* Posts by Crispin Edwards

1 publicly visible post • joined 23 Oct 2008

Merchants and punters cry foul over Verified by Visa

Crispin Edwards
Unhappy

Disappointing Article

I don't often read The Register, but this seems a particularly poorly researched article with just the kind of biased negative view that proliferates through the online industry, giving credence to the e-comm sites that refuse to implement. Clearly John Leyden doesn't know his 3D-Secure from his elbow, making statements like, "Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme." as detailed in feedback below.

Other 'bloopers' include:

"These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank"

If in an iFrame, the user can't see the URL the content has come from; plus, what is your bank's own logo if not a connection, not to mention the website's name and the PAM? I'm interested in the claim to be able to reproduce the PAM in a phishing site, but not surprised - no matter how secure the solution, e-commerce still requires the user to have some sense not to buy from a phishing site.

"Punters aren't informed up front that a merchant has signed up to Verified by Visa."

Yes they are. It is a requirement of 3D-Secure that the site displays logos prior to the checkout page.

"sites... routinely deliver a dialogue box using a pop-up window"

Pop-ups have been outlawed for years in VbyV implementations.

"it's hard to see how card details + CVV number + VbyV login is any more robust."

In the same light, if card and signature were no longer considered secure, I suppose it is hard to see how card and PIN is any more secure? Illogical.