my fairly strong password.

    All the system needs is the ability to lock down your password and prevent further resets without manual verification of your identity (by visiting your branch in person) and then ideally a follow-up phone call and letter to confirm everything and notify you that your VbyV registration will be reactivated in x days, giving you a fighting chance should someone somehow game the system.

    I have no problem with retards who write down their passwords getting their accounts emptied, but If the banks are going to pass responsibility for fraudulent net transactions on to their customers, they should at least be providing proper security first. Those bastards.

  83. LaeMi Qian
    Black Helicopters

    opt out with scissors

    snip snip.

    Do it in front of the bank manager for best effect.

    With a local news crew filming for bonus points.

  84. Salary cap..... humbug!

    Why not use pin sentry..........

    For accessing on-line banking facilities Barclays issue account holders with a hand held device like a small calculator that you put your chip & pin card into and then type your pin into it. It will then give tou a one time use only, 8-digit pin number to access your account with - a bit like the RSA card type of login for corporate networks. I'm sure something like this could be easily adapted to on-line visa purchases.

  85. Anonymous Coward
    Anonymous Coward

    "I hope that solved your query"

    I love this one.. and variations of it. My usual answer, if the outcome is not satisfactory, is "uh, no."

    Followed by insisting, "we can't help you now; but we sure will do so at some hither-to-unknown time in the future", or something similar I dunno it all sounds the same after awhile.

    My own bank had the gall to say "we were the first to offer the service several years ago" when I complained about the approvals process. Yeah, and you haven't done any improvements since I guess..

  86. Anonymous Coward
    Thumb Down

    I've set my Securecard code up

    24 times now. Twenty four seperate times.

    Every single time it's failed. Every single time it says "okay" and then next time I try to use my card the password doesn't work and I have to ring up and reset it.

    Every. Single. Time.

    It's a fucking shambles.

  87. John F***ing Stepp

    Being a confirmed follower of Ned Lud. . .

    I do not have a credit card.

    And if you don't have a real physical address, then you don't really exist do you?

    So, okay then what pig in the poke are we buying again?

  88. Daniel B.

    Re: Challenge-Response / Card Reader thingies

    All Mexican banks are required, by law, to use OTP's since March 2007. However, it seems the banks failed to extend this scheme to the Securecode / VbV apps.

    And the whole scheme seems to be discriminating against banks that *haven't* jumped in: one of my MasterCard CC is always declined in 3DSecure-enabled merchant sites. Oh well...

  89. Scott
    Thumb Down

    Glad I'm not the only who doesn't like it.....

    I first ran into this "SecureCode" at two computer websites I buy from. At first I would just click or close the window and still buy my stuff, now it's mandatory and worse it's showing up everywhere.

    I couldn't enter a code I'd never signed up for, and when I asked my bank what was going on, it was the little scrolling marquee at the bottom of the website that was supposed to tell me about it. No e-mail, no letter, that's it.

    So I sign up for this "SecureCode," which apparently is easy enough to do and to change, which makes me question the whole point to it. If someone steals my identity or swipes my card number, it's easier to change the SecureCode than to know the three letter CID number, as the CID requires actually having the card in hand.

    So to buy online now I need a minimum of my card number, expiration date, CID number, and now this SecureCode. If they're real uptight I'll need my phone number and address, and if they're real snots or governmental my mother's maiden name and the last four digits of my social security number.

    Anyone remember the good old days of cash?

  90. Anonymous Coward
    Anonymous Coward

    I Guess I am Lucky...

    I have 3 separate Visa credit cards and only one is registered for online purchases/transactions via Verified by VISA (VbV). I never ran into any problems with VbV. I did make my VbV password extremely strong and takes time to look it up in order to enter it, but I have not encountered any problems.

  91. Foo Bar

    And some banks enrol without making it available to all their customers

    ANZ bank enrolled, except they did it only for their Australian customers, not their New Zealand customers. But Visa doesn't know that, so whenever I (as a kiwi customer) try to make a purchase, I get a 'Verified by..." dialog that I cannot fill out, because as one of their kiwi customers I cannot sign up for it.

