Yet another hideously insecure system, of which the only real purpose seems to be another way of blaming the customer for any fraud, as they must have allowed their password to become known.
Much was made of how easy it was for a hacker to reset Sarah Palin's webmail account password and gain illicit access to emails, but resetting passwords for Verified by Visa - which supposedly makes online transactions more secure - is arguably even easier. To reset Palin's email account a hacker needed to know the Republican …
Mint would not allow me to use symbols in my password, hence stopping me using any of my normal ones, and blocks the last 15 from re-use.
However, it did allow a completely trivial password where a single letter was replaced by a digit and is utterly insecure. As far as I'm concerned that qualifies as BROKE.
Anonymous, cos I don't want anyone getting ideas...
HSBC at least you can skip nearly ALL verification steps in the enrollment altogether because it STORES THE STATE IN THE CLIENT BROWSER. When I tried to get to their security to report it, they offloaded me to the monkeys in the call centre which did not have a script to handle ANY coding security bugs/problems in their portals and had no f*** idea on how to register it.
This is still an improvement over American Express from 5 years back which performed a mandatory sign-up to marketing indoctrination when I tried to report a similar idiocy in their Internet banking registration.
All of them have no clue and that is all that needs to be said about it (out of all I deal with, Nationwide is the sole significant exemption of having at least some residual clue - they know how to use PGP).
1. No security contacts
2. No bug reporting contacts
3. Unable to use PGP or any other form of encrypted communication. All answers are given via printed matter which contains mostly "Dear Luser, do not worry about it, these are not the problems you've been looking for".
Just moved. House has had the same name for over 160 years but despite telling the bank the correct spelling they used a corrupt Postcode Address File and changed one letter in the house name. Result - payments refused as stated address did not match registered address of card. Same corrupt PAF in use by DVLA - though not by Royal Mail, oddly.
Very few people use Royal Mail's PAF, as it is such a bloody mess, though as you've discovered mostly accurate. Also the charges for using it are ridiculous. Most companies get their PAF (cheaper) through third party software, which inevitably involves a degree of reformatting of the data. Also, there is (usually) nothing in the file which will force the user to update on even a semi-irregular basis, so the file they are using may have been there for years.
The PAF is produced by Royal Mail and is an extract of their master address database. It is sold to the likes of your bank or the DVLA through 3rd parties. Updates are sent to customers on a regular basis. So, if the information was once corrupted and subsequently updated (your postman may have noticed the problem and got it corrected), Royal Mail would have the latest version whereas other companies may still run on an old version of the data. Once they receive the latest update, they will have correct data.
When this happens the best thing to do is talk to your postman or someone at your post office and they can either get it sorted themselves or give you the details of the address management unit that you can call to rectify the problem. The data will eventually filter down to Royal Mail customers. It may take some time to filter down to all the companies you deal with but at least you can be sure that the master data is correct.
Because the VbV page is a frame, the browser can't report, either by the colour of the URL bar, or by dinky icons in the status area, the verification results for the VbV page. A scammy retailer is thus free to invent their own page, stealing your VbV password. Or you could be redirected by DNS poisoning or crapware on your PC.
Oh, and you can't opt out. Most cards will stop authorising transactions after a certain number of "declines".
Not because of the password, which I can never remember, but because it doesn't work on a secure PC!
I have to allow a website I've never heard of to run scripts and then ignore a warning of a potential cross site scripting attack. Not to mention most merchants load this page into a frame so it could be coming from anywhere.
About a year ago I was online shopping and the MC equiv to VbV screen came up, and I thought "oh shit, I forgot my password" (I had used it once before to "set" the password in the distant past). I remember fretting that resetting the password might involve a call to card services and a bunch of verification but was surprised/shocked the process was so damn easy (like the article said just some CC details, the same details someone would have if they stole your CC creds). And since then I have completely forgotten about it, until now. Thanks for publicizing this Reg.
OK so it's easy to reset your password. You need the card AND the card holder's DOB. However if you're using an ecommerce site that doesn't use VBV or similar then you generally only need the card in your hand. So which is more secure?
It's only one simple verification step, but I'd rather have that step than just details that are clearly printed on the card.
And I'll say it again. Make it easy to set up and simple to lock down.
If they want us to take the responsibility then give us the security. I'm happy to take responsibility for not forgetting my password as long as the system itself is secure and that means not having the ability to reset willy nilly with minimal info.
Once a VbyV password is set up it should then be impossible to alter without jumping through many time-consuming security hoops, with something in writing going from the bank to the customer at the end of the process to confirm it has all happened. Then see how many people forget their password more than once.
Multi-factor is just switching from one, really secure piece of information (which your password should be), to a whole bunch of very insecure information. Most of the questions they ask anyone who knew me as a child would know, and as for my grandmother's maiden name, I've no idea.
You think so?
Some one buys some junk online with your card and I call the bank...
Without VBV - You get your money back.
With VBV - You are told that it's your fault since VBV was used. It must have been you, or you gave away your password. No money for you!
I absolutely loathe VbyV. Not because it's insecure but because it never works. Agree with Rob, above, that it's saved me some money! It certainly does seem like a ruse to distance card companies from fraud responsibilities.
Anyway, after trying to pay my bill with a certain mobile provider for half an hour & with 3 different cards (including Mastercard's equally hopeless equivalent of VbyV) I was about to give up. Then I noticed, below the VbyV frame, a link that said "can't see this?". I clicked on it & was wonderfully whisked away from the VbyV nastiness to a screen that said "payment successful"! Unbelievable, eh? Not strictly Visa's fault but a damning indictment of their system by a huge corporate customer.
I never remember the password on either of my credit cards.
Both of them use the Verified by scheme; I sometimes change the passwords 3 or 4 times a day.
It's far easier than remembering the password.
It makes my cards absolutely no more secure than they were before.
Paris because I've not seen any Paris stories on El Reg in a while.
PS can I go back to the old style of El Reg, given this one a go now for a while, and the old style... was well... it fitted El Reg nicely... this style... its too slick, it's not El Reg at all, I really dislike it.
Like some of the other comments VbyV has saved me loads of money, as I've given up many transactions when asked for the stupidly long and complicated password! I've had to take to writing it down now :s
Though to be fair, it's not as annoying as the stupid Nationwide card reader system, where you have to have the main account card inserted into a reader to do anything!
My wife and I have a joint account, the web side is registered to the wife's card and as I do all the finance I pay all the bills. Now I can't even pay bills without physically having my wife's card!
If the battery runs out, then you are screwed (it's not a normal, easy-to-hand battery), if the reader breaks you are screwed as you can't pay any bills until you get a new one.
I can't register my card online, as the joint account is already registered for online access and there is no obvious menu inside the online bit to add a second card holder, or any reference to how to do it under their FAQ. So I'm effectively locked out!! No doubt I'll have to drive 15 miles to the nearest branch with 50 different IDs to get access or spend 2hrs on a phone to some clueless sword.
Total rubbish system, I've never had any online account breached so don't see any value in it whatsoever and currently trying to convince the wife to move accounts because of it!
Technology making life simpler???? geee
@ Steve "Very few people use Royal Mails PAF, as it is such a bloody mess"
It is indeed a bloody mess, but I totally disagree with your assertion that very few people use it.
In my experience not only does everyone use it, but they rarely have any facility to override any inaccuracies in it (because they all treat the PAF as if it were sacred). Instead they tell you that you don't know where you live, because the Post Office knows better than anyone what your address should be.
In reality, the fuckwits who designed the PAF did so in such a way that non-numeric characters were forbidden from being entered into the field for building number. This means that any premises that is spread over more than one building is effectively screwed as the PAF will not allow you to put 27-29 Acacia Avenue or 131-135 High Street etc..
This has caused us untold grief, because in our particular situation, the work-around that was used was to put our building number into another field (for which it was not designed) and then jiggling about the remaining address elements to make space for this wrongly positioned building number (which results in our address being a total dog's breakfast and most of our mail going missing).
Attempts over 3 years to get this problem looked into basically elicited a "computer says no" response from Royal Mail.
It is virtually impossible for anyone of the 20 flats in our block to make online purchases because our address is so totally fucked up in the PAF that when we enter it correctly it's not recognised when matched against the PAF. We also can't enter it incorrectly (the way the PAF does) because the web page itself complains that you've put invalid entries into certain address fields.
The PAF is a disaster and yet companies insist on using it with no provision whatsoever for any manual override.
It sucks because a few times now the VbyV server that handles the validation would time out - I lost my shopping basket and was also flagged up as a fraudster.... quick phone call to Barclaycard and they claimed it was my connection... which is odd since music I was streaming didn't time out, video I was downloading didn't stop, and the shop pages displaying errors normally pop up quite happily after the timeout occurred.
Hate VbyV, but have no other choice at the minute as Egg, Barclaycard and Abbey all use Visa. :(
Some bugger got hold of my card details, reset my VbV password several times in order to steal €700 from my account. They didn't even have my frigging password!
Thankfully the bank refunded every transaction I hadn't approved, but this system is, as everyone here has stated, FUBAR.
As you lot seem to know a lot....
Is the reset being referred to here where you enter a new password or a new one gets sent?
Does anyone know of a straightforward password policy with a 'lost password' option that is reasonably secure but not a pain in the arse for users?
You are missing the point - that line of thought would stop only the dumbest of crims, getting a DOB is ridiculously easy, however over and above that the system introduces many more ways for users to be attacked as stated above, i.e. usually hosted in an iframe giving XSS vulns and making it easy to lull users into a false sense of security. It does seem like chip & PIN all over, where companies reduce their liability not by increasing security but by blame shifting to the user. It is a complete and utter f@cking joke and abuse of the public. Incidentally I wonder if there is any legal comeback for anyone who the CC companies refuse to refund after being defrauded, especially now there is evidence (such as this article/research required going into it) of them being notified?
I stumbled across VbyV when trying to buy a camera. I didn't have time or inclination to read the T&Cs so phoned the number provided and said 'I don't really want to sign up for this service until I've read more about it, will it affect my account if I just cancel?'
I was told it was fine to cancel and bought the camera elsewhere -- next thing I'm in the supermarket buying something for a few quid and my card's blocked -- I eventually found out it was because I declined VbyV.
I complained to the financial ombudsman about it all as I thought it was wrong that there was no way of knowing if a website used VbyV and then declining the T&Cs blocked your card.
I then had a call from my bank but it was obvious they weren't going to change their system so I took the 50 quid they offered me for my trouble! Still a crap system though...
I since found out that as long as you put your birth date and card number in you can cancel the password and the transaction still goes through -- no need to remember another pass....
VbV may be insecure, but Amazon is even worse. All they require for payment is card number, name and expiry. Not even the CVV digits on the back are required!
It's no wonder fraudsters use Amazon to spend their stolen card details (have been hit by this myself).
Is there any point to all this fraud security if one of the biggest retailers in the world doesn't even bother with basics?
I've just logged onto El Reg after having to reset mine so I could pay my Amex off online (I normally call them, but today used online instead). Couldn't remember even registering for VBV first time around, and just had the same "you've used this password before" message. I thought how ridiculous it was and then saw this as the banner headline!
Thankfully I hardly ever use my Visa online, and doubt I ever will again if this is the norm.
There are two reasons why this is worse than TFA suggests.
(1) it means that random arbitrary sites are proxying "security questions" for your bank. Those are the bits of info needed to take control of the account ("Hello, is that National Midlays Bank? Yes I've moved house and lost my CCs and chequebook, could you resend them? Password - oh, I forget it as well, but I can tell you my DoB / mother's maiden name / blahblah...")
(2) It habituates people to NOT have wailing sirens go off in their heads when organisations other than their banks (ie the ecommerce sites using VbV) request such info.
As they'd say on the wonderful RISKS Digest, "the RISKS are obvious".
And actually I'd love to see a Schneier analysis of all the ways this is teh failxx0r.
Incidentally my own bank (the Co-Op) gets a DOUBLE fail, because the flame I sent to firstname.lastname@example.org when I was first presented with this abortion of a security system bounced with "no such mailbox"...
Disclosure, I'm a professional infosec geek.
The Mastercard "SecureCode", as others have pointed out, is totally pointless. I have to reset it every time I use my credit card because it's far easier than remembering it.
I also don't see how redirecting you to a page that pretends, but from which you can never actually be sure, to be your bank and entering a lot of personal information is in any way secure...
Things were far easier and more secure before they bothered with it.
The solution to accessing joint accounts is to have your own card for the account. Then set up your own on-line account, using your card number. Now you will have access to the joint account with the card with your name on it.
Actually (Ts&Cs, etc) you shouldn't be logging in using your wife's details. Probably identity fraud or something.
I mean, if it would lock out a legitimate user, obviously it'll get all the fraudsters!
I still haven't figured out what the hell was going on last weekend, but as I was thinking of cancelling the card anyway, it doesn't matter. Apparently I can't remember my own birthday...
Another reason why the banks need to publicise this - misinformation.
The whole idea of 3D Secure, and why it's infinitely better than CVV, is you talk to your bank, not the e-commerce site; all the retailer does is get a link from Visa, which they load into an iframe (popups used to be common, but these days everything blocks them).
You then talk to your bank, nobody else, and when they're finished they bounce you back to a page on the retailers site.
This is why the little form you get from your bank (usually) has a greeting, something you've set before so that you know it's your bank you're talking to and not a con.
Also, all banks implement their own (most UK ones seem to be through secure suite though), so Irish banks may well have better implementations - this lack of standardisation though is just another nail in the coffin.
"This is why the little form you get from your bank (usually) has a greeting, something you've set before so that you know it's your bank your talking to and not a con."
You mean it knows your name? ...which you've already typed into the ecommerce site you're trying to buy from? What could possibly go wrong with that... (hint, how do you authenticate where the iframe's served from?)
I buy stuff from the vendor, I go to checkout and enter my card details. The card goes to verification and passes back a java applet which is delivered by a centralised multi-bank verification organisation. Into the form in the applet I have to type in an 8 digit number which is generated by my activID card which produces this number using a unique algorithm after typing in a 4 digit PIN. In addition there is a second field where I type in a reasonable strength password.
Sounds complicated but all I need to remember is my password (which is as secure as you can get without it being too complex to remember) and a 4 digit PIN. The ActivID is small enough to carry around, although I tend not to keep it with my credit card! It's not perfect but it sounds about 10 years better than where VbyV is at..
And yes it's not quick and easy if I lose the ActivID, but guess what? I can still actually physically pick up the phone and speak to a person at my bank who knows me personally, and they will send me a new card in a day or two.
... are a really great combination. Actually, this happens for me with both VbV and SecureCode.
Go shopping, input credit card details, click "buy" and get directed to VbV website. Enter VbV password, click submit. Web browser then reports that it's blocked an XSS-style request and wags its electronic tail. Online merchant then reports the transaction failed.
Doesn't stop the buggers billing my card, though. Cue time wasted on the phone to a call centre trying to get my money back.
The solution is, of course, to disable XSS-protection when shopping online, or to put exceptions in for that site. For every shopping site. Which kinda defeats the point of browser security, no?
Actually VbV knows more than just your name, which you rightly say you've just entered into the website .. it actually presents you with your unique VbV id, generally 8 characters or so which does contain, or at least part of, your surname but also some information you haven't entered - a random character and a few numbers normally.
OK - it's another thing you have to remember if you want to use this as a marker for a genuine request but if your bank just uses your surname then they have implemented VbV badly.
"You mean it knows your name? ...which you've already typed into the ecommerce site you're trying to buy from? What could possibly go wrong with that... (hint, how do you authenticate where the iframe's served from?)"
It depends on the bank how that works. My bank allowed me to enter any greeting I wanted. I'm not giving away my real greeting here, but it's something like "Hey Idiot!" instead of my real name. I can rest assured now only HSBC has the guts to call me 'idiot'.....
This doesn't solve the no-fuss-one-step-reset-problem though.
I used to work for one of the major card companies mentioned, in a reasonably senior position. There was good evidence that VbV was killing internet spend because the combination of the technology and its implementation was so poor, and that doubtless exceeded any fraud savings. I tried to kick off an investigation (increasing internet spend was good for my targets) but it ran out of steam in the labyrinth of distributed responsibilities across the wider organisation. Remember, in big financial institutions common-sense doesn't often win out, and IT departments are run like it's the 1970s. When a business person with a bit of amateur tech-knowledge (like me) asks questions of IT, or points out that in other industries the same thing is done to a higher standard and a fraction of the price, there's a lot of sucking of teeth and phrases like "well...it's not done like that round here". Good news is, there's no malice involved - just good old-fashioned incompetence.
Banks have been doing online business of one sort or another for decades and you think by now they'd have the security angle down pat. Quite the contrary, they seem to be retrogressing and bringing in notably insecure systems like VbV.
Wha' hoppen? Did the stupid, lying marketing departments sink their fangs into system design and drag the dead body of security back to their loathsome lairs? Did the people who Knew Security all retire with no one troubling to ensure transfer of expertise? Did system design get off-shored to a cut-rate shop in Kathmandu?
Myself, I rather suspect that marketing departments have gotten involved in matters they wot not. Some years ago I got a gushing missive from my bank (Royal Bank of Canada) "oh, gee whiz, aren't we special! you can do online banking now, just do this, this, and this." I phoned their help line and said "disable online banking on my account, it's not secure." (And running Win98 as I was at the time, that's an understatement.) "But sir, it's perfectly secure!" "No it isn't; some marketing wonk turned it on without my say-so." <silence>
Having online banking disabled has caused a minor problem or two, but I'd rather that than discover someone has cleaned out my hard earned retirement savings!
Where do the banks find these idiots? If they feel a marketing department is a sine qua non, why don't they at least follow standard security measures and keep the marketing wonks locked in cages in a sub-basement away from anything of importance?
I hated Verified by Visa the first time I tried to use it. Despite having my card details it insisted I was entering them incorrectly. I assumed that the birthdate it had recorded against my account must be wrong, but that wasn't it. The name printed on my card clearly had spaces between my first name and surname. The cardholder's name as held in the back-end database didn't, so it couldn't match what I was entering.
If VbV is used fraudulently but the bank refuses to reimburse the victim, I'd be interested to see it go to court. Since the system is inherently insecure I can't see the banks having a case.
It would be hard to sit down and come up with a more insecure and pointless system than 3DSecure. It's what happens when the marketroids get involved in technical stuff.
@ Daniel Haynes - the best lost-password policy I can think of is the tried-and-tested email to a pre-registered address. Simple to implement, simple to understand.
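What that "e-mail to a pre-registered address" reset looks like when done carefully, as an added illustration (not code from any bank or from this thread): the token is random, only its hash is stored, it is single-use, time-limited and limited in guesses, and the request endpoint reveals nothing about whether an account exists. The 15-minute lifetime, the 5-attempt limit and the in-memory "outbox" standing in for the mail system are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset token is valid for 15 minutes
MAX_TOKEN_ATTEMPTS = 5        # assumption: wrong tokens before the request is voided


class ResetService:
    """Minimal 'lost password' flow: a random token goes out of band to the
    pre-registered e-mail address, only its hash is stored server-side, and it
    is single-use, time-limited and rate-limited. Card number or date of birth
    play no part in it."""

    def __init__(self, clock=time.time, ttl=TOKEN_TTL_SECONDS):
        self.clock = clock
        self.ttl = ttl
        self.accounts = {}   # account id -> {"email": str, "pw": (salt, digest)}
        self.pending = {}    # account id -> {"hash": str, "expires": float, "attempts": int}
        self.outbox = []     # constructed stand-in for the mail system: (email, token)

    @staticmethod
    def _hash_pw(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt, digest

    def register(self, account_id, email, password):
        self.accounts[account_id] = {"email": email, "pw": self._hash_pw(password)}

    def check_password(self, account_id, password):
        acct = self.accounts.get(account_id)
        if acct is None:
            return False
        salt, digest = acct["pw"]
        return hmac.compare_digest(digest, self._hash_pw(password, salt)[1])

    def request_reset(self, account_id):
        """Start a reset. Returns nothing either way, so a caller cannot learn
        whether the account id exists; the token only travels via the outbox."""
        acct = self.accounts.get(account_id)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        self.pending[account_id] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),  # never store the token itself
            "expires": self.clock() + self.ttl,
            "attempts": 0,
        }
        self.outbox.append((acct["email"], token))

    def complete_reset(self, account_id, token, new_password):
        """Consume the token and set the new password. False on any failure."""
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[account_id]            # expired: must request again
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(entry["hash"], presented):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_TOKEN_ATTEMPTS:
                del self.pending[account_id]        # too many guesses: void the request
            return False
        del self.pending[account_id]                # single use: consumed on success
        self.accounts[account_id]["pw"] = self._hash_pw(new_password)
        return True
```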
That'll be the irritating calculator sized thingy that my bank foisted on me. This means that in addition to a card, I now need to carry around a stupid bit of kit the size of a calculator on the off-chance that I need to pay for something over the Internet.
I just use a different card now.
...the banks issue a printed-grid keycard with 100-odd cells, each with a unique number, and every online transaction requires one of these values to be entered into the browser. When a cell's value is used, it expires, and this continues until all 100-odd cells have been used, at which point a new keycard is issued. As well as the key-card, it's also necessary to use one's customer login number and password.
Therefore, unless you have this particular printed keycard in your possession, it's not possible to use the VbV system (unless you get incredibly lucky entering random numbers!). And I keep my keycard in a very safe place, well away from my credit card.
It's a system that is supremely secure, I think, especially seeing as if you lose the card or enter a number wrong 3 times (at which point the keycard is cancelled) you have to order a new one.
I'm very happy with it, anyway, and always feel completely secure shopping online using VbV.
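The server side of the printed-grid keycard scheme described in this post, as an added example written for this page (it is not any bank's implementation): each cell is single-use, a replayed cell counts as a wrong answer, three wrong answers cancel the card, and once every cell is burned a new card must be issued. Cell count (100), six-digit cell values and the `seed` parameter used for reproducible tests are assumptions.

```python
import hmac
import random
import secrets
from dataclasses import dataclass, field

CELLS = 100          # cells on one printed keycard (the post says "100-odd")
MAX_FAILURES = 3     # wrong entries before the keycard is cancelled, as described


@dataclass
class KeyCard:
    card_id: str
    cells: list                         # server-side copy of the printed values
    used: set = field(default_factory=set)
    failures: int = 0
    cancelled: bool = False


def _rng(seed):
    # OS CSPRNG for real issuance; a seeded generator only for reproducible tests
    return secrets.SystemRandom() if seed is None else random.Random(seed)


def issue_keycard(seed=None) -> KeyCard:
    """Create a fresh keycard with CELLS random six-digit values."""
    rng = _rng(seed)
    cells = [f"{rng.randrange(10**6):06d}" for _ in range(CELLS)]
    return KeyCard(card_id=secrets.token_hex(4), cells=cells)


def next_challenge(card: KeyCard, seed=None):
    """Pick an unused cell to ask for; None if the card is cancelled or exhausted."""
    if card.cancelled:
        return None
    remaining = [i for i in range(CELLS) if i not in card.used]
    if not remaining:
        return None
    return _rng(seed).choice(remaining)


def verify(card: KeyCard, index: int, entered: str) -> str:
    """Check the value typed for cell `index`.

    Returns "ok" (cell now burned), "wrong" (strike recorded; a replayed cell
    also counts as wrong so a captured value is useless), "cancelled" (three
    strikes, or already cancelled) or "exhausted" (all cells used; reissue).
    """
    if card.cancelled:
        return "cancelled"
    if len(card.used) >= CELLS:
        return "exhausted"
    valid = (
        0 <= index < CELLS
        and index not in card.used
        and hmac.compare_digest(card.cells[index].encode(), entered.encode())
    )
    if valid:
        card.used.add(index)
        card.failures = 0
        return "ok"
    card.failures += 1
    if card.failures >= MAX_FAILURES:
        card.cancelled = True               # three wrong entries: card is dead
        return "cancelled"
    return "wrong"


def transaction(card: KeyCard, entered_by_customer, seed=None) -> str:
    """One online purchase: challenge a cell, then verify the customer's answer.

    `entered_by_customer(index)` stands in for the value typed into the form.
    """
    index = next_challenge(card, seed)
    if index is None:
        return "cancelled" if card.cancelled else "exhausted"
    return verify(card, index, entered_by_customer(index))
```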
In France, if you want a loyalty card for a certain supermarket you have to buy something first. I used my card as usual. You then fill in a form with Identity info (do you have your ID card Sir?)+ you have to give date of birth (twice on the form I filled in this week) or they will not accept the form.
They tell you to collect the card in a week's time.
Meanwhile they have all the data they need to alter your Verified by Visa password!!!
The lack of security questions by VbyV is horrifying.
"We're at the early stages of this system so we need something that allows people to re-register easily. As people get more used to it customer authentication can be ramped up. Some banks are already introducing two-factor authentication for online transactions."
Imagine a car manufacturer saying:
"We're at the early stages of this car so we need something that allows people to drive it easily. As people get more used to it we'll add stuff like brakes, lights, seatbelts, bumpers, crumple zones, etc later..."
The rest of us out here in techie land have to get things right first time, we go through iterative testing, and beta and all that crap; we define a final goal and work towards that goal and don't release a product or a method until that goal has been achieved.
They're saying, "In the early days, thousands of people could be ripped off, but we'll make it more secure later, honest..."
What, using the same idiot-minds you're using now? What will it be, another layer of duct tape over the existing layer of duct tape?
Oh for a government that had any kind of corporate responsibility agenda in its back pocket.
Dave says: "You then talk to your bank, nobody else, and when they're finished they bounce you back to a page on the retailers site."
WRONG! The details are submitted to another party's website. Not the retailer. Not your bank. Not even Visa themselves... Someone like "arcot.com". Ever heard of them? No, me neither.
(The "arcot.com" example comes from the checkout at "dabs.com")
I closed my Smile account because of concerns about VbV, and would encourage others to do the same.
"Because the VbV page is a frame, the browser can't report, either by the colour of the URL bar, or by dinky icons in the status area, the verification results for the VbV page. A scammy retailer is thus free to invent their own page, stealing your VbV password. Or you could be redirected by DNS poisoning or crapware on your PC."
You could deliberately submit an incorrect value the first time. If it's accepted, it wasn't the real deal.
They're just lagging behind on testing the latest card technology that incorporates One-Time Password token technology into the card itself. OTP generators have already been proven in the corporate security world (RSA, VeriSign, Entrust, etc.) but the keychain form factor is too clunky for us to carry around. A few weeks ago, Bank of America launched "SafePass", a card token that is essentially a credit card sized OTP generator that displays a 6-digit OTP on the face of the card when the customer squeezes a button on the card. This is great for online banking account access and eventually will secure web and other card-not-present purchases when merchants realize that chargebacks could be eliminated by accepting an OTP card instead of a credit card number.
At POS, if Visa/MC would modify their security protocol for VbyV and SecureCode slightly, they could dramatically improve the security of credit card transactions online and at POS. For the online world, rather than use a static password that is too easily reset, if they prompt for a One-Time Password that can only be generated by the original card, they eliminate card duplication fraud and copied card numbers being used remotely. For the POS world, a program change that can be downloaded to the terminals would enable an "OTP" transaction type. So the cardholder has a choice: Credit, Debit or OTP. An OTP transaction at POS would prompt the cardholder to press the button on the card, enter the 6-digit OTP plus their PIN.
I shamelessly admit that I work for one of the OTP card makers but I have been following this "powered card" technology for over 12 years now and have a passion to help protect our identities. The technology exists and it's affordable. Barclays is testing these cards now so you'll soon see the OTP card in the UK market. We need to stop fraudulent transactions at the point of sale, online or otherwise, by using One-Time Passwords built in to the debit/credit cards. Awareness is the first step toward better solutions. Check out InCard.
Biting the hand that feeds IT © 1998–2019