Note to Steve...
Steve, get a life.
The Verified by Visa system may be marketed as an optional opt-in system for internet shoppers, but some banks are forcing users to enrol after only three attempts to avoid it. The unpleasant experiences of Verified by Visa refusenik and Reg reader Steve are likely to be faced by other cardholders, according to Andrew Goodwill …
Steve, get a life.
The mastercard 'securecode' service is just as horrible as Visa's. As noted in the article, the use of an iframe for verification is a terrible approach, making it essentially impossible for the average user to know whether the site is genuine & secure, because the browser only gives you direct information about the containing page. The mastercard securecode website itself has less-than-stellar reliability - it often times out dealing with requests, requiring a re-submit (making you wonder if you're going to be charged multiple times), or fails completely for extended periods of time, forcing you to telephone the retailer to place the order instead, or simply abandon the order.
Having implemented 3DSecure for work, part of the API allows the merchant to decide if they want to continue the transaction if the customer has opted out of being verified. When we get the response back, it tells us if it succeeded, failed or they are not enrolled.
Simply put, if the customer has verified by Visa then the liability is on the bank, but if they are not enrolled and have opted out, the merchant may decide not to accept the liability for that transaction, and decline it themselves.
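The merchant-side decision the comment above describes, as an added example that is not code from the original poster, from any bank or from a card scheme's SDK. It assumes the enrolment check comes back as 'Y' (enrolled), 'N' (not enrolled) or 'U' (unable to verify), that the authentication result is 'Y' (authenticated), 'N' (failed), 'A' (attempted) or 'U' (unavailable), and that the issuer returns an authentication value (CAVV) with a successful result; the class and function names are my own.

```python
"""Merchant policy for a 3-D Secure (Verified by Visa / SecureCode) result.
Added illustration; the status codes and field names are assumptions, not
taken from the thread above."""

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ACCEPT_LIABILITY_SHIFTED = "accept; issuer carries chargeback liability"
    ACCEPT_MERCHANT_LIABLE = "accept; merchant carries chargeback liability"
    DECLINE = "decline"


@dataclass(frozen=True)
class ThreeDSResult:
    enrolled: str                 # 'Y', 'N' or 'U' (assumed enrolment codes)
    auth_status: Optional[str]    # 'Y', 'N', 'A', 'U', or None if no auth ran
    cavv_present: bool = False    # issuer supplied an authentication value


def decide(result: ThreeDSResult,
           accept_unenrolled: bool = False,
           accept_unavailable: bool = False) -> Decision:
    """Map the issuer's answer to accept/decline plus who carries liability.

    accept_unenrolled / accept_unavailable are the merchant's own policy
    knobs: whether to take on the liability when the cardholder is not
    enrolled or the directory/ACS could not be reached."""
    if result.enrolled not in ("Y", "N", "U"):
        raise ValueError(f"unknown enrolment status {result.enrolled!r}")

    if result.enrolled == "Y":
        if result.auth_status == "Y":
            # A 'Y' without the authentication value is inconsistent; treat it
            # as tampering rather than trusting the status alone.
            return (Decision.ACCEPT_LIABILITY_SHIFTED if result.cavv_present
                    else Decision.DECLINE)
        if result.auth_status == "A":
            return Decision.ACCEPT_LIABILITY_SHIFTED
        if result.auth_status == "N":
            # Cardholder failed authentication: never continue the payment.
            return Decision.DECLINE
        if result.auth_status in ("U", None):
            return (Decision.ACCEPT_MERCHANT_LIABLE if accept_unavailable
                    else Decision.DECLINE)
        raise ValueError(f"unknown authentication status {result.auth_status!r}")

    if result.enrolled == "N":
        # Not enrolled / opted out: the merchant chooses whether to carry it.
        return (Decision.ACCEPT_MERCHANT_LIABLE if accept_unenrolled
                else Decision.DECLINE)

    # enrolled == "U": directory server could not say either way.
    return (Decision.ACCEPT_MERCHANT_LIABLE if accept_unavailable
            else Decision.DECLINE)


if __name__ == "__main__":
    for r in (ThreeDSResult("Y", "Y", True), ThreeDSResult("Y", "N"),
              ThreeDSResult("N", None), ThreeDSResult("U", None)):
        print(r, "->", decide(r, accept_unenrolled=True).value)
```

The only hard rule encoded here is that a failed authentication ('N') is always declined; everything else is a policy choice the merchant makes knowing who will eat a later chargeback.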
Nothing irritates me more than some bank 'phone bod asking me a whole string of stupid questions, the answers to which I can never remember, and then telling me that it's for my security.
This sounds more of the same.
It's not for my security: I am nicely protected by various consumer and credit laws. It's for your protection, you greedy, irritating, lying bastards.
The CCV (or CVV ?) code on the back of the card is to stop credit card fraud. Now I have to have that and a password ? What a bunch of complete w@nkers, er, b@nkers.
My main problem with VbV and Securecode is that I don't purchase enough stuff to remember the secure password that I set. So either I have to store that password somewhere, which could be considered to be insecure, or I have to set a password that is very easy for me to remember (which will probably also be insecure).
I have found that even when there isn't a "no thanks!" button with Natwest, if you get past the first page of activation (before it asks you for a password) then on the second page there is a "cancel" link which has worked every time.
Paris because the system is retarded.
dude, you should stop being an anal retentive and just enrol. Resistance is futile!
From personal experience:
- Alliance+Leicester bullies you into signing up your debit card. You decline three times and you are forced to next time.
- Egg Visa is optional, you decline three times and you should not be bothered again. Egg Money MasterCard is not confirmed.
- LloydsTSB is optional on the MasterCard.
There is no doubt that banks are trying to shift away responsibility from themselves to the consumer, all the while claiming that it's for your protection. After all, VbyV and SecureCode mean that YOU are the one holding the credentials, not them. It's Chip-and-Pin for e-Tailers. And we all know how secure Chip-and-Pin is, especially when administered by APACS.
Nationwide sent out new terms and conditions, making it compulsory. I don't want to use it either, since it pushes the liability towards me and makes it harder to prove fraud, but have no choice.
However changing banks (again) over this - I am not so sure...
It is extremely irritating to use as well, especially if you don't use it often. There are sooo many sodding systems that require passwords now, and not just any password, you usually have to make it super long and with numbers in it to make it "unique". All that does is make it longer to type in and means I end up using the same password for multiple systems in a bid to try and remember it!
Bloody Sarb-Ox regulations!
There is no way to bypass it anymore (and the last time I did my card was stopped until I had a phone call from the bank)
Except that the MBNA call centre droid told me that it's being made mandatory soon for all credit cards. Which I very strongly suspect to be a lie.
What I know about Verified by Visa (aka 3DSecure, and probably some other names too) comes from having read the manual to support it in a webstore. It appears to me to be a move to a three-factor authentication scheme, where the third factor adds no strength because it is likely to be stolen or leaked or compromised by all the same means a black hat would use to get at the first two. Since the shopper's 'secret' will have been presented, under the terms and conditions, the shopper has no right to repudiate the transaction. Or put another way, this is a way of shifting credit card fraud losses from the banks to the shoppers, and the shoppers get no benefit from this that I can see.
Verified by Visa is one* of the reasons I no longer use Barclaycard. Pretty much every time I had to use it the password was not recognised and I had to "reset it", which just meant entering my DOB and a new password, hardly very secure.
* The other reasons are the hair-trigger on their online fraud prevention system, which seems to block every transaction until I spend 10 minutes on the phone to them, and the con-trick they've pulled with the online payments where you're fooled into paying more than you need to if you elect to pay "balance in full" (they include recent transactions not shown on your statement and not required to be paid until the following month).
No such problems with Mastercard (yet...)
My main on-line purchase used to be pizza for the development team. It's now impossible to order a pizza on-line without registering for verified by somebody. The outcome of this is that my development team now get bacon butties from the local truck stop instead of pizza if we pull a late nighter.
On a more serious note (although not much is more serious than lack of pizza) I think any on-line shop that takes your credit card details is suspect. I far prefer to be redirected to a real bank site that I trust and recognise to do this. The same applies to verified by... I really don't want to enter my card details, security code and extra security password into a web page that is under the Domino's pizza domain.
Chip and PIN made my Barclaycard unusable in real life (nowhere local to change the PIN to something memorable). Verified by means I can't use it on-line either.
Having been ripped off 3 times by on-line fraud I applaud the verified by Visa process - in fact I pestered my bank to introduce it. Anything that makes it safer to buy online must be a bonus. And site owners want it to protect themselves as they have had to carry the cost of fraud and hence had to reflect that cost in their prices.
I haven't seen any adverse security issues with the scheme anywhere. Why the resistance?
...after running out of 'not at this time', but through a quirk of the system I now have 2 VbyV accounts for the same card - that means I have to look very carefully at the 'security' page so that I enter the right characters from the right password.....ho hum.
Frankly I'm not impressed with the system, it seems clunky and adds yet another step in an online ordering transaction which is probably already teeming with 'security' features.
And as for the 'it's to make your transactions more secure' excuse - I think it's got much more to do with shifting liability onto the consumer for fraudulent use,
after all "...that huge overseas bound order *must* have been you because it was handled by VbyV and nobody would know your details unless you've given them away (which is your fault, stupid!)....".
I don't know what the answer is, but this kludge isn't it.
I've not had any issues using it. Yeah, it is another layer of hassle but it does have a purpose.
I understand that remembering the password could be an issue for people who only buy something every 6 months or so, but what is Steve's excuse?
He must be living an idyllic life if this is worth getting all upset about.
Had an e-mail this morning from my bank (smile) that they're enrolling in VbV and that one of the security questions asked as part of the bank logon is now our VbV password - not sure if this is a good thing or not yet
Because of the password strength for the Verified by Visa scheme forcing you to use 2 digits, I of course had forgotten it.
Imagine my surprise then when I found out I could click on the enrollment link and re-sign up. Now I got to the point where I could enter a password and got the error back saying "Must include 2 digits". This acted as a reminder of what my password was, so I tried that - after which I got "You've already used that password" - so I gave up re-enrollment at that point.
However it seems that it's completely insecure if at any point you can enroll in the scheme and create a new password!
Anonymous Coward, get a life!
The problem is that it doesn't make it any more secure, it just shifts liability from the merchant to the bank.
I'd actually argue that for the majority of users it makes things less secure. You're now training people that it's normal for a website to ask for your card details twice - once on the main site, and another in a box that looks nothing like the site, but has some 'Verified by Visa' or other crap written somewhere.
This scheme is a godsend for phishers. The banks have just undone all their good work telling people to watch out for phishing attacks by implementing something that the average punter can't distinguish from even a very crude attack.
Nationwide now require me to use their card reader. One problem -- I don't have any cards! I don't use them so why would I want them, I certainly don't want them for the sole purpose of using a card reader.
When I was offered to create a username and password for my credit card, my first impression was 'Ok, I will.' But after my password being rejected I was very confused. There was a bizarre stipulation in it that meant the password cannot be more than 8 letters in length and can't contain special characters (so [A-Z, a-z, 0-9])
WTF?! You have to create a secure username and password that is less secure than the account I am using to purchase the item in the first place.
So I promptly skipped the page. I realised though, using something physical in your hand (your card) and something in your head (user&pass) is better than just your card. So it is better, sort of.
Sorry to hear you've been ripped off online (has not happened to me yet, and I do virtually all my shopping online except for suits and shirts).
Did you get the credit card company to refund you when you were ripped off? If the answer is yes, then you can kiss that goodbye if you happen to get ripped off in the future. They consider the Verified by Visa to be invulnerable, so any claims that you have been ripped off will fall on deaf ears.
As a previous implementer, I've found that many banks returned that people were enrolled in the system, even when they were not, and the page the card issuer returned, where usually it would be an entry form, was advertising material for the scheme. At least one company I implemented this for chose to bypass 3dsecure for mastercard and visa.
That's not even getting into the issues I had implementing the first version of the API I was given, which required that I store credit card details between payment stages, including CCV. All because the payment processor didn't store any stateful information. This may have been payment provider specific however. And was already corrected before I was pushed to implement it.
Makes you wonder what sites out there are storing details using archaic versions of the api however.
After many failed attempts to use it I found that Mastercard SecureCrap is only supported on Windows + mac.
Since I would never enter any financial info into a Windows PC and I don't own a mac I sent my Mastercard back.
Perhaps if they'd hired some developers to produce it instead of a beancounter it would work properly?
Paris. Just because.
... I am reverting to keeping a box of used tenners under the bed.
Paris, because her box has been on a few beds.
Simple way around the VbyV screen is to type in the first page of details then click the sign up button, then on the next page where you should enter a password simply click the really small cancel button at the bottom of the page and your purchase will be accepted, works for me anyway!!!
give it a go, these two systems are total crap!
I dumped all but one of my credit cards, last one has a £250 limit, too much bloody trouble! The bank keeps bullying me by upping it and I ring up at least every 2 months to get it back down, they always ask why and I tell them, "Because you lot are a bunch of useless scumbags who couldn't be trusted to look after a fecking goldfish, I am not trusting my financial security with you lot more than I have to, put the limit back down or close the account, your choice.". I have to tolerate debit cards if I want to shop anywhere, once again active account has a limit on it.
It just seems everywhere you go these days, these corps are simply looking to shift their responsibilities to the poor sod who had the misfortune to sign up with them!
Currently Nationwide's card reader is only for transfers on their own on-line banking site. But it works very well and requires the person using the account to have the card, pin and the card reader.
Personally I don't mind VBV as the hassle of having your card used for a fraudulent transaction is a PITA. I know, it has happened more than once with both of my cards, the common denominator for the off-line card use being a local petrol station.....
I use it frequently, it takes less than 30 seconds and I have not had any problems.
Steve really should find something better to do.
Paris, because it's so simple even she can manage to use it.
…I can safely say that it's the most cack-handedly-implemented specification I've ever had the misfortune to deal with, and anybody who's done a lot of work with payment gateways will know that's not a statement which can be made lightly.
The whole thing is massively prone to phishing scams—a dodgy retailer can trivially determine the type of card (MasterCard or Visa) from the BIN ranges and present a form to harvest credentials which looks no less legitimate than the official bank-provided ones.
What's worse is that many UK banks don't even host their 3-D Secure verification pages within their own domain; outsourcing the code I can understand, but having it sat under RSA's “securesuite.co.uk/<bankname>”? Ludicrous. Consumers have no way whatsoever of knowing whether a given 3-D Secure verification page is legitimate or not, and thanks to the liability shift which occurs will be _worse_ off than before if fraud does occur.
What they SHOULD have done if they wanted security is to embed a one-time-password display into the cards (think RSA SecurID) and had customers enter the OTP along with their card details/CV2 to verify that they were actually holding the card—only the issuer and the person physically holding the card would know what the OTP actually was at any given point in time and it could be safely entered on payment pages and passed to the issuer via the acquiring bank and payment gateway with ease. This would also cut telephone-based card fraud down to approximately zero, except in the cases of actually stolen cards (as opposed to card details).
Of course, there are probably logistical problems with fitting an LCD display into something that thin, but when fraud losses are the sorts of numbers banks talk about, you have to wonder if it wouldn't be worth it.
This would have one unintended side effect, though: I wouldn't be able to use my wife's card to buy stuff without her being on the end of the phone. Frankly, though, that'd only be a minor inconvenience.
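The issuer-side check for the "OTP display on the card" idea in the comment above, as an added example that is not code from the original poster, from any bank or from a card scheme. It assumes the card generates time-based codes per RFC 6238 (HMAC-SHA1, 30-second step, 8 digits) from a per-card secret that only the card and the issuer hold; the class and function names are my own, and the sample secret is the RFC 6238 reference key with a made-up card number.

```python
"""Issuer verification of a card-displayed one-time password.
Added example; the TOTP choice and the names below are assumptions."""

import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    This is what the card's display would show at time `at`."""
    return hotp(secret, at // step, digits)


class IssuerOtpVerifier:
    """What the issuer runs when a payment arrives with card details plus the
    code from the card's display.  Allows a small clock-skew window and
    refuses any counter at or before the last one accepted for that card, so
    a code sniffed from one payment cannot be replayed in another."""

    def __init__(self, secrets, window=1, step=STEP_SECONDS, digits=DIGITS):
        self._secrets = dict(secrets)    # card number -> shared secret
        self._last_counter = {}          # card number -> last accepted counter
        self.window, self.step, self.digits = window, step, digits

    def verify(self, card_number: str, code: str, at=None) -> bool:
        secret = self._secrets.get(card_number)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        now = int(time.time()) if at is None else at
        centre = now // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self._last_counter.get(card_number, -1):
                continue                 # already used or older: replay
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[card_number] = counter
                return True
        return False


# Constructed sample: RFC 6238 reference secret, made-up (non-real) card number.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_CARD = "4000000000000002"

if __name__ == "__main__":
    issuer = IssuerOtpVerifier({SAMPLE_CARD: SAMPLE_SECRET})
    shown = totp(SAMPLE_SECRET, 59)                     # what the card displays
    print(shown, issuer.verify(SAMPLE_CARD, shown, at=59))   # accepted
    print(issuer.verify(SAMPLE_CARD, shown, at=59))           # replay refused
```

The replay check is the part that matters for the telephone-fraud claim: a code read out to a call-centre agent is good for one payment inside one time window and nothing after it, so leaking it costs at most the transaction it was meant for.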
I've used VbyV often and it's only a minute extra and with the added layer of security I don't mind. If someone did fraudulently use my CC number then it's going to be a real hassle...so it's worth it in my mind.
But, it'll change I believe as my bank Barclays has Pinsentry, which I've never used and think that'll be a real hassle as I've used tokens before to log onto systems and those damn things have crap LCD numbers!
C'n'P isn't mandatory at all.
Go ask your bank.
Several times. Probably try a few different people.
It might help if you pretend to be old.
Eventually you'll find they do 'chip and signature' cards - http://www.rnib.org.uk/xpedio/groups/public/documents/PublicWebsite/public_chipandpin.hcsp
Ever run out of credit on 3's broadband service? Easy, you can top up online (yes on a Welsh hillside on a Sunday evening).
Everything goes fine till 3's system calls for VbV and then blocks it! So you can't top up with my NatWest Visa card. Screwed me till I remembered I have a Co-operative Bank Visa card that trusts me.
Reminds me of when i used to play sharedealing in the office. My friend banked with NatWest and had to send faxes and stuff to confirm a share purchase. I just called a nice lady at my Brum branch. "No problem luv" and that was it. Done on trust (as in knowing your customers). Cheaper & faster. Remind me which bank loses most customer's money?
I have been "directed" to Securecode once in making a standing purchase on-line at a site I knew well. I duly entered the required details. Two hours later HSBC were ringing me up asking if I was using my card to withdraw cash in Thailand.
Do I think this is a secure method? I rang them up and cancelled my Securecode and password entry.
I'm with IF, and it's compulsory with them, too. I've tried complaining but I always seem to get a munchkin on the other end who doesn't know what I'm talking about.
What's more, resetting the password is trivially easy and doesn't even require email confirmation, so I'm not sure what it's actually for...
The temporary "generated" card system we used to have (Orbis). That the design was a bit faulty should have been resolved instead of this crudpile we now have (some services do a double-dip to ensure you're valid; this does not work as the number is single-use).
Heck, even paypal is better than the current system.
The main issue I have is the number of accounts that get created. Somehow I've managed to get two cards by different issuers under the same account but others automatically get a new account created and it just invents a user name.
Remembering passwords is going to be worse though. I have a hard enough time as it is with the hundreds of passwords I need to surf the web anyway.
Of course I could use the same password everywhere, but then I may as well give my front door keys to Mr Burglar and say "help yourself", as it's about the same level of security.
I have a barclays one, or rather I have 2, one at home one at work. And I use it so infrequently I've currently forgotten the pin and locked the card anyway. No interbank compatibility is a pain; would I have to have one for each card?
Still got a few free watch cells out of them.
- and failed. I have Egg Visa and Mastercard, and both signup routes failed at the same point: they denied that my card number existed.
That was some weeks back. Egg have yet to come back with an explanation.
I await with interest the first time my card gets blocked--.
Sounds like the banks' version of WGA, i.e. ostensibly of benefit to you (dear valued customer) to really only of benefit to them, so they can wriggle out of claims for fraud. Which isn't possible now, of course...
I tried resistance but was forced to sign up when trying to buy a gift. However when I tried to sign up I was told my details were incorrect! I checked them all carefully which wasn't difficult as the only thing required that wasn't printed on the card was my date of birth. I think I know my date of birth. Apparently not. After several phone calls I was told that I had been born on 11th November 2011! At least it was obviously wrong and so I could get it corrected. Unfortunately the correction would take 2 working days to complete. By that time, the gift would have been too late. I'm Vexed by Visa.
In their defense, there is a feeble attempt to reassure users that the VbV page is authentic. You can set a custom greeting message that is displayed on the first page. At least that is the case with Barclays VbV. I also approve of the idea of card readers that produce a one time pass code. The implementation of it however doesn't fill me with trust. The first digit it returns is always 3 and I can usually guess the second digit! Cryptographically secure??? I think not.
As a merchant (www.oxfordethical.co.uk) we weren't allowed to accept maestro cards until we enrolled in 3D secure with our provider (barclaycard business), which then rolls it out across all card types. I generally welcome it and think it can do for online sales what chip and pin did for card holder present sales i.e. generally reduce fraud without affecting sales levels (in some cases increasing them as chip and pin can be faster, which is why the likes of McDonald's are now accepting cards).
However it needs to be implemented fully, across all cards, and made mandatory.
- Without it at all, there is lots of fraud
- With it partially as it is now, there is some fraud reduction, some increase, and lots of customers put off
- With it rolled out fully, there will be lots of fraud reduction and customer familiarity will mean that they aren't put off (well, most of them).
The only downside in the way it is implemented now is that it is too easy for fraudsters to "copy". When I use my egg card which is enrolled, there is a "customer message" line which appears on the screen asking for my password. This should contain something such as phrase I have provided them in advance, so I know it is a genuine screen. However currently it just has a marketing or generic "this is all secure" type message. Make this work correctly, roll it out across all card types and banks, make it compulsory and fraud will drop dramatically.
Nothing is ever perfect or will stop fraud completely, but I think this is the best current bet. And for those saying the banks are only doing this to protect themselves, well, duh! But remember that being as they are, they would pass down the extra costs of fraud to customers or the merchants (who mostly add it to the price of their goods) anyway. They'll never let it touch their profits, but at least this way consumers don't end up paying for it.
After getting my card repeatedly declined while trying to order something over the phone because the "postcode didn't match" the guy taking the order let slip the word "securecode". He was only running a pizza delivery firm so he obviously wasn't much of a techie and didn't realise that it wasn't my bank that was declining payments.
I phoned up Mastercard and found out that they had got my old address and were checking the post code I was giving against that. At no point have I been informed that they would be keeping my address on file or that I would need to update it. When I asked the cretin in the call centre if I could be removed, she told me that there was no option whatsoever for not using the system or for being removed from it.
So I changed my address and password on their website and then noticed the button that removes you from the service - something they claimed was impossible. What really pissed me off was when she tried to end the call with a violence-inducingly cheerful, "I hope that solved your query".
Needless to say, that resulted in her getting berated again for not knowing the difference between a demand and a query or the difference between answering a query and telling your customer to get fucked.
After exchanging some messages with Egg about 3DSecure I was told to phone up and ask for the SecureCode department to opt-out. I've done this and have been told that transactions should go through without my having to use SecureCode, but haven't yet tried it.
Just using debit will work great until you want to buy a £25/mo mobile phone contract and they refuse you because of absolutely no recent credit history despite 5 figures of cash in the bank. Or, y'know, apply for loans and mortgages and so on.
(True story, lesson learnt, credit score increasing...)
I just think VbV and SecureCode need standardizing across all banks. The main problems I have encountered are having 2 Barclaycards of my own but being unable to register both under the same username; and having to share passwords with an additional cardholder because both cards are issued with the same number.
To AC #1 & John Doe - it's his choice whether he does it or not, and he may (together with the help of others & El Reg) be able to force a change. Personally, I think VbV is just a way for credit card companies to get out of refunding fraudulent charges. It's another step for me, supposedly another layer of protection, but also another point of potential weakness in the chain for phishers & scammers.
OK, so I see an unverified charge on my card. I want to be able to call up my bank, prove that the charge is a fraud (e.g. at a gas station in Florida, when there are two charges before and after, that same hour, in DC), and have them refund my money by the next day (or at least agree to once I sign some forms).
Would VbV do that for me? Of course not. Would it actually help me when fraud occurs? Doubt it. Why bother with it then? I wouldn't want it forced on me, either...
I asked to opt out of Smile's scheme and was told I can't.
I took the opportunity to get another card. One where I get 1% cash back on purchases and 3% on fuel at a certain garage. That certain garage is doing the online banking, which is worrying but they may be behind in this latest 'service' to customers technology.