    It's completely screwed up and annoying. I wrote about this madness here ( http://www.geekzone.co.nz/foobar/5256 ) and here ( http://www.geekzone.co.nz/foobar/5294 )

  92. Anonymous Coward
    Anonymous Coward

    VbyV is c**p

    VbyV is a load of b**cks. It prompts you for the same information you just entered on the ordering page of the website! Ah, it does ask you for your date of birth and VbV have the wrong DoB set for me and I've been refused permission to make the purchase! I rang up VbyV and we clarified this, but alas, the DoB didn't get changed.

    I've given up with the muppets. So whenever I make a purchase and I have to use VbV I have to remember to enter the wrong date.

  93. Anonymous Coward
    Anonymous Coward

    RSA Secure Remote

    Some people are applauding the introduction of these schemes as an effective way to prevent fraud.

    If you want to really prevent fraud, give the customer a RSA SecureRemote Key Fob token, where the integer on the display changes every 1 minute.

    I'd happy pay an extra £10 or even £20 to prevent fraud on my account.

    This will be a far more effective way to increase security. It will probably virtually wipe out credit card fraud overnight if the CC card companies introduced it. But they won't.

  94. Dan White

    @Ross Ryles

    S'funny, my Barclays "pocket Crypto Calculator" seems to always start with a four. I suspect there are different flavours of crypto function going on in different batches of devices.

  95. Anonymous Coward
    Flame

    Re: One word.....Whiners!

    Yes, we are whining about it. And do you know why? Because it is an exceedingly crap way of preventing fraud, and a highly irritating system to use. The fraudsters know that 3D Secure verified transactions sail through fraud profiling, and make use of that by also collecting the details required to reset the password.

    The Cyota implementation is absolutely appalling, the emails it generates look exactly like phishing emails (even down to the masked URL). The registration details for securesuite.co.uk look very dodgy. I could continue, but you get the gist.

    Given that you work for a company who designed the system, you can hardly be objective about it.

    And no, I wouldn't be that pissed off about 26 TVs being ordered on my card, because I don't bear the cost of that fraud, the merchant does!

  96. Wayland Sothcott

    Carrot and Stick

    Notice how the carrot is that the merchant is less liable for loss since that's accepted by the bank if you use this. So it's the merchants who push this on the buyers, very smart. The stick is that buyers will have their card blocked if they refuse. At the same time it does not really cut down on fraud, just introduces a new weakness. This can mean that there are a lot of calls to have cards unblocked and new passwords issued. And the phishing site mimic of the varification screen.

  97. Anonymous Coward
    Anonymous Coward

    ID details

    In my office, we have to input the numerics from the postcode where statements for the card go, and the numerics from the address, as well as the usual card number, cvv and expiry date, for any cardholder-not-present transactions. This is supposed to help with (combatting) fraud (someone can have all the details, but is presumed not to know where the card "lives").

  98. Anonymous Coward
    Anonymous Coward

    VBV

    the thing i dont understand is how easy it is to make a new password, anyone with your DOB and card could easily just do it themselves anyway, i have made a new password about 10 times as I can never remember it,

    to be honest, given that its so easy to do it, this 'steve' isn't proving anything to anyone by not just enrolling, he's just caused himself a load of hassle by making himself look dodgy (as is the point of the system, im actually somewhat encouraged that this thing seemingly would do something if someone had actually acquired /some/ of my details) and not bought a load of things he would've liked to, well done!

  99. Anonymous Coward
    Thumb Down

    It's taken a while...

    ...but good to see El Reg finally covering this. About a year ago I got plssed off with being forced to partake of the 'optional' Verified by Visa plan. I very nearly left my bank as a result, but then just used a different card for all online purchases. Now I'm being told that I have to use Mastercard's 'SecureCode' for that card.

    I tried to explain to the bank that I'm not a technophobe; I know what precautions to take in order that my cards don't get ripped off online, and that the CCV, cardholder name and address are all supposed to stop card fraud. One simple password (probably the same as my other passwords so I can remember it) isn't really going to make a huge amount of difference. But as usual, they just parrot the party line about it being for security. Numbnuts

  100. Mark

    Silly me

    I thought this was about people being bullied to use *Vista* (Verified by Vista).

    D'oh!

    PS I've had a cold call from my bank and they wanted security questions answered and I asked what it was about to see if they needed to know this. Unfortunately, knowing the answer to what they wanted to talk to me about was insecure (unlike me giving them my mothers maiden name, which is of no use to scammers...).

