Merchants and punters cry foul over Verified by Visa

The Verified by Visa system is becoming harder to avoid, even for those with real doubts about its effectiveness in combating fraud. The problems that Verified by Visa refusenik and Reg reader Steve reported in our earlier article on the system are being encountered by more and more Register readers. Both Verified by Visa ( …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward
    Anonymous Coward

    Weakness is in the enrolment

    Unfortunately, the card schemes have left it to the card-issuing banks to determine how a customer enrols for 3DSecure. Here lies the main problem.

    Some card issuers allow enrolment in the middle of a transaction with an online retailer, when the cardholder is redirected to the authentication server. Others require pre-enrolment.

    If (all) the card issuers were to take this seriously, then enrolment would be more difficult, would have to be performed in advance of any transactions being attempted, and maybe they might just take some time to also educate their cardholders about how it works, and what web pages they might expect to see when redirected to an authentication server.

  2. Dennis
    Black Helicopters

    @ the Crispin Edwards article

    Hmmm...I personally cannot speak for the veracity of the article, but does Crispin Edwards' comment seem a little too VbyV friendly to anyone else???

    Black helicopter, just in case I'm right.

  3. Anonymous Coward
    Thumb Up

    Do more research on the subject matter

    In order for a phishing attack to occur, the "imposter" VbyV window would have to be able to display the website you are shopping at, the amount of the purchase and the personal message you tie to your VbyV password.

    Let's say they can do this:

    3D-Secure is the name of the protocol. Part of this protocol is the use of encrypted payloads that are passed between the cardholder's bank, the customer's browser and the software running at the merchant's website that handles the 3D-Secure protocol messaging with Visa/MC.

    This phisher would also have to inject a payload that matches the algorithm of the issuing bank's VbyV software that generates this payload. (Upon determining that your card is enrolled, an initial payload is also generated to validate at the issuer to ensure the customer's session has not been compromised during transfer to the bank's VbV window.)

    The software the merchant is running to support VbV then needs to validate this payload. If a faulty payload is injected, this would surely fail and per the protocol the merchant would not continue with the authorization of the credit card. The order would fail before authorization.

    Secondly, your credit card number is not passed to the VbV authentication window. It is partial/masked and encrypted; although the phisher may have gotten your password, they still do not have your credit card number to match it to.

    At this point, you may have provided your VbV password to a phisher but this purchase would be prevented and your card number has not been compromised.

    VbyV has evolved quite a bit and I am an avid user of the service on both my Visa and MasterCards.

    Merchants have for years been stuck with the responsibility of managing fraud on their websites and are still held accountable today. Because fraud liability shifts to issuers and their cardholders does not mean merchants are off the hook for providing safe environments for consumers to purchase. Phishing in 3DS is quite difficult; this would require not only infiltrating a merchant's SSL environment, but it would also require infiltrating the bank's infrastructure, as well as the VbV software provider.

    It actually is quite secure, perhaps not the answer for the most secure shopping experience, but a step in the right direction to help level the playing field between Merchants, their customers, and Visa/MC.

    Fraudsters will always try to find ways to beat any new technology, but do research on these technologies before you begin to rip them apart.

    Cheers

  4. Anonymous Coward
    Anonymous Coward

    Seen it from both sides

    As a punter, paying my Council Tax:

    1) Do the usual card-number, CVV etc. bit, then on confirmation page there's some blurb about VbyV with 'proceed' or 'not now'. Choose the former and am directed to a page (no popups) where I repeat some of the card details and set my password. I know my browser is 'clean' and have not visited other sites before going to the Council Tax site. After completion of VbyV I get an email from the council - they got my money.

    2) Same, except having registered now all I have to do is enter my password after the 'proceed' stage. Again, no popups or iframes.

    As a merchant:

    1) Our payment gateway (Protx) tell us 3DSecure is coming, and must be used. We humbly comply. Never mind the banks everyone above seems to be bleating about; we like the bit about how a successful 3DSecure auth negates *OUR* liability.

    2) What we want most of all is for genuine punters to actually be *able* to conduct a purchase with us. So far, 3DS is proving a bloody sight more reliable than the horrendous CVV/AVS which regularly throws a shit-fit when the card is (a) foreign, (b) corporate or (c) has a slightly irregular address-numerics format.

    Not that we haven't seen crap-outs that probably happened at the 3DS stage, but less frequently I can assure you.

    And just a brief word to the person who eulogised AmEx up above: Pain.In.The.Arse. Amex transactions can't be reversed on-line [i.e. during the payment process] based on CVV/AVS results, for some reason, so they go through Protx with flying colours and no real checks done. We then have to phone Amex and get a Code 10 [i.e. do the AVS check manually] before we know if the card is legit. We also have to do this when someone does an order by phone, but at least in that scenario we haven't accrued a processing fee yet. Amex is the shittiest card scheme by far from a small mail-order merchant's POV and I for one hope it dies a slow death from arse polyps.

  5. This post has been deleted by its author

  6. Geoff Magnay

    Worrying

    I was recently asked for a VBV transaction (which was genuine) and was prompted for a forgotten (did I ever know it?) password, which told me it's the same memorable name as I use to access my bank and VISA account. Nice and easy to remember - but it means if it was a phishing site, the phishers would have access to my VISA and bank account. Whose crazy idea was this?

  7. BillPhollins
    Black Helicopters

    Foreign cards and confused punters

    Another issue with 3D secure is that not everybody uses the same version - we have (or I should say the merchant banks) issues with foreign cards when 3D secure is enabled. They might actually be enrolled, but with a newer or older version of 3D secure from the merchant bank.

    The main problem is the banks themselves are clueless about it, so what chance do the customers have? They're not even told their cards are enrolled half the time. Add to that the crapness of some of the card issuers' 3D Secure pages, and I'm not surprised people don't complete transactions. You can tell it's not a phishing site if it looks crap...

    As for Amex, other than the problem that nobody has them, they are a pain for merchants who want to use multicurrency because Amex force them to open merchant accounts in each country, which is obviously very expensive (probably the idea...)

  8. Alan Fisher

    what's wrong with

    electronic passcode generators like SecurID and so forth?? Random numbers generated at both ends tied specifically to you; someone then has to steal both to be of any use and then can't steal it online?

    My bank has a SecurID/card reader combination for secure account web page access and though unwieldy, I think this is much more secure?

  9. Crossbow
    Black Helicopters

    Not even as if it works......

    So far I've managed to avoid VbV, but I did have an interesting demonstration of Mastercard Securecode's utter uselessness..... My boss wanted to order some stuff online, but being a total computard, gave me his CC, and went off to a meeting. So off I go and do his shopping for him, all fine, until securecode pops up. So after a bit of swearing, and leaving the boss a voicemail, I sit there and wait for him to get back to me. 10mins later, a popup tells me the session has expired, so I click ok, expecting to have to go through the whole checkout procedure again later.... But nope, the transaction went through.

    In what way does having an auth step that it doesn't matter if it fails help anyone?
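An added example, not code from the page or from any commenter, modelling two things raised above: the merchant-side validation of the issuer's signed payload that comment 3 describes, and the fail-open behaviour comment 9 saw, where an expired authentication session still let the order through. It is a simplified model: real 3-D Secure 1.0 responses carry an XML signature under the issuer ACS certificate, which is replaced here by an HMAC under a constructed shared key so the script runs offline; the field names, the JSON encoding and the `M-12345`/`demo-xid-001` values are assumptions. The status letters Y/A/N/U are the protocol's own transaction status values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. Real 3-D Secure 1.0 responses (PARes) carry an XML
# signature under the issuer ACS certificate, chained to the scheme root;
# a shared-key HMAC stands in for that here so the example runs offline.
ISSUER_KEY = b"constructed-demo-key-not-a-real-3ds-credential"

# Transaction status values defined by 3-D Secure 1.0: Y = authenticated,
# A = attempt acknowledged, N = authentication failed, U = unable to
# authenticate. Only Y and A are treated as a positive result here.
POSITIVE_STATUSES = {"Y", "A"}
BOUND_FIELDS = ("merchant_id", "amount", "currency", "xid")


def canonical(body: dict) -> bytes:
    """Stable serialisation so issuer and merchant MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issuer_sign(body: dict, key: bytes = ISSUER_KEY) -> dict:
    """Issuer side: bind the status to merchant, amount, currency and xid."""
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_response(pares: Optional[dict], expected: dict, key: bytes = ISSUER_KEY) -> str:
    """Merchant side. Returns AUTHENTICATED, DECLINE or NO_RESULT.

    A missing response (expired session, abandoned window) is reported
    as NO_RESULT rather than silently passed.
    """
    if pares is None:
        return "NO_RESULT"
    body = pares.get("body", {})
    expected_mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # 1. the MAC must verify; constant-time compare against forgeries
    if not hmac.compare_digest(expected_mac, str(pares.get("mac", ""))):
        return "DECLINE"
    # 2. the signed fields must match the transaction this merchant started,
    #    so a genuine response for another xid or amount cannot be replayed
    if any(body.get(f) != expected.get(f) for f in BOUND_FIELDS):
        return "DECLINE"
    # 3. only an explicit positive status lets authorization proceed
    return "AUTHENTICATED" if body.get("status") in POSITIVE_STATUSES else "DECLINE"


def decide_authorization(result: str, fail_open: bool = False) -> bool:
    """Whether the merchant sends the card for authorization.

    fail_open=True reproduces the behaviour in comment 9: a timed-out
    authentication step still lets the order through.
    """
    if result == "AUTHENTICATED":
        return True
    return fail_open and result == "NO_RESULT"


# Constructed sample transaction as the merchant recorded it
TXN = {"merchant_id": "M-12345", "amount": "49.99", "currency": "GBP", "xid": "demo-xid-001"}


def demo() -> dict:
    genuine = issuer_sign(dict(TXN, status="Y"))
    # a genuine Y for a different transaction, replayed against this one
    replayed = issuer_sign(dict(TXN, xid="demo-xid-000", status="Y"))
    # a genuine response with the amount edited in transit (MAC no longer matches)
    tampered = {"body": dict(genuine["body"], amount="1.00"), "mac": genuine["mac"]}
    # a response fabricated by a phisher who does not hold the issuer key
    forged = issuer_sign(dict(TXN, status="Y"), key=b"not-the-issuer-key")
    return {
        "genuine": decide_authorization(verify_response(genuine, TXN)),
        "replayed": decide_authorization(verify_response(replayed, TXN)),
        "tampered": decide_authorization(verify_response(tampered, TXN)),
        "forged": decide_authorization(verify_response(forged, TXN)),
        "timed_out": decide_authorization(verify_response(None, TXN)),
        "timed_out_fail_open": decide_authorization(verify_response(None, TXN), fail_open=True),
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters for comment 9 is the last pair: with `fail_open=False` a missing or expired authentication result never reaches authorization. Whether a merchant chooses to proceed on a U or absent result without the liability shift is a business decision, but it should be an explicit one, not the accidental outcome of treating "no answer" as "yes".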

  10. Anonymous Coward
    Happy

    @ Ginger - Ref "Use Amex"

    Hmm. Don't get too comfortable with your Amex card. I have it on good authority that "The times, they are a-changing".

  11. Anonymous Coward
    Anonymous Coward

    Some stats

    Here are some interesting stats from our systems:

    ~66% of fraudulent transactions successfully verify with VbyV/MCS - scary!

    ~5% drop rate from checkout once presented with VbyV/MCS

    ~3% increase in telephone transactions July 2006 - June 2007 (without VbyV/MCS) against July 2007 - June 2008 (with VbyV/MCS); change from 0870 to 0845 may have also affected this

    ~12% increase in orders rejected July 2006 - June 2007 (without VbyV/MCS) against July 2007 - June 2008 (with VbyV/MCS) - this can only partly be attributed to the introduction of VbyV/MCS as improvements in our internal fraud analysis will also affect this, as will the astronomical increase in online credit card fraud

  12. Anonymous Coward
    Boffin

    just received the following spam/scam email

    Obviously the scammers must be reading The Register to get new fraud ideas, as I just received the following:

    --------------------------

    Subject: VISA Card Department

    Date: Fri, 24 Oct 2008 04:26:38 -0400

    From: "support" <support@visa-card.com>

    To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Reply-To: "security" <security@visa-card.com>

    Note: This is a service message with information related to your Visa Card(s). It may include specific details about , products or online services. If you recently cancelled your card or do not use card anymore please disregard this message.

    Dear VISA Card Member :

    Verified By Visa (R) enhances your existing VISA Card with a personal password of your choice. When you shop at participating online stores, you enter your password in the same way you would enter a PIN at an ATM. It means that only you can use your VISA Card online, giving you the same assurances you have when you use your card in a physical store.

    To avoid service interruption we require that you sign up with your card information as soon as possible. Please take a moment to register at Verified by VISA by going to the following address:

    http://verified-byvisa.com/

    Create your personal fraud protection.

    Thank you for your business.

    Sincerely,

    VISA Online Services

    2008 VISA Worldwide. All Rights Reserved

    ---------

    a quick whois reveals the scamsters:

    whois verified-byvisa.com

    [whois.crsnic.net]

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered

    with many different competing registrars. Go to http://www.internic.net

    for detailed information.

    Domain Name: VERIFIED-BYVISA.COM

    Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

    Whois Server: grs.hichina.com

    Referral URL: http://www.net.cn

    Name Server: NS1.SILIVANTRA.COM

    Name Server: NS2.SILIVANTRA.COM

    Status: ok

    Updated Date: 19-oct-2008

    Creation Date: 17-oct-2008

    Expiration Date: 17-oct-2009
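An added example, not from the page or the commenter, that turns the triage the commenter did by hand into a repeatable check: it parses the whois output pasted above, works out how old the link domain was when the email was sent (the `Date:` header versus `Creation Date`), and flags the brand-lookalike name and the mismatch between the sender domain (`visa-card.com`) and the link domain (`verified-byvisa.com`). The list of the brand's own domains, the `visa` brand token and the 30-day "newly registered" threshold are assumptions for the example, not facts from the page.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed copies of the artefacts pasted in the comment above.
WHOIS_TEXT = """\
Domain Name: VERIFIED-BYVISA.COM
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Whois Server: grs.hichina.com
Name Server: NS1.SILIVANTRA.COM
Name Server: NS2.SILIVANTRA.COM
Status: ok
Updated Date: 19-oct-2008
Creation Date: 17-oct-2008
Expiration Date: 17-oct-2009
"""
EMAIL_DATE = "Fri, 24 Oct 2008 04:26:38 -0400"
SENDER = "support@visa-card.com"
LINK = "http://verified-byvisa.com/"

# Assumptions, not from the page: the brand's own registrable domains, the
# brand token the lure borrows, and a 30-day "newly registered" threshold.
BRAND_TOKENS = ("visa",)
OWN_DOMAINS = {"visa.com", "verifiedbyvisa.com"}
NEW_DOMAIN_DAYS = 30


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines; repeated keys (name servers) become lists."""
    fields: dict = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def domain_of(value: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    host = value.split("@")[-1]
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I).split("/")[0]
    return host.lower().rstrip(".")


def is_brand_lookalike(domain: str) -> bool:
    """Brand token inside a domain that is not one of the brand's own."""
    d = domain_of(domain)
    if d in OWN_DOMAINS or any(d.endswith("." + o) for o in OWN_DOMAINS):
        return False
    label = d.split(".")[-2] if "." in d else d
    return any(tok in label.replace("-", "") for tok in BRAND_TOKENS)


def domain_age_days(whois_fields: dict, seen: datetime) -> int:
    created = datetime.strptime(whois_fields["creation date"][0], "%d-%b-%Y")
    return (seen.date() - created.date()).days


def assess(link: str = LINK, sender: str = SENDER, whois_text: str = WHOIS_TEXT,
           email_date: str = EMAIL_DATE) -> dict:
    fields = parse_whois(whois_text)
    age = domain_age_days(fields, parsedate_to_datetime(email_date))
    link_domain, sender_domain = domain_of(link), domain_of(sender)
    reasons = []
    if is_brand_lookalike(link_domain):
        reasons.append("link domain imitates the brand but is not the brand's own")
    if age <= NEW_DOMAIN_DAYS:
        reasons.append(f"link domain registered {age} days before the email was sent")
    if link_domain != sender_domain:
        reasons.append("sender domain and link domain differ")
    if is_brand_lookalike(sender_domain):
        reasons.append("sender domain imitates the brand")
    return {
        "link_domain": link_domain,
        "age_days": age,
        "reasons": reasons,
        "verdict": "phishing" if len(reasons) >= 2 else "review",
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

For the pasted data the link domain was seven days old when the mail went out, which on its own is enough to route a "register now or lose service" message to the bin; the other three signals are there so the same check is useful on lures that use older domains.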

  13. Samuel Pickard
    Unhappy

    Password policy is driving me to be less secure

    My biggest problem with VbV and SecureCode is their password policy. I can see all the small steps they've made, and why individually they're more secure, but the overall result is that I'm never sure what my password is.

    So the password has to have a minimum length, be intercapped, with characters and digits - pretty standard. Passwords like this can be difficult to remember, but not impossible, and it's my card's, right, so I should pay attention.

    Then, instead of entering the password, I'm asked for three characters from it, and I find myself counting out what I think my password is on my fingers. And I get it wrong. Did I miscount or have I mis-remembered? So I try what I think it is again, and again it's rejected. So I rack my brains for what else it may be, enter my best guess, find I've got it wrong again and now my password is disabled.

    So I complete the form to reset the password (which is waayyy easier to break than my password), and for my new password I enter what I thought it should be in the first place. It then tells me that I've used that password and I have to think of (yet) another password for it. I try to make it sensible and memorable, but not obvious. I find adapting Bob Dylan lyrics particularly good for this (7h3yllst0n3y0uwh3ny0ur3ly1ng0nth3fl00r), but I now know that I'll have a problem remembering this next month when I want to use the card again.

    So I end up emailing myself my password, in plain text, effectively nullifying their attempt at security, and now it's my fault if my account gets hacked as I've sent my password through the internet.

  14. Anonymous Coward
    Flame

    @ LH

    You are right. The whole set-up of 3D Secure is up to the issuing bank. Many of them have introduced the solution to be "compliant", not to add security. The Nordics have combined it with CAP/EMV technology to great effect and it has also been publicised in a much better fashion. Well, it has actually been publicised, rather than implemented and no one told about it!

    The same goes for the password reset issue that was mentioned in the other article yesterday. This is again set up according to the bank's wishes and can be as simple or as complicated as the banks want. It would seem most banks opt for the very basic standard method.

    If anyone should be blamed, it's the bank. Not the schemes and not the protocol.

  15. Jake Rialto
    Coat

    Liability

    I implemented VBV for a bank, and the reason they're all so keen as mustard is because in cardholder-not-present scenarios the liability used to be theirs. With VBV the liability is passed back to Visa. The merchant acquirers (the banks) therefore are putting pressure on the merchants to adopt the scheme to reduce their losses.

  16. Vince

    @ AC re Stroppy people when asked to prove who THEY are...

    "And here I could go on about my card issuer calling me up and asking me to confirm my security information. When I pointed out that they had called me and could be anyone they got very stroppy."

    I had similar recently, with MBNA - however, they were actually clued up. When I said "but I need to verify you as well", he was happy for me to ask HIM a security question relating to my account first (I asked him to confirm the nth letter in my password and the last letter of my postcode as a basic test - about as good as it will get!).

    He then asked me a few password characters and so on, and we completed enough basic checks to give some reassurance. Points to MBNA for thinking about customer security properly.

    (Of course, they were ringing me because the overly active anti-fraud system thinks pretty much weekly something I do is likely to be fraudulent, to the point where I now expect my regular calls from various card providers).

  17. Anonymous Coward
    Unhappy

    From personal experience

    I can say "Verified by Visa" is a fucking shambles.

    Never has buying anything been such a painful and pointless chore. In my absolute worst case I was on the phone to some scripted twat with a thick Scottish accent repeating:

    "i nee 't ha yer personal passcode befer i cen process the transaction. De yer ha yer personal passcode. "...

    "No... I don't know what passcode you mean"...

    " th personal passcode yer made when yer started th service"...

    "I don't remember what it was"...

    "but i nee 't ha yer personal passcode befer i cen processes the transaction. De yer ha yer personal passcode. "...

    "No... I don't know what passcode you mean"... and it went on like this for another 40 minutes until I said bollocks to him and cancelled the purchase.

    As soon as I see that "Verified by Visa" shit, I just quit and try to get what I want somewhere else.

  18. Anonymous Coward
    Stop

    looks like

    I won't be shopping online, then

  19. Chris Cheale

    @Amex

    > Use Amex

    > They don't have one of these pointless schemes,

    Wrong - they call it SecureCode or somesuch and it has been in place for over a year...

    http://www10.americanexpress.com/sif/cda/page/0,1641,18776,00.asp

  20. Anonymous Coward
    Anonymous Coward

    Alternatives

    1. Card readers. Using challenge-response, you could prove that you possess the card. (The only risk is modified readers skimming your PIN for use in foreign ATMs or whatever: you'd have to ensure you used a reader of good provenance).

    2. Or, for people who find card readers annoying: it should be possible to embed a little LCD on the credit card itself (like those RSA dongles) with a one-time code on it.
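An added example, not from the page or the commenter, of the first alternative above: challenge-response with a card reader, where the response proves possession of the card secret and is bound to a particular challenge and amount. It is a simplified HMAC model, not EMV CAP (which derives the response from an EMV cryptogram), and the 8-hex-digit challenge, the 8-digit response, the `demo-card-1` identifier and the class and function names are assumptions. The shared secret is returned from `enrol()` only so the demo can play the card's part; on a real card it never leaves the chip.

```python
import hashlib
import hmac
import secrets

# Added example: a simplified challenge-response model, not EMV CAP. Each card
# carries a secret shared with the issuer; a reader computes a short response
# over the issuer's challenge and the amount, so a captured response is useless
# for any other challenge or amount. Names and formats are assumptions.


def card_response(card_key: bytes, challenge: str, amount: str) -> str:
    """What the reader shows: 8 digits derived from HMAC(key, challenge|amount).

    The truncation follows the RFC 4226 dynamic-offset scheme so the code
    is short enough to type back into the web form.
    """
    digest = hmac.new(card_key, f"{challenge}|{amount}".encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class IssuerVerifier:
    """Issuer side: issues one-shot challenges and verifies reader responses."""

    def __init__(self) -> None:
        self.card_keys: dict = {}    # pan -> secret provisioned to the card
        self.outstanding: dict = {}  # challenge -> (pan, amount) awaiting a response

    def enrol(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)
        self.card_keys[pan] = key
        return key  # returned only so the demo can act as the card

    def new_challenge(self, pan: str, amount: str) -> str:
        if pan not in self.card_keys:
            raise KeyError("card not enrolled")
        challenge = secrets.token_hex(4).upper()  # 8 hex digits typed into the reader
        self.outstanding[challenge] = (pan, amount)
        return challenge

    def verify(self, pan: str, challenge: str, amount: str, response: str) -> bool:
        # unknown or already-consumed challenge: replay or fabrication
        if challenge not in self.outstanding:
            return False
        # the response must be for this card and this amount, so a man in the
        # middle cannot reuse it against a different transaction
        if self.outstanding[challenge] != (pan, amount):
            return False
        expected = card_response(self.card_keys[pan], challenge, amount)
        ok = hmac.compare_digest(expected, response)
        if ok:
            del self.outstanding[challenge]  # one use only
        # a production verifier would also cap failed attempts per challenge
        return ok


def demo() -> dict:
    issuer = IssuerVerifier()
    pan = "demo-card-1"
    key = issuer.enrol(pan)
    ch = issuer.new_challenge(pan, "49.99")
    resp = card_response(key, ch, "49.99")
    first = issuer.verify(pan, ch, "49.99", resp)
    replay = issuer.verify(pan, ch, "49.99", resp)  # same response presented again
    ch2 = issuer.new_challenge(pan, "49.99")
    # attacker changes the amount after the cardholder computed the response
    wrong_amount = issuer.verify(pan, ch2, "499.99", card_response(key, ch2, "49.99"))
    ch3 = issuer.new_challenge(pan, "49.99")
    # phisher who captured an earlier response but does not hold the card secret
    without_card = issuer.verify(pan, ch3, "49.99", card_response(b"guess", ch3, "49.99"))
    return {"genuine": first, "replay": replay,
            "wrong_amount": wrong_amount, "without_card": without_card}


if __name__ == "__main__":
    print(demo())
```

The point for the thread is in the last three results: a response phished once is worthless against a fresh challenge, it cannot be moved to a different amount, and nothing typed into a web page reveals the secret. The caveat the commenter gives about reader provenance still applies; a tampered reader sees the PIN.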

  21. Anonymous Coward
    Boffin

    Abbreviationally Challenged

    "Steve, our original source, had problems with MDNA and Egg."

    You should tell Steve that Mitochondrial DNA is passed on from your mother, so it's always going to be in the egg (Sperm does contain a small amount of MDNA, but it's destroyed after fertilization)

    Perhaps you meant MBNA?

  22. Gis Bun
    Happy

    uh huh

    Well, aside from who takes responsibility, at least entering a password is better than a few years ago when there was no verification.

  23. Anonymous Coward
    Anonymous Coward

    @James Henstridge re not a conspiracy

    The merchant knows which bank you belong to, but the merchant doesn't store your authentication information; none of the back-end details of the transaction are hosted on their systems. There is far less scope for a dodgy merchant, or a sysadmin at a merchant, to nick your card information and its associated auth details.

  24. David Silver badge
    Flame

    I will NEVER sign up to Verified by Visa

    I'm really pleased to see The Register highlighting the strong public feeling against the scam that is Verified by Visa.

    I will NEVER sign up to Verified by Visa: the liability shift that blames the cardholder for everything, the dodgy typo-scammer domain name (and the even dodgier domain registration: just what is going on there with the ever-changing whois records, can we trust such a company with our data?), the shonky phishing-like implementation, no way!

    Just as I'd started to trust internet shopping, I've made far fewer internet purchases since some misguided retailers started foisting VbV onto us. Result: it's the real-world high street shops that are getting my money, and the internet retailers are losing out on my potential purchases instead.

    If we need increased card security, there must be far more sensible ways of doing it. Many banks now issue card-reader devices which can be used to authorise internet banking transactions: combined with BACS "Faster Payments" wouldn't this be a good way to make internet payments more securely - and it'd really give the finger to Visa and MasterCard for introducing such an idiotic scam in the first place!

  25. David Silver badge

    3DSecure signup: per-card or per-account?

    I understand that where your card issuer forces you to sign-up to 3DSecure (rather than you being dumb enough to opt-in voluntarily), you are allowed to make 3 online transactions before you are absolutely forced to sign-up and cannot then make any more online transactions.

    Does anybody know if the 3 transaction "grace period" applies to a specific-numbered card (which we all know has a finite validity period) or to your account overall (indefinite validity)? If the former, it strikes me that when I reach transaction number 3, I could simply report my card "lost" and ask for a new one, with a new card number, thus resetting the clock. Since I'd be doing this precisely in order to maintain my own security, I'd like to see the card issuers attempt to argue against new cards being issued for that particular reason!

  26. Anonymous Coward
    Unhappy

    @Vince

    You're lucky - a few years ago (before I had a major falling-out with the stroppy gits) I had several "conversations" with MBNA where they would ring me and demand to know all the normal "security" information - name, plus selected bits of the address (ie house number/name, the whole first line or the postcode).

    Each time I pointed out that they had called me; if I was up to no good in the house (I'd broken in, or whatever) then I would not answer the phone anyway, and if I had suffered a complete brainfart and answered a phone in a house I was robbing, then there was probably a 99.99% chance I had found an envelope with the owners' names and address on (as if I wouldn't know *which* house I was in anyway...)

    In all the years I had the card, only ONE of the telephone staff actually gave me his name and the phone number (matched the one on the statements, since he really did work for MBNA) so I could call them back rather than just take his word for it... most of the staff just got even more stroppy, one simply put the phone down and one - after I'd had a particularly bad day at work and demanded to know how he would verify HIS identity since he had called me - threatened to pass me over to his Supervisor for rude and offensive behaviour... so I told him I'd **love** to speak to his supervisor and let them know just how much value I placed on their so-called "security". but then the line just went dead...

  27. Liam Nagle
    Thumb Down

    Forced to register

    Last week I needed to buy a plane ticket on line from BA. To complete the transaction I had no option except to register with Verified by Visa. This is despite not wishing to register and buying the ticket via my BA Executive Club account, which should in any case have added an extra layer of security.

  28. Igor Mozolevsky
    Coat

    Don't fault Visa...

    ... if your card issuer is inept... I know at least of one card issuer that uses one time passwords for VbV and there's no way to change anything at the prompt. You go to the ATM, print a slip that has a unique ticket number and ten passwords, when you pay, their VbV prompt asks you for password number P on ticket number T and that password is not used any more on that ticket. Granted, the issuer is not a UK one...

  29. Schultz

    More hassle, same security

    Doesn't sound like the solution. Back to the drawing board!

  30. Scott
    Coat

    8D

    I just invented 8D: it asks for 8 different passwords, very secure, oh and this IS secure you see, there's no way a phishing attack can get all 8 passwords, hackers are too stupid?????? much better than 3 anyway, and with my system you only have to enter 25 different personal details from height, weight and length?

  31. Daniel Nebdal

    Passwords?

    Hmm, all online bank sites in Norway that I'm aware of use some form of authentication keyfobs plus a PIN - and that's also what we use for VbV. Of course, this means that you can't get past a VbV screen unless you're set up for online banking - but I don't think the "online shopping but not banking"-subset is large enough for that to be a big problem.

  32. lucinda styles
    Alert

    Good solutions need not be mandated

    A solution, if it works, need not be mandated. We should all be wary of anything that's forced.

    It's high time that the UK competition office took a look at this monopolistic practice by the big card schemes of imposing ineffective solutions onto the market. There are other, more effective solutions. This awful practice of ramming a solution through (because you can) must end in order to finally bring QUALITY solutions and products into the market!

    If UK had effective consumer protection agencies, mandated solutions would not stand a chance. The best thing to do, I believe - is to REPORT the card schemes to the UK competition office.

  33. Dave
    Black Helicopters

    Don't like it myself

    Whenever I've been confronted by the VbyV screen I've declined to sign up, I'm not comfortable with inputting the personal information they ask for.

    The only effect to me has been that I now pay my council tax and BT phone bill using the automated telephone CC system, rather than a website.

    If Amazon UK, or my web hosting provider start requiring it, I suspect I'll opt to pay by cheque.

  34. Andrew
    Stop

    Inadequate Security on All card Txns

    The issue is that the various organisations, APACS, banks, card-issuing companies, IT solutions companies and retailers, are all looking at this separately.

    The retailers do everything at the cheapest possible cost, the banks say it is the retailers' problem, VISA and Mastercard say that it is down to the banks and APACS tries but fails to bring them all together.

    Fraud has improved in the customer-present world and despite people's ranting, chip and PIN has improved things; however this has been marred by stupid short cuts being taken by both the banks and the retailers. Also nothing at the time of implementation was done about the user experience, which is not good!

    VbyV and 3D Secure have been put into place to look at online fraud and theoretically to protect the consumer. It Fails!!!!!!

    I would advise people only to use sites that they know and trust and where you have confidence in the e-tailer. Also only deliver items to your registered address - that cuts out fraud. Some sites will do more checks e.g. against the electoral roll. It is only through the application of common sense and other interrogation of personal data that we can cut online fraud. Not VbyV or 3D Secure, which is basically useless!
