Mastercard and Visa to ERADICATE password authentication

Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme. The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise …

  1. dogged

    Dubious, philosophically speaking

    "We want to identify people for who they are, not what they remember"

    riiiiiiiiight

    1. NumptyScrub

      Re: Dubious, philosophically speaking

      Looks like some people believe that it is nature, rather than nurture, that defines us. ^^;

      I agree that I am the sum of my experiences, however :)

  2. DrStrangeLug

    Biometrics

    Seriously people, stop thinking biometrics are secure.

    I've seen fingerprint authentication fooled for the cost of a camera and an inkjet printer.

    1. Anonymous Coward
      Go

      Re: Biometrics

      That would be the most basic ones on the planet...half decent ones look for a pulse and blood vessels

      1. A Known Coward

        Re: Biometrics

        "half decent ones look for a pulse and blood vessels"

        Which I've seen defeated countless times by simply placing your finger behind the photocopy of a fingerprint (or a latex print created by the same).

      2. Carpetsmoker

        Re: Biometrics

        Indeed. This is truly impossible to fake...

        </sarcasm>

      3. DragonLord

        Re: Biometrics

        The most recent one that I've seen going into general use eschews fingerprints for scanning the pattern of the blood vessels in your finger.

        1. Khaptain Silver badge
          Pint

          Re: Biometrics

          The most recent one that I have seen captures your DNA and Blood, sends a sample to a local Vogon spaceship, analyses the results for any traces of Pan-Galactic Gargle Blaster, calls up Zaphod directly, asks if he was drinking with you lately and if not zaps you into oblivion.

          Why the importance of this diatribe, simples, it's great to have highly advanced techniques but they MUST BE AVAILABLE before anyone can use them and this takes bloody years......

          meanwhile as I reach for a bottle of good Ol' Janx Spirit.... ------>>> Yes it's Friday

        2. AndrueC Silver badge
          Coat

          Re: Biometrics

          Covered by a very early Mythbusters episode. Also of note - the manufacturer offered some kind of guarantee that it couldn't be beaten. So that's two lessons in one ;)

          Mine's the one with the hands in the pockets to stop someone cutting them off and using the fingerprints.

      4. Cynic_999 Silver badge

        Re: Biometrics

        I work with many different fingerprint scanning systems, but so far have not come across a scanner that detects either blood vessels or a pulse. I'm not sure how well either of those things would be detected in a cold environment either.

    2. Nigel 11

      Re: Biometrics

      I've seen fingerprint authentication fooled for the cost of a camera and an inkjet printer.

      Or for the cost of a piece of sellotape (to lift a fingerprint), a small piece of photo-resist-coated PCB material, standard etchant, and a blob of silicone rubber. Which method has the advantage that it does not need any connivance from its victim. It's just a slight modification of the long-known method for putting a random fingerprint on an incriminating object. (Pray you have a good alibi if it's your print they lift.)

      Or for no cost at all. A brutal criminal will just cut off your finger(s) and leave you tied up while he empties your bank account. Mercedes used to sell cars that used the owner's finger instead of a key. Until South African carjackers started cutting drivers' fingers off. Mind you, that was better than being shot dead and then having your fingers hacked off. Or vice versa. No way I'd drive any car except a rust-bucket in a country like that. Safer still to not go there at all.

      No way am I ever going to carry a financial instrument that uses part of my body as a key.

      1. Anonymous Coward
        Anonymous Coward

        Re: No way am I ever going to carry a financial instrument that uses part of my body as a key.

        I also leave my brain at home when going to the atm :-)

        1. Gene Cash Silver badge

          Re: No way am I ever going to carry a financial instrument that uses part of my body as a key.

          Most people apparently do.

          This morning I wondered if the woman in front of me was attempting to negotiate a hostile takeover of the bank via the ATM. LADY! YOU DON'T NEED TO QUERY YOUR BALANCE THREE TIMES IN A ROW! IT WON'T MAGICALLY HAVE MORE MONEY!

          1. Mark Cathcart

            Re: No way am I ever going to carry a financial instrument that uses part of my body as a key.

            Really, why not? I transfer money to my kids, it shows up within 15-mins...

      2. Daniel B.
        Boffin

        Re: Biometrics

        No way am I ever going to carry a financial instrument that uses part of my body as a key.

        OH SO VERY AGREED. Anyone who has watched either The 6th Day or Demolition Man already knows exactly why biometrics for security are a very bad idea. Sure, high-end biometric scanners will usually check if the body part is still attached to its rightful owner, but the common criminals won't necessarily know this before hacking off your finger or plucking out your eye. And they might still do it out of spite anyway.

        Stop this biometric madness. If you want better security, go down either 2FA, PKI, or some combination of these. Biometrics are going to be painful.

    3. Jin

      Re: Biometrics

      There is another issue to look at.

      Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

      Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

      What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.

      As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
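A small model of the AND/conjunction versus OR/disjunction point made in this post, as an added example that is not part of the original thread; every rate in it is a constructed illustrative value, and the lockout model assumes independent biometric attempts.

```python
"""AND vs OR composition of a biometric and a password.

Added example, not from the forum thread. It works through the post above:
under OR (either factor unlocks) the attacker wins if *either* factor is
defeated, so the combined false-accept probability is x + y - x*y; under AND
both must be defeated (x*y), but the legitimate user is rejected if either
factor rejects, and repeated biometric rejections can lock the device.
All rates below are constructed illustrative values, not vendor figures.
"""


def or_attacker_success(x: float, y: float) -> float:
    """OR/disjunction: P(at least one factor accepts the attacker)."""
    return x + y - x * y  # same as 1 - (1 - x) * (1 - y)


def and_attacker_success(x: float, y: float) -> float:
    """AND/conjunction: the attacker must defeat both factors."""
    return x * y


def and_user_rejected(frr_bio: float, frr_pw: float) -> float:
    """AND: a genuine user is refused if either factor falsely rejects."""
    return frr_bio + frr_pw - frr_bio * frr_pw


def and_lockout_probability(frr_bio: float, attempts: int) -> float:
    """AND with no password fallback: probability that `attempts`
    consecutive biometric presentations are all falsely rejected, i.e.
    the 'device finally locked' case the post describes.
    Assumes independent attempts, an optimistic simplification: a cold or
    wet finger tends to fail repeatedly."""
    return frr_bio ** attempts


def compare_policies(far_bio, frr_bio, p_pw_guess, frr_pw, lock_after):
    """Return attacker-success and genuine-user-rejection figures for
    password-only, OR and AND policies."""
    return {
        "password_only_attacker": p_pw_guess,
        "or_attacker": or_attacker_success(far_bio, p_pw_guess),
        "and_attacker": and_attacker_success(far_bio, p_pw_guess),
        "and_user_rejected": and_user_rejected(frr_bio, frr_pw),
        "and_lockout": and_lockout_probability(frr_bio, lock_after),
    }


def or_never_beats_password_alone(y: float, samples: int = 1000) -> bool:
    """Check the post's claim: for any biometric FAR x in [0, 1],
    x + y - x*y >= y (equality only when x == 0)."""
    return all(or_attacker_success(i / samples, y) >= y
               for i in range(samples + 1))


if __name__ == "__main__":
    # Constructed numbers: sensor FAR 1 in 50,000 and FRR 3%, a 1 in 10,000
    # chance of guessing the PIN within the allowed tries, the PIN mistyped
    # 1% of the time, and the device locking after 5 biometric failures.
    report = compare_policies(far_bio=2e-5, frr_bio=0.03,
                              p_pw_guess=1e-4, frr_pw=0.01, lock_after=5)
    for name, value in report.items():
        print(f"{name:>24}: {value:.3e}")
    print("OR never safer than password alone:",
          or_never_beats_password_alone(1e-4))
```

The output makes the trade-off explicit: OR raises attacker success above the password-only figure for any non-zero sensor FAR, while AND lowers it at the cost of a higher genuine-user rejection rate and a non-zero lockout probability.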

  3. Carpetsmoker

    So how secure are 'biometrics'?

    I don't understand the focus on 'biometrics'.

    Given that it's not that difficult to fake a fingerprint, this means we will all have to wear gloves? Because otherwise anyone could swipe my fingerprints, and have my "secret" code (ie. my fingerprint).

    Even if through some technological breakthrough somehow a brand new 'biometric' system will spring to life, it's not at all inconceivable someone will find a way to fake this in such a way that will fool the detectors.

    This is a problem with *all* biometric authorisation (iris scans, etc.) ...

    Passwords, on the other hand, are something only *I* know, and reading my thoughts is not only impossible today, it's quite possibly not even physically possible.

    There are also more practical concerns, how will this work? Will I need a fingerprint reader? Will that work with my BSD system? Or do I need a smartphone? What if I don't have a smartphone? Will this system even be secure? History has taught us that these sorts of systems often contain flaws (sometimes quite serious ones). At least the current systems are well understood (flaws and all).

    The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, that's nothing new; every bank already does that, as do some services like Dropbox.

    In any case, I don't see how 'biometric authorisation' will make matters better, especially if this means it *replaces* passwords (rather than supplement them).

    1. DragonLord

      Re: So how secure are 'biometrics'?

      Why does everyone automatically jump to fingerprints as soon as anyone mentions biometrics? Of the entire set of things that you could use on the human body (non-invasively) for biometric checks, the fingerprint is just a fairly small subset.

      1. Anonymous Coward
        Anonymous Coward

        Re: So how secure are 'biometrics'?

        "Why does everyone automatically jump to fingerprints as soon as anyone mentions biometrics? Of the entire set of things that you could use on the human body (non-invasively) for biometric checks, the fingerprint is just a fairly small subset."

        It's just the simplest representation to present in an argument, but the argument can be made for any and every biometric. Quite simply, just about anything man can create, man can either re-create or subvert. How do biometrics stop a Man in the Middle, for example, like a tampered entry point, which is physically proven to be impossible to completely secure simply because anyone can find and subvert a point outside a chain of trust and disguise it as a trusted point beyond the point of everyday detectability?

        1. djack

          Re: So how secure are 'biometrics'?

          Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form.

          During enrolment, the authentication server collects data about your authenticator. This may be your password (hash), a seed for a 2FA token, X.509 public key or the base sample data for the biometric (etc. etc.)

          During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.

          The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.

          That's why on many Windows networks if you have a password hash, it matters not that you don't know the password, or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and just bypass the scanner hardware.

          In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.

    2. Charles 9 Silver badge

      Re: So how secure are 'biometrics'?

      "The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, that's nothing new; every bank already does that, as do some services like Dropbox."

      Then someone breaks your master password. Or your memory's so bad you can't even remember that password. And the moment someone says, "Tough!", that someone loses at least one customer. So what are you going to do? Customers are demanding turnkey solutions that don't rely on memory and won't take no for an answer.

      1. Anonymous Coward
        Anonymous Coward

        Re: So how secure are 'biometrics'?

        I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).

        My UK bank account is particularly unusable since it prevents me from using a password manager by asking for random characters from my password.

        Having said which - the visa and mastercard verification MITM popups are the most half-assed and broken web abortions I have ever seen. They look exactly like a phishing MITM attack, they fail to work on some browsers, etc etc. Glad to see them go.

        1. Trainee grumpy old ****
          Trollface

          Re: So how secure are 'biometrics'?

          >> particularly unusable since it prevents me from using a password manager by asking for random characters from my password.

          Get a better password manager? One that lets you select specific characters / substrings from your password.

        2. djack

          Re: So how secure are 'biometrics'?

          "I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."

          Barclays and Natwest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticates access to the account and at the transaction level (the first time you send money to a recipient).

        3. Daniel B.
          Boffin

          Re: So how secure are 'biometrics'?

          I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor).

          See, sometimes forcible regulation brings good things. All Mexican banks offer 2FA, because they are mandated by law to do so. Pretty much every bank implemented some form of 2FA since 2007, and the last one that still used the corny "card number matrix" switched to physical real tokens sometime around 2011.

          Meanwhile in the US, 2FA is nowhere to be found.

        4. jonathanb Silver badge

          Re: So how secure are 'biometrics'?

          Some of my UK bank accounts have two factor authentication.

          RBS/Natwest, Barclays and Nationwide have a card reader, so I have to put my card in it, enter a PIN and get a code which I enter into the website.

          HSBC has a code generator which gives me a number to enter into the website.

          Halifax and Santander send a code by SMS to my phone which I have to enter into the website.

    3. Anonymous Coward
      Anonymous Coward

      Re: So how secure are 'biometrics'?

      > The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords

      Even without a password manager. I have about two dozen passwords or so, and remember them all (most of the time!). It's not that I have great memory or anything

      What was I saying?

      Ah yes, not great memory, but I just learn to associate the passwords with the object/site/system I am trying to access, so that for example The Register becomes "8fLpow35" or whatever. Compared to the number of nouns one regularly uses in everyday language, a couple dozen passwords do not seem much. Of course it does require a little intellectual effort--not something I ever see as a bad thing, mind.

      Not advocating this system, just presenting another possible approach to the too many passwords problem.

  4. Kevin Johnston Silver badge

    W00h00

    I cried when I read this...

    and it took ages before I could stop laughing/cheering long enough to start typing.

    From its very first day I could never see this as anything other than an MitM vector waiting to be re-purposed

    1. Ian 62

      Re: W00h00

      First time I encountered VbyV (many years ago) I called the card issuer and said "What is this?".

      The call centre replied with, "We've never heard of it, so we've locked your card".

      Frankly, it's been downhill ever since.

      Can't remember your password?

      Re-set immediately just by using the details on the card and the date of birth.

      It's not like my DOB is very secret.

      1. Nick Ryan Silver badge

        Re: W00h00

        I don't think I've ever, once, entered a password on the entirely pointless and annoying Verified by Visa "service". Every time, it's "forgotten password", followed by a few basic details that I can remember and yet another relatively random slew of numbers and letters for the new password.

        Are there any details on how the delusional, control-freak muppets are planning the next ludicrous "security theatre" of authentication?

        1. fruitoftheloon

          @Nick Ryan Re: W00h00

          Nick,

          me too, I have always reset notVerifiedbyVisa with the same password EVERY F'ING TIME it comes up, I have no idea why, but until the last few months it never seemed to remember my password.

          So a bit chocolate teapot really...

          Ymmv.

          J

      2. Charles 9 Silver badge

        Re: W00h00

        "Can't remember your password?

        Re-set immediately just by using the details on the card and the date of birth.

        It's not like my DOB is very secret."

        So how do you tell the difference between a real customer with a bad memory and an intruder who did the research?

        1. John Miles

          Re: It's not like my DOB is very secret.

          Mine is if your website is called something like Facebook (I had to create facebook account but fortunately for an organization page not myself) or I don't think you need to know it at which point I take days, months, years and/or decades off my age

        2. Cynic_999 Silver badge

          Re: W00h00

          The usual way IME is apart from the usual DOB and "memorable question", my bank asks questions regarding recent and/or regular transactions. "Which supermarkets do you usually shop at?" "When did you last withdraw cash from an ATM?" "Have you bought a lottery ticket online over the past week?" etc. Of course it is possible that the fraudster has a copy of my bank statement that is less than a week old, but far less likely than knowing my DOB or family details.

    2. Anonymous Coward
      Anonymous Coward

      Re: W00h00

      Not just that but from a retailer point of view it was a pain.

      If you have an ecommerce site and spend a lot of effort with UX on your payment funnel then you capture the customer (who wishes to purchase), great!, however that pass over to 3DSecure and bam, forget their password, or the bank decides to reject the payment, etc.

      Not so bad to have extra security when you are delivering physical goods to a new customer, but if you aren't then a third party is deciding whether a customer can shop with you or not and there is absolutely no way of finding out why they couldn't complete. There were articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: W00h00

        > There were articles mentioning a 9% drop in conversion with 3Dsecure. Very few retailers can see that as a positive thing.

        Which is probably the reason why they're scratching it (i.e., sod all to do with the customer's convenience or security).

        Indeed, at one time one of my cards had that stupid system. There were some very unfortunate merchants in France who had this system forced upon them by their bank (providing the checkout). Much as I liked them, I had no choice but to forego their services until, a few months later, they wrote to tell me they were now accepting AMEX for those of us who could not / would not use that piece of shit of a "verification" system. I felt sorry for them since AMEX's merchant fees are double everyone else's, but...

        At the same time, my bank was claiming that this was enforced from the receiving end and there was nothing they could do. I closed my accounts on that bank so I don't know what the latest status is, but none of the banks that I do business with nowadays seem to implement that sorry thing, thankfully.

      2. Equitas

        Re: W00h00

        Apparently the credit card companies charge retailers considerably more if they don't use 3Dsecure. On the other hand, the customer is more likely to avoid a retailer who does put the customer through the nuisance value of those bizarre credit card "security" setups. I still think that a pass number being sent by SMS each transaction is a far better way of doing things.

        1. Anonymous Coward
          Anonymous Coward

          Re: W00h00

          They don't charge more than if you are using CVV, however they will absorb responsibility for fraudulent transactions (i.e. no chargebacks for stolen cards or unauthorised purchases).

  5. Anonymous Coward
    Anonymous Coward

    Stop with the mobile requirement already

    I don't want stuff via mobile, you need a sim and signal; a Three PAYG sim was a rip-off and a contract would be a complete waste of money for me!

    1. A Known Coward

      Re: Stop with the mobile requirement already

      How is a free PAYG sim from Three a 'rip-off'?

      Moreover how are call charges of 3p a minute, texts at 2p and data at 1p/MB a rip-off either? Assuming you ever use the thing? I put £10 on mine months ago and despite periodically checking my emails via 4G and making the odd call I've still got over £7 on there.

      1. Dave Pickles

        Re: Stop with the mobile requirement already

        It's a problem if you're in $FOREIGN_COUNTRY facing enormous roaming charges to receive calls and texts, with no way to top-up a PAYG account. Anyway, some of us just don't want a mobile phone.

        1. A Known Coward

          Re: Stop with the mobile requirement already

          Forgive me, but if you're in $FOREIGN_COUNTRY you're not going to be shopping online much are you? Services are a bit different, but it still seems like you're being a bit pedantic.

          I'm not really in favour of using phones for 2FA either, but the original poster's comment about a PAYG sim being a 'rip off' just seems like complete rubbish. It's only expensive if you use it a lot, but the original poster clearly wouldn't use it very much since they manage to get by without a phone at all.

          1. Cliff

            Re: Stop with the mobile requirement already

            AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection. And seeing as three and other networks are currently rolling out in-package calls for more and more roaming countries, that gets less of a deal.

            1. David Roberts Silver badge

              Re: Stop with the mobile requirement already

              When I go abroad to visit family I go for a while.

              When in country I expect to be able to shop on line even when I have popped a PAYG SIM in my phone.

              I could be booking hotels, motels, camp sites, ferries, flights using the new SIM either directly on my phone or tethered to laptop or tablet.

              I may even want to click and collect at stores.

              For this to work in the age of the global traveller you would need to be able to switch phone numbers quickly, easily, and repeatedly from abroad.

              Given that proviso it doesn't seem quite as secure.

            2. Charles 9 Silver badge

              Re: Stop with the mobile requirement already

              "AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection."

              Even in the US, it's pretty easy to pick a plan that has generous texting allowances if not unlimited texting, meaning even if they charge for receiving, it becomes just a drop in the ocean.

          2. Anonymous Coward
            Anonymous Coward

            Re: Stop with the mobile requirement already

            > Forgive me, but if you're in $FOREIGN_COUNTRY you're not going to be shopping online much are you?

            Could you expand on that please?

            1. Anonymous Coward
              Anonymous Coward

              Re: Stop with the mobile requirement already

              >Could you expand on that please?

              What needs to be explained? How many people shop on-line while abroad as much as they do at home? How many people do it at all? Hands up please.

              First off it's assumed $FOREIGN_COUNTRY is the country in which you do not live for most of the year, because then it's no longer foreign. $FOREIGN_COUNTRY is somewhere you are visiting for a business trip or holiday, not the house you own in France and live in for months each summer.

              Many stores won't ship to a different street address than the one which appears on your bank statement, almost none will ship when the country is different, it's an anti-fraud measure. So immediately shopping on-line when abroad becomes more difficult.

              Then there's the cost of shipping abroad, assuming you're buying from the country in which you normally reside, this isn't something you'd make a habit unless it was vital - e.g. arrived at your destination and realised you've forgotten something that can't be purchased locally. In these circumstances why would you not also be prepared to turn your phone on (or swap sims) to receive a text message?

      2. qwertyuiop
        Joke

        Re: Stop with the mobile requirement already

        Yeah, but those of us who have friends tend to have far higher usage and therefore it's more expensive!

    2. Charles 9 Silver badge

      Re: Stop with the mobile requirement already

      Well, for many, their mobile is the only second factor available to them, so if you want 2FA, it's mobile or bust. If you declare 2FA bust, then you now have to figure out how to build a security system that's tamper-proof, turnkey simple, and doesn't require a second factor? Last time I checked, that means the general public is not accepting anything less than the impossible.

    3. fruitoftheloon

      Re: Stop with the mobile requirement already

      Ac,

      not necessarily, Google Authenticator (I think that is what it is called) on my android generates a pseudo-random sequence to be entered into web pages etc, and does not need to be connected to the interwebs at the time.

      Works quite well, especially here in the countryside, where SMS 2fa is a pain in the derriere due to having ropey mobile reception...

      J

      1. Charles 9 Silver badge

        Re: Stop with the mobile requirement already

        Chicken and egg question. Why do you need an authenticator that doesn't require a Web connection for a service that basically requires you to connect to the Web?

      2. Credas Silver badge

        Re: Stop with the mobile requirement already

        There are also 2FA apps (like Authy) that have a browser-based interface as well - so removing the need for a mobile.

    4. Dave Bell

      Re: Stop with the mobile requirement already

      Yeah, if they start depending on mobile phones, there's a chunk of rural England (never mind the more remote parts of Scotland and Wales) which is locked out of buying over the Internet. Maybe depends on having a smartphone too.

    5. Stu J

      Re: Stop with the mobile requirement already

      Agreed. It's bad enough that my bank occasionally needs to text me if I try to access online banking from a new laptop; more so because I have barely any mobile phone signal at home unless I stand on one leg in the corner of my bathroom.

      If I had to do that for every online transaction - well, fuck that...

    6. MarkTheMorose
      Unhappy

      Re: Stop with the mobile requirement already

      +1. I don't have a mobile phone, so I can't use online banking with one of my accounts for anything useful, like transferring to another account. All I can do is check the balance.

      However, as with all things these days, it's not going to be changed by us moaning about this or that security scheme, it's just going to be forced on us no matter its shortcomings.

  6. Richy Freeway

    I never understood that extra verification step. I did it once for each card I have used online and have never been asked for the password again. I don't think I could even tell you what passwords I used now it was so long ago.

    When a transaction goes through now, the verification window pops up, whirls around a bit then returns to the merchant and the sale is complete.

    Am I missing something?

    1. John Miles

      Re: Am I missing something?

      This last week when I paid by a Barclays' Visa card it just came up and disappeared (but I am not sure I ever set anything up on that card), but when I used a HSBC Mastercard it came up and asked me for 3 letters of the password.

    2. Jamie Jones Silver badge
      Facepalm

      For the last few months, every transaction I've made which uses VbV has also been accepted without a password.. Maybe this is part of their phasing out?

      Ahhhhh, loading your bank's website in an iframe... What could possibly go wrong?!

      1. Richy Freeway

        I'm not talking a few months, this is going back about 4 years maybe. New cards have been issued during that period and since that first time of setting it up I've never once been asked to enter my password again.

        Same with our cards at work, mixture of Visa and Mastercard, never asks for the password.

      2. Vic

        Ahhhhh, loading your bank's website in an iframe... What could possibly go wrong?!

        VbV is even worse than that - it's loading an iframe that is most definitely not your bank's website, which then asks you for information...

        Whoever thought that up must have had a really bad hangover an hour or two later...

        Vic.

  7. wyatt

    Verified by Visa is shit3, I hate it and have to reset my password each time. I think if you block its connection then the sale will go through without using it! I doubt however the next method will be any better..

    1. Detective Emil
      FAIL

      I picked an appropriate and memorable password: it's something similar to smoke&mirrors.

  8. Justin Case

    Marta Janus

    Any relation of the late lamented Hugh, by any chance?

    1. Scott Broukell

      Re: Marta Janus

      Hugh Janus is not dead. He just smells funny.

      1. Sir Runcible Spoon Silver badge
        Coat

        Re: Marta Janus

        I thought he'd gone on a tour of the outer planets.

  9. msknight Silver badge
    FAIL

    Great...

    I live in a village. Mobile signal? Don't make me laugh.

    Utter fail and no messing.

    1. Nick Ryan Silver badge

      Re: Great...

      I don't live in a village. But I can get a mobile network if I'm either:

      a) standing, absolutely still, at the end of my garden with phone in the air.

      b) standing by a window on the upstairs rear of the house. And feeling lucky.

      Other than this, texts usually get through but can take up to three hours to arrive.

      I really should change network, but I can't find one that does work here. AIUI there were some planning NIMBY issues a few years ago and as a result no signal. Which will be even more entertaining when they build another few hundred houses nearby as they'll have no signal either.

      1. Ken Hagan Gold badge

        Re: Great...

        Nick, since you appear to be living in my house (if not my body, which my wife thinks is rather rude), can I suggest that you place the phone underneath the radiator in the back bedroom rather than by the window? For some reason it makes a difference.

  10. Weeble

    Expense...

    So, now I have to go and buy an iPhone* (+contract) just to authorise my credit cards ????

    I'm not sad to see VbV abolished, but maybe this is too high a price.

    (*Other mobile phones may be available in your market).

  11. BlartVersenwaldIII

    Start with the basics

    "It’s pretty well known that passwords are severely flawed: weak ones are easy to remember and easy to guess; strong ones are hard to guess, but hard to remember,"

    Is this the same "verified by visa" that limits you to a ten character password that won't let you use special characters, and can be reset just by having the card details, address and DoB of the owner?

    And there's no way in hell I want to be tied to a bloody mobile to be able to make payments with my card. Mobiles lose signal, lose battery, get turned off, get lost, get left at home for quiet weekends away. If they're really going to insist on 2FA why aren't they rolling out hardware tokens?

    1. Nick Ryan Silver badge

      Re: Start with the basics

      If they're really going to insist on 2FA why aren't they rolling out hardware tokens?

      Don't... please don't... they'll start to insist that we use the stupid (calculator size) chip and pin devices for every purchase. Annoying enough to have to use one every damn time I go to the online banking for one of my accounts, would just give up if I had to use the thing for every purchase online.

      1. sabroni Silver badge

        Re: stupid (calculator size) chip and pin devices for every purchase

        stupid how? Because it actually manages to provide a little security?

        I think "generate a token on the fly that's good for 15 seconds" is an excellent method, you have to be quick to steal that password and use it.

        Got any suggestions for a better mechanism?

        1. Keith Langmead

          Re: stupid (calculator size) chip and pin devices for every purchase

          "stupid how? Because it actually manages to provide a little security?"

          They're fine if you're only ever doing online ordering at home, but it gets annoying when you've got the availability of internet connections at work and on the move, but you can't place an order because the damn fob is on your desk at home. I wouldn't mind as much if they let you have more than one of them, either the fobs or the little card readers, at least then you could keep one at home and one at work (or other second location of choice) but last I heard none of the banks will let you.

          1. fruitoftheloon

            @Keith Re: stupid (calculator size) chip and pin devices for every purchase

            Keith,

            my token thingy (for HSBC) is actually small enough to reside in my wallet, quite a good design actually.

            J

            1. Anonymous Coward
              Anonymous Coward

              Re: @Keith stupid (calculator size) chip and pin devices for every purchase

              Is the token thingy in the same wallet as the credit/debit card?

              1. djack

                Re: @Keith stupid (calculator size) chip and pin devices for every purchase

                "Is the token thingy in the same wallet as the credit/debit card?"

                Probably, but that isn't an issue as you need to input your card PIN each time you use it (like you do in a physical shop).

            2. djack

              Re: @Keith stupid (calculator size) chip and pin devices for every purchase

              AFAIK, all those calculator things use the standard EMV (Euro?? Mastercard Visa) authentication package that is embedded in the chip on your bank card. As such they are pretty interchangeable - at the very least I can log into my Barclays account using a NatWest device.

              It's not too difficult to get a couple of the things (hint: most banks will send you a new one if it gets lost or breaks) and at work, all you need is to get one to share between a small group of trusted people.

              It can be made relatively painless really easily too, perhaps you force authentication once (a year?) for each individual combination of retailer and delivery address.

        2. Anonymous Coward
          Anonymous Coward

          Re: stupid (calculator size) chip and pin devices for every purchase

          "I think "generate a token on the fly that's good for 15 seconds" is an excellent method,"

          As far as I can tell - the same authentication code is given at the same time every day. You would have thought they would have used a 365 day calendar rather than a 24 hour clock.

      2. BlartVersenwaldIII

        Re: Start with the basics

        Not sure what you mean by "calculator sized" - are they already rolling out hardware tokens? Don't use online banking myself as 2FA wasn't on the cards when they asked if I wanted it.

        My RSA token easily fits on a key fob - it's just an LCD screen with six characters on it - and if the banks were to use something similar its ~3yr battery life would tie up nicely with the expiration of the cards they give you. Do the ones the banks hand out actually include a calculator or something?!

        1. Stacy

          Re: Start with the basics

          We use internet banking with two Dutch banks. One has the calculator thing and the other has phone text two factor authentication. Both work fine, though the phone is just so much easier that it gets used far more often. Both are so much superior to the stupid MasterCard site where I just reset my password every time I buy something online with it!

        2. Dave Lawton
          FAIL

          Re: Start with the basics

          HSBC retired the RSA tokens, and replaced them with a device the size of a small calculator, on which you have to use the keys to enter a PIN before it will generate the 'random' number to enter into the form on the website.

          I have to have 2 because they couldn't make two different accounts work with the same device.

    2. Keith Langmead

      Re: Start with the basics

      "Is this the same "verified by visa" that limits you to a ten character password that won't let you use special characters"

      That's the one, though I thought it was an eight character limit. When I had to set up my Mastercard one I came up with a completely random 20+ character password that was fine. I couldn't believe it some time later when I had to create my Visa one, when I tried doing the same (different password obviously) and got an error telling me it was too many characters!

      1. Vic

        Re: Start with the basics

        That's the one, though I thought it was an eight character limit

        My password has >10 characters in it.

        Still a crap system, though - the choice of characters is very limited, and the whole system is trivially walked around (as mentioned elsewhere).

        Vic.

  12. Zippy's Sausage Factory
    Thumb Down

    The key quote about VbV:

    "the scheme's only benefit is allowing banks to shift liability in the case of fraudulent payments"

    That's 100% of the reason for moving to biometrics, right there. Remember how they originally put that into chip & pin before people moaned and they had to take it out?

    1. Nigel Whitfield.

      Yes, precisely. The card companies are always looking for ways to shift responsibility, whether on to the user ("oh, our systems never fail, you must have shared your PIN, so tough luck") or to the retailer ("you didn't use 3D Secure? The fraud's your problem")

      I suspect they have been trying to do this ever since credit really started to boom in the 80s, and I doubt they've ever liked the joint liability the UK's Consumer Credit Act imposed upon them back in the 70s.

      I recall in the recession of the 90s, when I was working on Computer Buyer, and a reader had lost money when a mail order PC firm collapsed. When we spoke to their card company, they were trying hard to argue that things like lots of people ordering PCs by mail order were completely unforeseen by the people who drafted the 1974 Act, and so they really didn't have an obligation to pay out.

      In my view, they have been wriggling for years, and this is just the latest in a long line of attempts to ditch some of their obligations.

  13. Anonymous Coward
    Anonymous Coward

    What password ?

    When I buy something on-line I get to see some VbyV image/... and just wait a few seconds and it goes away. I have never been asked to enter a password!

    Posting A/C in case someone could rip-off my CC card somehow.

    Anyway: I have a card that I only use for on-line purchases, it has a lowish limit to reduce possible damage - people at the bank who I have spoken to seem to think that it is a good idea.

  14. RainbowTrout

    Yay!

    Glad it's gone as I have only ever had VbyV work correctly once........

  15. Anonymous Coward
    Anonymous Coward

    Old school ?

    Why does it seem to me the goal is 0% fraud ? When did that suddenly become the aim ?

    Back in the pre-internet days (yes, there really was such a time), it was more credit than debit card fraud (since we used to use cheques*) banks tolerated a certain amount of fraud, for a certain amount of money spent on security. I suspect it's still the same.

    So rather than thrashing around for the "perfect" security (i.e. 0% fraud), people should be thinking what can give me 1% fraud, for a reasonable (i.e. not damaging my profits too much) amount ?

    Before the internet, but after the click-clack machines, merchants would call up for purchases over the floor limit. Most of the time this would be invisible to the customer, but every once in a while, the card issuer would halt the transaction until the customer's identity was confirmed. I know because this happened to me, when I tried buying a >£100 item in 1985. It was considered "unusual" given my spending profile (weekly grocery shops) so I had to speak to Barclaycard.

    Does it really matter if the odd £10 dodgy transaction gets passed, as long as you catch the unusual £5000 a stolen/cloned card would be used for ?

    *Ask your grandparents

    1. Charles 9 Silver badge

      Re: Old school ?

      "Why does it seem to me the goal is 0% fraud ? When did that suddenly become the aim ?"

      Because it's being demanded by the customers due to all the hype about card detail theft, and they won't settle for anything less.

      "Back in the pre-internet days (yes, there really was such a time), it was more credit than debit card fraud (since we used to use cheques*) banks tolerated a certain amount of fraud, for a certain amount of money spent on security. I suspect it's still the same.

      So rather than thrashing around for the "perfect" security (i.e. 0% fraud), people should be thinking what can give me 1% fraud, for a reasonable (i.e. not damaging my profits too much) amount ?"

      I suspect their margins are shrinking, lowering their tolerance levels. That and the investors are likely complaining about bleeding money.

      "Does it really matter if the odd £10 dodgy transaction gets passed, as long as you catch the unusual £5000 a stolen/cloned card would be used for ?"

      That was before fraudsters learned how to get around this by simply using quantity over quality. One £10 scam is tolerable but try a million of them. Savvy scammers have learned how to "smurf," or suck a card just enough to prevent it being flagged and then letting it sit. They're also tying geographic information to cards so thieves can perform transactions in the boob's hometown, making it harder to detect. In such an environment, the inch becomes the mile, drawing the fight into an all or nothing conflict.

  16. lee harvey osmond

    Key fob?

    I recall somebody managing to embed a security code key fob into a payment card. What happened to that? Admittedly it doesn't authenticate that you're you, only that the person attempting authentication has the card at hand; that would still be better than a constant password.

    1. Charles 9 Silver badge

      Re: Key fob?

      It defeated the purpose of the fob: it's meant to be kept separate from the card so the thief/mugger steals the card but doesn't realize it has a fob until it's too late to go back for a second mugging. Sure, if the perp knows about it, they'll go for the fob, too, but at that point you're already up Crap Creek.

  17. Anonymous Coward
    Anonymous Coward

    "VbyV" etc are only used when you are making online transactions. It's hard to see what biometrics device would be cheap enough for everyone to have one. Unless it is a test based on you having a webcam - or your reaction time on a keyboard or touch screen.

    The mobile as 2FA is a good idea - assuming the mobile wasn't stolen with your credit card. Even if it was locked that probably won't stop people unlocking it.

    What if criminals set up a spoofing mobile tower relay?

    The little 2FA gadget from Barclays could be good - if they used a 365 day calendar rather than a 24 hour clock. Currently you appear to get the same code at the same time every day.

  18. Silly Brit

    Codes to mobiles? Eeep!

    I just hope that when purchasing something that:-

    - your phone is not in the car

    - your phone is not located in one of the many mobile not-spots

    - you're not trying to buy something over one of the peak times (new year anyone) when it can take hours to receive a message

    - you don't have a flat battery

    I guess it's early days & the details will follow in time, with a suitable resolution

  19. timw

    so gone will be the ability of the person who's found my wallet to reset my password by entering the DOB as printed on my driving license and instead I'll have to carry a fingerprint reader with me at all times just in case I want to buy something online.

    Nice to see someone agrees with me that it's only implemented to shift blame for fraud

  20. Anonymous Coward
    Anonymous Coward

    HOORAY

    it was a load of shit. I had to change my password every. single. time

  21. Phil O'Sophical Silver badge

    Must be two VbyV schemes?

    When I see VbyV it's in the form of a screen on the browser payment confirmation asking me to type in the code that has just been sent to my phone by SMS, a useful 2-factor system. What's all this password stuff people are talking about??

    The SMS-to-phone is actually very useful. When my card was cloned a couple of years ago it was the flood of texts that alerted me to the fact, and allowed me to cancel the card before it was really hammered. The crooks still got 1600euros of stuff from sites that didn't use VbyV, but the bank reimbursed me for that.

    If you don't have a mobile it can work to a fixed line, as I discovered when I made an online purchase when on a US business trip. The bank had my home landline number, and sent the text to that, where it was read out by a text-to-speech system. Would have worked fine had I not been in a Californian hotel, but my wife was not so amused to be woken up by the phone at 3am. She forgave me, the purchase was for her birthday :) That's when I gave the bank my mobile number...

  22. The Grump
    Joke

    Just...use...CASH

    It's hacker proof, works well at both Target and Home Depot, and it's very difficult for the gov'mint to track. Of course, keep wearing your foil-lined hats, and don't let strangers look you in the eyes and steal your thoughts (most of them are gov'mint agents anyway). Luck to you.

    1. Charles 9 Silver badge

      Re: Just...use...CASH

      Hacker-proof, but extremely vulnerable to muggers with absolutely no theft protection. Plus the difficult to track bit is being addressed. Query "Where's George?"

  23. Craig Vaughton

    In the meantime

    So until VbV goes, I'll have to keep turning Adblock Plus off if I'm using Safari on my Mac or keep using Firefox.

    It was quite amusing when Safari wouldn't display the VbV screen when you're trying to pay for concert tickets and the timer on the main screen is counting down! Quickly re-enters all data into Firefox session, finally gets tickets paid confirmation, then spends an hour or so working out why Safari didn't work in the first place.

  24. Anonymous C0ward

    Because no thief ever takes

    your phone as well as your wallet.

  25. Anonymous Coward
    Anonymous Coward

    Why worry about authentication ...

    When by next year we will all need Faraday cages for our cards because every other person on the tube is taking £20 out of my bank as they walk past me. Maybe we need less authentication and more authorisation control? Surely a second completely distinct authorisation mechanism that asks "Are you sure you want to spend this?" would be better than more levels of authentication on a single mechanism?

  26. tempemeaty
    Big Brother

    Do you smell what I smell?

    A large wave of retail point of sale security compromises this year right before a soon-to-be-coming preplanned roll out of a biometrics authentication system.

  27. ilmari

    For me, Verified by Visa asks me for user/pass (static), and a one time password (always different, pick up new list of 200 at bank when I run out), my bank's favoured authentication scheme. Occasionally I also need to enter a code sent via sms. That feature was opt-in though.

    For my friend who's with another bank, it asks for the digits displayed on some small plastic keyfob thing with the letters "RSA" on it. The digits seem to change every few minutes.

  28. Jin

    Ghosts cannot kill the password

    Many people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc). Claiming that one of them can kill the password is like claiming to have found a substance that floats in the air and yet sinks in the water.

    What can be killed is the text password, not the password. At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

  29. Anonymous Coward
    Anonymous Coward

    Yes!

    Thank christ for that. My BAU job is working for a company that sells a PCI compliant PaaS. Their 3D Secure integration is a folly I currently have to maintain that has never really worked (much like a lot of other stuff in this platform). I'm looking forward to the day when I can hit permanent delete on this rubbish.

  30. bex

    SMS authentication though not foolproof is far more secure

  31. Daniel B.
    Boffin

    2FA works, but it depends on what your bank thinks about "2FA"

    2FA as implemented by most banks is actually secure, which involves a physical token (RSA's SecurID, but there are others) which you will know if it is stolen or not. You really have to have the token in your hand at the moment you're doing a transaction, so physically having them will assure you nobody can do stuff with your account. It also assures you that you can do stuff anywhere you are, as the only thing needed is that token and nothing more.

    But I've seen that 2FA is increasingly being used to refer to something lazy. It is being referred to "we send your OTP via SMS", which adds stupidity to the formula. Instead of an actual token, it requires you to have 1) a cellphone number, 2) with coverage, 3) switched on during said transaction. Number 2 is an issue if you're travelling outside your country, but it can also be an issue in areas where you might have internet connectivity of some sorts, but no cell coverage. Why complicate stuff? There are even Virtual Token solutions (VASCO has one) where you can set up tokens on a smartphone if you don't want to spend that much on physical tokens. Hell, Blizzard has something like that for their Battle.net service!!!!

  32. Anonymous Coward
    Anonymous Coward

    There are no legal protections on bio data.

    So the crooks and governments will steal billions of fingerprint hashes, iris scans, DNA tests, whatever. It's all passwords in the end, the only difference being the hapless target can't change any of it.

    Not only that, in the USA at least, passwords are protected from legal intrusions by the government, while biometric data can be easily obtained via a low level warrant. Yes, they can use your finger print to crack your phone and there is no redress.

    BTW, as I recall it took less than a day for hackers to crack the Apple finger print scanner.

    We really need to get back to cash on the barrel for all purchases and payments.

    1. Charles 9 Silver badge

      Re: There are no legal protections on bio data.

      "We really need to get back to cash on the barrel for all purchases and payments."

      I thought we were trying to go AWAY from cash on the barrel because it offered no guarantee in the case of mugging. At least a stolen card can be invalidated and the transactions usually traced and refunded. With cash, you're screwed. Plus the plods are developing ways to track cash by their serial numbers (that's how "Where's George?" works).

  33. bep

    "The move to abolish passwords will no doubt be welcomed by customers. Today we have so many passwords to remember. As a result, most of us suffer from 'password fatigue' where we use obvious or reused passwords often written down on Post-it notes or saved in Excel files on laptops," he added.

    Or kept in a password storing app if you've got half a brain. Instead I will now have to have a mobile phone that works everywhere if I want to make Visa purchases. This proved a little bit tricky for me when I was in Brazil recently. The current system works fine for me, and if Visa or anyone else thinks I'm going to give a private company any biometric information about me they are out of their minds.

  34. n8close

    Risk assessment then challenge

    The biggest issue about 3D Secure (VbV/SecureCode) has been that it has been a static password for 100% of the transactions - even for your low value transactions that you do every week. The consumer experience is terrible, merchants don't like it, and the card issuers are struggling to reduce fraud.

    The newer risk based challenge systems allow for a thorough risk assessment of the transaction: if it's low risk then let the customer through with no challenge; for the very small percentage of transactions that are high risk, challenge the customer (SMS, token, biometric - whatever the customer and card issuer prefer).
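    As an added illustration (not code from any card scheme, issuer, or the commenters here), the risk-then-challenge flow n8close describes, combined with djack's earlier suggestion of forcing authentication once a year per retailer/delivery-address combination, can be sketched in Python. The risk factors, weights, thresholds and the sample card profile are all constructed assumptions.

```python
"""Risk-based step-up decision for a 3-D Secure style check.

Constructed illustration: the factors, weights, thresholds and the sample
card profile are assumptions, not any issuer's or scheme's real rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed tuning values. A first-seen or stale retailer/address pair and a
# very large amount each force a challenge on their own; the rest only add up.
TRUST_TTL = timedelta(days=365)       # re-challenge each pair once a year
VELOCITY_WINDOW = timedelta(hours=1)  # window for counting repeated attempts
CHALLENGE_THRESHOLD = 50

T0 = datetime(2015, 1, 5, 12, 0)      # constructed "now" for the sample run


def at(days=0, hours=0, minutes=0):
    """Timestamp relative to T0 (negative values go into the past)."""
    return T0 + timedelta(days=days, hours=hours, minutes=minutes)


@dataclass
class Transaction:
    merchant: str
    amount: float
    ship_to: str
    ts: datetime


@dataclass
class CardHistory:
    typical_amount: float                         # e.g. median recent approved spend
    trusted: dict = field(default_factory=dict)   # (merchant, ship_to) -> last challenge passed
    attempts: list = field(default_factory=list)  # timestamps of recent attempts


def risk_score(tx, hist):
    """Return (score, reasons) for a transaction against the card's profile."""
    score, reasons = 0, []
    last_ok = hist.trusted.get((tx.merchant, tx.ship_to))
    if last_ok is None:
        score += 50
        reasons.append("first use of this retailer/address pair")
    elif tx.ts - last_ok > TRUST_TTL:
        score += 50
        reasons.append("retailer/address trust older than a year")
    if tx.amount > 5 * hist.typical_amount:
        score += 60
        reasons.append("amount far outside spending profile")
    elif tx.amount > 2 * hist.typical_amount:
        score += 20
        reasons.append("amount above spending profile")
    # Many small attempts in a short window ("quantity over quality").
    recent = [t for t in hist.attempts if timedelta(0) <= tx.ts - t <= VELOCITY_WINDOW]
    if len(recent) >= 3:
        score += 35
        reasons.append(f"{len(recent)} attempts in the last hour")
        if len(recent) >= 5:
            score += 20
    return score, reasons


def decide(tx, hist):
    """Return ('frictionless' | 'challenge', score, reasons); records the attempt either way."""
    score, reasons = risk_score(tx, hist)
    hist.attempts.append(tx.ts)
    outcome = "challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"
    return outcome, score, reasons


def challenge_passed(tx, hist):
    """Customer authenticated (SMS, token, ...): trust this pair for TRUST_TTL."""
    hist.trusted[(tx.merchant, tx.ship_to)] = tx.ts


if __name__ == "__main__":
    hist = CardHistory(typical_amount=40.0)
    challenge_passed(Transaction("Weekly Grocer", 35.0, "home", at(days=-30)), hist)
    for label, tx in [
        ("weekly shop", Transaction("Weekly Grocer", 35.0, "home", at())),
        ("new shop", Transaction("Gadget Shop", 35.0, "home", at(hours=1))),
        ("big ticket", Transaction("Weekly Grocer", 5000.0, "home", at(days=2))),
    ]:
        print(label, *decide(tx, hist))
```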

  35. Graham Triggs

    NO NO NO!

    Come on, please. Do NOT do this.

    I absolutely do not want a system that depends on sending a text message to a mobile.

    1) What happens if I lose my mobile / it runs out of juice when I need to make a purchase? (Like, maybe, a replacement mobile)

    2) I do not get any mobile signal in my office. At all.

    3) What happens when we are mugged and the crooks take our card *and* phone?

    If they have a token generating app that can work offline (or just via a data connection), and/or multiple ways of validating, that may be ok. But sending to the registered mobile is a massive, massive no no.


Biting the hand that feeds IT © 1998–2019