  101. ShaggyDoggy

    MBNA = idiots

    I used to have an MBNA card.

    When rung up by them (and this happened many times) it went like this

    (beyond belief but believe me this is verbatim)

    MBNA: This is MBNA here what's your first line of address ?

    Me: <tells them number and street>

    MBNA: What's your password ?

    Me: If someone rang you up out of the blue and asked you for your address then password, would you give it to them ?

    MBNA: I need your password to continue this conversation

    Me: You're not going to get it, please tell me this was recorded and then ask your supervisor to play it back.

    MBNA: Are you not going to tell me the password then ?

    Me: No

    MBNA: I can only continue after you tell me your password. It's for your own security.

  102. Anonymous Coward
    Thumb Down

    @Egg

    >I have Egg Visa and Mastercard, and both signup routes failed at the same >point: they denied that my card number existed. That was some weeks back. >Egg have yet to come back with an explanation.

    Egg are a joke - apart from the cancellation of customer cards that don't make them any money, they are a nightmare to deal with.

    Last year I was trying to check into a hotel in LA but my Egg Visa card was declined, when I rang them they told me that fraudulent use had been detected, the card was cancelled automatically and replacement would arrive [back in the UK] within 72 hours - the fraud their system had detected was 'someone' trying to use my Egg card in LA.

  103. James Prior
    Go

    Is fraid that hard to spot?

    All it takes is a right click on the iframe to check it features SSL.

    And a fake site is going to ask me for the whole password, not the standard 3 digits of said password. If you don't realise that then you deserve to have your details stolen.

  104. Jon

    remember remember

    Rembering passwords is now outdated. You have to make it non word, somtimes with Capitals, somtimes with numbers and somtimes with a symbol, somtimes no more than 8 letters. Different for every site and then perhaps only use it evrey 1-2 months. This leads needing a password repositry. Now a chain is only as strong as its weekest link so if evreyone started using repositries they would become number one target for attacks.

    I think for now the most secure we have is the chip and pin, One time pass system and this only requires memory of a four digit number and having a card present.

    [sarcastic] at least with VbV you only really need to "remember" your date of birth as this is all the forgot password box needs to let it sail through (why cant i just make that 8 digit number my password)

  105. Nick H
    Stop

    This is why I don't shop online without my Amex

    I despise Visa. The fact that a) they are managed by different banks and b) said bank can sell it to another bank just SUCKS. I had my SunTrust Visa, which was managed by MBNA sold to Bank of America. We all know how much ass BOA sucks. Well they promptly switched me to a no grace period card, since I never carry a balance (on any of my cards). So I TRIED to cancel - talk about rude account reps. Took me two calls to cancel.

    I NEVER have this trouble with Amex..why? because Amex controls Amex. Are they perfect? Hell no. Are they 5000x better than Visa? Yep.

  106. Nealle Page
    Coat

    what a prat

    What is it with the British and the dogged avoidance of things related to security?

    I worked on deploying a 3d Secure system 3 years ago and while it may not be ultra secure and open to potential attacks it is still better than nothing.

    Sometimes you just have to do it. By the way it was never intended by Vis or MasterCard that it stay opt-in. it was just until people got used to the idea.

    Steve complain about something else, and Reg editors stop given screen space to whiners. i come here for a sceptical look at real news.

    Mine's the one with the ID card in it, (since I am an immigrant I should be getting mine in November along with the airport workers)

  107. James Grinter

    Cyota/securesuite.

    Cyota/securesuite has been mentioned before in Register stories and in comments: I agree with Mo, and others - it's wrong for banks to be encouraging their customers to type in personal financial details to a website of an unknown company.

    About the suggestion of OTP SecurID-like tokens on credit cards - ironically RSA have announced such a product (see http://www.securityinfowatch.com/online/Financial/RSA-puts-SecurID-into-card-form-factor/16047SIW339 - and i'm sure other companies are working on it too). But I suspect the cost would be too high for banks to consider buying and distributing them - it seems they'd rather take the loss on fraud instead, or pass it onto their customers, instead.

  108. Hugo
    Unhappy

    Smile: "A really secure e-mail"

    I'm not sure I like having to enter my Smile password on other shopping websites. How do I know they're not phishing for it? That compromises my normal Smile logon.

    Here's the email I got from Smile on the 3rd June that I've only just bothered to read. That third paragraph says they've automatically registered your cards with VbV and "If you do not use the service, we may not authorise further internet transactions with participating retailers and suppliers." and they've already changed (or "varied" in newspeak) their terms and conditions for me.

    =================

    There are some shady types out there on the interweb, just dying to get their grubby little hands on your debit and credit card numbers. That's why we're introducing a service called Verified by Visa, which lets us work with Visa to make sure your online transactions are more secure than ever.

    How? To take security up to the next level, the memorable name you've chosen for your internet banking access is now also your Verified by Visa password which you'll be asked to confirm every time you shop online at participating retailers. This adds a whole extra layer of security to your online shopping. And because you haven't written this down anywhere - you haven't, have you? - only you know it, so it's much harder for anyone else to use your card details without your knowledge.

    Your smile card(s) and any personal cards you hold with The Co-operative Bank will be automatically registered for Verified by Visa in about 30 days. Then, if you pay for goods or services ordered on the internet using your card and the retailer or supplier participates in Verified by Visa you will need to use the service. If you do not use the service, we may not authorise further internet transactions with participating retailers and suppliers. If you have a current account with us, your terms and conditions have already been varied to include this condition, please refer to condition 9.8. Credit Card Accounts with an authorised card will not yet be registered for Verified by Visa.

    Forgotten your password? Not to worry. Just choose another one and either call us on 0870 843 2265 to tell us or go online to register it. This way, your transactions will be safer - meaning there'll be one less thing in life to worry about (you're on your own with that decision to paint the bedroom lime green).

    Thanks

    smile

    =================

    Oh, and in other news they've also asked me to always login and send them a secure message whenever I go abroad so they know not to automatically bar it and then make me spend lots of time and money on my roaming mobile to re-activate it. I used to like Smile, but now they're turning into Frown.

  109. Anonymous Coward
    Unhappy

    @Stuart

    That Co-op card won't be any good to you for much longer. They are enrolling everyone in VbV. I got my letter yesterday.

  110. Anonymous Coward
    Stop

    Re: Is fraid that hard to spot?

    "All it takes is a right click on the iframe to check it features SSL"

    Yep, and you'll find that this unexpected IFRAME is for some bizarro domain in Brazil.

    And you *willingly* re-entered your credit card number and details into this box??

    Tell you what, I have a bridge I'd like to sell you.

    Criminals have SSL certs too, you know. SSL != "secure"

  111. Anonymous Coward
    Anonymous Coward

    banks are not the same as payment agencies

    There seems to be some confusion here, banks are not the same as the payment agencies. Visa, Mastercard, AMEX et al mandate to banks how they should operate. The security required by the payment agencies is constantly improving hence you see change in what is required.

    There is not some conspiracy to make customers responsible for fraud. The requirements are to make fraud less likely to occur, hence why the transactions are being pulled back into the bank's datacentres, rather than the merchants. This removes (or will do when it is fully complete) the merchant as a potential weak point in the security chain. It should also be remembered that if customers of banks do become the victims of fraud, it is the customers as a whole who loose out, the money that the bank uses to refund them is ultimately contributed by the other customers.

    The CCV number is only designed to prevent someone taking an impression of the card, it means that you can't use one of the old-style swipey card and carbon paper thingums or take a single sided photocopy of a card and be able to use it online/on the phone. That is all it does, it is a small security feature.

    SecureID tokens would be great for each customer of a bank, but they are _very_ expensive. Typically you are looking at £50 a pop, obviously this would come down drastically in the kind of bulk that a bank would use, but they do break and they do expire, they are vastly more expensive than a card and one of the readers that are currently being used.

    As another point, if the merchants can pass off the authentication to the banks and have no need to have the kind of systems security mandated by the payment agencies, this will be good for the customers, as you don't have to fund the extra infrastructure involved.

  112. Anonymous Coward
    Unhappy

    Re:Smile: "A really secure e-mail"

    Smile Visa have the *worst* online fraud department I've ever come accross.

    Within a few weeks of getting my card, some bozo accidentally (?) entered my card number when buying tickets on Ryanair.

    Despite the fact that his name, address and everything else didn't match, they still processed the payment. Then they took a whole month to respond to three secure messages and a phone call disputing the charge, before finally deciding (two days before I go on holiday) that they need to cancel the card and issue a new one "to protect you from fraud".

    Eventually they decide that the transaction was fraudulent, and issue a refund - to the cancelled card!!

    Idiots.

    Once I'd finally got my money back, I gladly cancelled the card (in writing). Even so, it still shows up as a live account when I log in to the website...

    No :-) for you.

  113. Anonymous Coward
    Anonymous Coward

    Security issues

    The issues I have with VbV are:

    1. In my experience if I have javascript disabled for the third-party VbV site which I've never heard of, I can enter my password and it's reported as wrong even when it's right. After 3 attempts the card is locked out. So in order to prevent this I have to enable javascript for the third-party VbV site.

    2. My bank enforces the password to be the same as one of the passwords I use to log into my online bank account. Before VbV that was known to me only and used to access one service. Now it's potentialy known to someone else and used to access more than one service. I want to have separate passwords, but the bank "recognises that people have difficulty with this and so have arranged for them to always be the same".

  114. steward
    Black Helicopters

    This is a wonderful business model

    That is, if Visa wants to promote use of American Express, which I've been using since I first hit a Verified by Visa screen!

  115. ElFatbob

    @ James Prior

    I would say a lot of people are not as technically aware as yourself.

    Why should they have to right click in an iframe when the point is that this is an inherently bad way of implementing 'security'.

    Your comment makes you sound like a pompous twat.

  116. Schultz
    Thumb Up

    Number, numbers, numbers...

    should make the number crunching cybergeeks happy. So what do you all complain about one more line of code in the matrix of personalIDentity?

  117. Solomon Grundy

    CCV/CCV2

    These things were supposed to prevent fraud too. Why aren't they working? Why is any system going to work better? There are inherent risks in dealing with any type of funds transfer be they cash, travelers checks, money cards, whatever. Theft is a part of money and everyone must accept the risks and go on about life. There is nothing that will prevent fraud 100%. Life would be better if people would accept this and move on.

  118. Richard Silver badge
    Stop

    Why VbV and Mastercard SecureCode are poor systems

    A) Most banks don't tell you the system exists until after you've been shown it.

    B) It requires that you re-enter your CC number and further details into an IFrame of obscure origin that you did not expect.

    C) If you do expect the IFrame, it's relatively difficult to check that the IFrame is really from your bank/card issuer/payment verification system.

    The reason for this is that you do not know WHO is supposed to be sending the IFrame (it's not necessarily your bank), and it's not even the same place each time, so if you check the certificate you don't know if it's the right one.

    The form and appearance of the IFrame is the same across the vast majority of users - there are basically two different ones. It's therefore incredibly easy to spoof.

    To top it off, all a black hat needs to do to learn all your security details is easy:

    1) Spoof an IFrame that looks correct when the user gets to the payment verification stage where it usually appears.

    2) Refuse your details, no matter what is entered.

    3) Offer the standard "Re-register" options.

    4) Harvest all details required to re-register.

    5) Pass back to merchant site. Doesn't really matter if they can make the merchant think it's OK or not.

    The black hat can now use your credit card any time they want, and you'll never realise it until you get the bill.

    Step 1 is the only technically difficult part, but it's only hard if the black hat doesn't have access to the merchant's servers.

    So if the black hat is the merchant, or has compromised the merchant's site in some way...

    The underlying concept of VbV and Securecode isn't fundamentally bad, but as seems to happen very often it's been incredibly badly implemented.

  119. Anonymous Coward
    Alert

    GIANT Phishing hole

    I can see the Phishers coming onto this in flocks! VERY BAD MOVE GREEDY BANKS!

    implement something sensible which is verifiable as genuine by the consumer, and more fraud proof. this is VERY alarming!

  120. Anonymous Coward
    Joke

    SecureCode is annoying

    All SecureCode does is add yet another password to the list of things I have to remember. A password that's just as easy to snoop as any other, and is easy to phish as Richard suggests above.

    SecureCode certainly didn't seem to be voluntary from my perspective as an end user, I couldn't work out any way to buy my goods until I'd enrolled.

    It's almost in the same league as the idiots at the bank that call me from an private number, and ask for proof that *I* am who I say I am. Not happening.

    That same bank that wants my email address so they can send me stuff, which could just as easily be spoofed.

    The very same bank that just has a password and a secret password for internet banking. :rollseyes:

    I posted this with the joke icon, because that's what I think their online security is ;)

  121. Alex
    Go

    Too stupid

    Perhaps it's some sort of test - if you're too stupid to remember an 8 char password you're too stupid to have a credit card. I have a system for passwords - the password for each site is different but I immediately know what the correct code is even if I haven't used that site for more than a day, or sometimes even 2 days!!!

    I mean what, exactly, is the problem? This system is trying to prevent fraud and most people seem to be saying, "NO! STOP! It's too hard - please allow criminals to rip me off cus I'm too stupid to remember a password."

    I've used both VbyV and SecureCode and it really isn't that hard.

  122. Dave Ingram
    Boffin

    Cardreader and VbV

    In the past I had an ANZ Visa (oz version) which was the first card in Oz to have a chip. A free USB card reader was provided (which work well for GPG now) so the card could be used for the 'new' verified by visa system.

    The idea was that once the card was registered, Visa would know it was a chip card and that for any VbV transactions the card would have to be placed in the card reader, proving that the person making the purchase had physical possession of the card. I think a PIN was needed too.

    Given how many Chip cards are around now, why isn't this adopted by the banks? Could it be that managing digital certificates is too hard for the average punter? The tax office has stopped requiring them here for online tax returns.

    I've only found one online IT retailer that requires VbV or Securecode and as my mastercard provider didn't offer Securecode I couldn't purchase from them. There response was to get a different card and my reply was that I'd order the gear from someone else.

    I have a new mastercard now, no chip in it and no securecode option. Hard to believe it's been issued by a bank owned by HBOS!

  123. spam
    Unhappy

    Hate it

    I guess I'm not the only one. It actually resulted in my receiving a double order (and double-bill) because it looked like my first order was declined... only it wasn't. Yech!

    The worst part is it obviously doesn't make *me* the slightest bit safer.

  124. Andrew
    Stop

    @Alex Re: Too stupid

    Alex - Apparently *you're* the one who is too stupid. Nobody's saying they couldn't be bothered to remember another password - we're complaining that this scheme doesn't actually add any extra security, just the illusion of it, and in fact as it currently is implemented it may be making online fraud *easier* for the perpetrators. Worse still, it shifts the burden of proof away from the banks and merchants onto the consumer, who has been opted in against his better judgement into this so-called voluntary scheme. The whole thing stinks.

  125. Anonymous Coward
    Thumb Down

    Password....??

    I'm with First Direct, which since August 1st now uses VbyV for it's Credit Cards and Securecode for it's debit cards. So far I seem to have been lucky in that I haven't yet used a website which has signed up to either system - but I'm sure it's just a matter of time...

    First Direct seem to be making the VbyV and Securecode security system mandatory for their customers. You have 3 online opportunities to register - if you don't register, then your card is zapped...

    As a cut/paste from First Direct's website will confirm...

    ""From August/September 2008 when you place an order over the internet with organisations that participate in MasterCard SecureCode™ (for Maestro debit cards) or Verified by Visa™ (for Visa debit cards) (designed to prevent fraud) you will be invited to register for the service applicable to your debit card. If you do not do so, as part of our fraud prevention measures, we may not authorise the payment for your order and further internet transactions with participating organisations.""

    I'm concerned about the systems from the point of view of forgotten passwords. It seems incredible that you can steal a credit/debit card, and then with just the info on that card (plus the cardholder's DoB) you can create a new password and then start to make fraudulent online transactions. Madness. How is this an extra layer of security??

    I for one will not be registering with VbyV or Securecode. If this reduces the number of online sites I can use to make purchases, then so be it, but I'm not entering my details into a pop-up and laying myself open to possible online fraud. Fuck them.

  126. Anonymous Coward
    Anonymous Coward

    true.

    I hate this god damned thing and have been at the last stage of many purchases, when it decides to pop up and tell me I must sign up and remember BS security details. All times I have refused. One time I managed to get past it somehow. Another time I went to another website to buy the item and all the other times I just didn't buy what I planned to. Their loss.

    Here's what I find MOST annoying. Websites and services are constantly signing you up to extra things, making you choose a password and security questions. You must remember these 5000 answers and codes for each place you use, they must all be different and not easy to guess but you must also not write them down anywhere.

    If you forget or mistype/misguess your password 3 times you are locked out of using your card/account and must (probably wait until the next day) phone up, answer security questions over the phone (a different set!!) tell them everything you bought last and how much it cost (hopefully you remember that!) then you must wait for them to activate your card/account again.

    Oh, but not before you make another NEW password that you will remember this time.

    I am absolutely fuming at this Visa verifying scheme. It is nothing but inconveniencing customers and making THEIR lives easier. I also do not want to use it but as far as I know switching banks/cards is pointless as all plan to implement it.

    I do not want to have my card frozen or purchase cancelled/stalled all because I forgot or mistyped some random UNNEEDED password and answers to a mini-quiz.

    I am also not sure if the website you buy from gets this info. Does anyone know? I haven't been able to find out yet. All I get is their spin for the sheeple about how good and safe and secure and necessary it is. I don't want the email used for verification passed on to every company I buy from. I use throw-away email addresses to buy goods and do not plan on changing that.

  127. Anonymous Coward
    Thumb Down

    to Alex

    It looks like you are the stupid one. You have missed basic details about their supposed fraud protection for customers. Do yourself (and us) a favor and get over yourself quickly. Most of us here have read that password making method that you are so smugly trying to pass off as your own little genius idea, and as such, your password is not as secure as you think it is. Since most computer savvy people (and normal people too) are aware of many people using that type of password, you are definitely not as high and mighty as you think you are, and may even leave yourself MORE vulnerable.

    Also, since your passwords follow a pattern, and are actually very simple (by admission!), whereas most peoples (that you are criticizing) are the randomised, long, number + letter combination...It would actually MAKE YOU the stupid one (once again), since you employ an easy to remember, and easier to crack password system, and everyone else is memorizing about 20 individual combinations. How did you not get that?

    FYI people not agreeing with 'your' method does not make them stupid. Not taking the easy route does not make one stupid. Having a bad memory does not make someone stupid either. We are not talking about remembering ONE 8 character password here. Too bad. Good luck.

  128. tony benton

    Always think simply.

    I am not in banking and not a heavy card user but I think that I have a much simpler system and no third party interrogation. The question, is anybody interested? Banks like most large institutions create departments of wizards who never get it right but that doesn't seem to matter. In the meantime its the customer who looses out. If there is a bank that is interested I am here.

  129. Mohclips
    Pirate

    secure - well...

    http://www.google.co.uk/search?hl=en&q=site:securesuite.co.uk/

    pick a bank...

  130. Bob Arthur

    Anti-phishing

    What a lot of people bemoaning the phishing potential of the scheme are missing is that a properly written issuer system will present the user with a personalised message when asking for their password.

    If you don't see the message, it's not your issuer. VbV/SecureCode is a good system.

    Admittedly, some issuers don't implement the personalised message, or present a static one. This is poor practice, and I'd recommend complaining to your issuer or switching if this is the case.

    Bob.

  131. Anonymous Coward
    Thumb Down

    Re: Anti-phishing

    @Bob

    How on earth is the average punter supposed to realise that the absence of a "personalised message" means they are being phished? Especially when the personalised message is optional and most issuers don't bother with it anyway.

    And the IFRAME implementation means that even if you DO have the nous to check the certificate, you find it's registered to an untrusted third party in a foreign country.

    Good systems need to work in the real world.

    As implemented, VbV/SecureCode is not the good system that you claim it is.

  132. tony benton

    Anonymous card

    See my Sat 9th. Every card change brings inconvenience or another group of card-breakers. As Anonymous Coward says good systems need to work in the real world and the one I have in mind makes the card anonymous to all but the approving bank and only in a brief form to them. No passwords!!!

    IF IT WORKS it would be almost invisible. More importantly, considering how people hate change, it is virtually the same as prior to VbV for the user.

    Any suggestions on who to approach.

This topic is closed for new posts.

Other stories you might like