The pointlessness of Verified by Visa
Posted on 9 Apr 2010 at 11:29
Mark Newton wonders why online security hasn't progressed any further than Verified by Visa
Indulge me while I make an observation about the “Verified by Visa” authentication system. That’s the credit card security trick whereby you enter your card details on a shopping site – or on its internet payment provider’s page – and a second window, branded Visa or MasterCard, pops up and asks you for a username and password before the payment is authorised.
The weakness of this system, as I see it, shows itself when you forget your password: the only option offered is to reset it there and then, rather than to have a reminder or reset link emailed to you.
The screen that lets you set a new password asks several security questions, all but one of which can be answered from the card details themselves (details you must already have in hand to have got this far on the vendor’s site).
The final question is your date of birth, but a quick look at a site such as Facebook, or at one of the many family tree websites (where a helpful relative may have entered your date of birth for completeness), will often reveal it. It makes you wonder who comes up with these “security” measures, and whether they’ve ever actually used the internet.
The more usual system of email validation at least means there’s a good chance the person requesting the change of password is the person who originally registered the card with Verified by Visa. The alternative trick of asking for a user-defined secret question and answer, which should be known only by the card-holder, is also much stronger.
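To make the contrast concrete, here is an added example (not Visa's, MasterCard's or any issuer's code) of the two reset designs the column compares: a knowledge-based reset whose "secrets" are the card details plus date of birth, beside an emailed single-use token with an expiry and a user-chosen secret answer stored only as a salted hash. The `Card`, `ResetStore` and function names are assumptions made for the illustration, and the constructed card data in the comments is fake.

```python
"""Password-reset flows for a card-authentication service.

Added example, not the code of any card scheme or issuer. Shows the weak
knowledge-based reset beside an out-of-band token flow and a user-chosen
secret answer kept only as a salted hash.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60   # reset tokens live 15 minutes (assumed policy)
PBKDF2_ROUNDS = 100_000


@dataclass
class Card:
    pan: str      # card number, printed on the card
    expiry: str   # MM/YY, printed on the card
    cvv2: str     # three digits on the back, printed on the card
    dob: str      # YYYY-MM-DD, frequently findable online


def kba_reset_allowed(stored: Card, pan: str, expiry: str, cvv2: str, dob: str) -> bool:
    """Knowledge-based reset as the column describes it: three of the four
    answers are on the card, so anyone who reached the checkout has them;
    only the date of birth is not, and that is often public."""
    return (pan, expiry, cvv2, dob) == (stored.pan, stored.expiry, stored.cvv2, stored.dob)


@dataclass
class ResetStore:
    """Server-side state. Only hashes of tokens and answers are stored."""
    pending: dict = field(default_factory=dict)   # sha256(token) -> (username, expires_at)
    answers: dict = field(default_factory=dict)   # username -> (salt, pbkdf2 digest)


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def issue_reset_token(store: ResetStore, username: str, now: float = None) -> str:
    """Mint a random single-use token and return the plaintext to be emailed
    to the address on file. The server keeps only its hash, so a database
    leak does not hand out live reset links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    store.pending[_sha256(token.encode())] = (username, now + TOKEN_TTL)
    return token


def redeem_reset_token(store: ResetStore, token: str, now: float = None):
    """Return the username if the token is valid, else None. A matching token
    is removed on first presentation, so it cannot be replayed; an expired
    one is removed and rejected. Looking up by hash of a 256-bit random value
    leaks nothing useful through timing."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_sha256(token.encode()), None)
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None


def _normalise(answer: str) -> bytes:
    # Case and whitespace differences should not lock the genuine holder out.
    return " ".join(answer.strip().lower().split()).encode()


def enrol_secret_answer(store: ResetStore, username: str, answer: str) -> None:
    """Store the user-chosen answer as salt + PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(answer), salt, PBKDF2_ROUNDS)
    store.answers[username] = (salt, digest)


def check_secret_answer(store: ResetStore, username: str, answer: str) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    record = store.answers.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", _normalise(answer), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    store = ResetStore()
    link = issue_reset_token(store, "alice")
    print("emailed token:", link)
    print("first redemption:", redeem_reset_token(store, link))
    print("replay:", redeem_reset_token(store, link))
```

The point of the design is that the token is something only the mailbox owner receives, and the secret answer is something only the cardholder chose; neither is derivable from the card or from a genealogy site. Rate limiting of answer attempts, not shown, belongs in front of `check_secret_answer`.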
I know that credit card companies are currently working on smart cards that generate a one-time passkey on a display built into the card, much like the calculator-style devices that some banks issue to provide extra security for their online banking system.
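For readers who want to see what such a display card actually computes, the following added example (not the code of any card scheme, issuer or token vendor) implements the HMAC-based one-time password of RFC 4226, the standard behind counter-based tokens, together with the server-side verifier that tolerates a few unused button presses while refusing replays. The time-based variant of RFC 6238 is included as the one-line change it is. The `HotpVerifier` class and its window size are assumptions for the illustration; the 20-byte secret is the RFC's own test secret, not a real key.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords.

Added example, not the code of any card scheme or issuer. The card (or
calculator-style token) runs hotp() with a per-card secret and a counter
it increments on every button press; the issuer runs HotpVerifier.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"). Not a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA-1 over the 8-byte big-endian counter, RFC 4226 dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Issuer side for one card. Remembers the next expected counter and
    accepts any of the next `window` values, so presses that never reached
    the server do not desynchronise the card. A counter at or below the last
    accepted one is never accepted, so a shoulder-surfed code cannot be
    replayed, and comparison is constant-time."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0    # next counter the server will accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # resynchronise past the accepted value
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"press {c}: {hotp(RFC_SECRET, c)}")
    v = HotpVerifier(RFC_SECRET)
    code = hotp(RFC_SECRET, 0)
    print("accept", v.verify(code), "replay", v.verify(code))
```

A code read off such a display is worth nothing to a phisher once it has been used, which is the property neither a static VbV password nor a date of birth can offer. The look-ahead window is a trade-off: a larger one survives more idle presses but gives a guesser more valid codes per attempt, so it should be paired with a strict attempt limit.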
I remember writing many years ago in PC Pro about Amex’s trial of credit card swipe readers, but nothing came of that. Apart from the extra three numbers on the back of your credit card (the CVV2 code) and the look-up of the card-holder’s address, very little has changed in the security of our online transactions since, and we’re still awaiting a better solution.
To me there's something fundamentally incorrect about the whole VbV system: a third party is asking you to enter information about your bank, because what you've seen on a screen has your bank's logo on it. Is there really such a broad line between that and phishing? To align this with what Mark's said, not only is it possible to trace much of the information through Facebook, family tree sites etc., but also, this way, it's possible to get ever more information from an unsuspecting user.
It all adds up to this: why should I trust VbV?
By stu531 on 9 Apr 2010
Actually it's your bank that prompts you for your password through the merchant website and not a 3rd party.
I've never had a problem with it. I did reset my password once and I was prompted with a security question that I set up when I signed up, so it's something only I would know. So it most likely comes down to your bank and how they offer it. I have another card that's enrolled in VbV and I get texted a one time password when I get prompted with the screen during checkout.
By pcguy on 9 Apr 2010
The third party is the online store. Point being, how do you know that, if you were being asked for your DoB or password, that it's a genuine bank? I get asked for my password, not a security question I devised - so I never really know.
By stu531 on 9 Apr 2010
I originally looked into this and the merchant has no visibility into what's occurring between you and your bank, much in the same way you can use your PayPal account with merchants online. They're redirecting you to your bank in the same way they'd redirect you to PayPal/Google Checkout etc.
And I know that it's my bank I'm dealing with because when I'm putting in my password I see the personal message I created when I signed up.
I was only prompted with my security question when I tried to reset my password, so it doesn't happen every time I go through the program.
By pcguy on 9 Apr 2010
The solution is simple: as soon as a vendor requires me to Verify my Visa, or its MasterCard equivalent, I stop, give up and find another vendor that accepts PayPal/Google.
By snellgrc on 9 Apr 2010
family tree sites
I believe that, in general, family tree websites obscure the personal details of people likely to still be alive, unless you have the permission of the tree owner to view them.
By Sarcen on 9 Apr 2010
Family tree programs and 'mother's maiden name'
The 7 family tree programs I know about do give the option of hiding the personal details of the living but it has to be selected and often is deliberately not selected.
As to that 'mother's maiden name' question: who said the answer you give your bank has to be the truth?
By Jaydax on 12 Apr 2010
Every time the popup window appears from VbV it has the details already filled in for me, as my browser has so kindly remembered them, so a simple click on Next and away we go. Even my 10-year-old daughter can buy things with my credit card; it's sooo easy :)
By baileytech on 12 Apr 2010
I agree with the suggestion that it would be very easy to spoof VbV screens; there appears to be no standard delivery of the content, and I'm not even sure they always show their own padlock and SSL certificates? Very weak.
On the plus side for VbV I know for sure one of my Card companies uses the VbV system to put time locks and trader locks on certain transactions.
I noticed this a few times because I like to shop online for electronics late at night and found that my card company was blocking this behaviour with particular websites, due to high volumes of late-night, or presumably out-of-GMT-timezone, requests.
I was prompted via the VbV page to call customer service to confirm further details before completing the transaction, so the card issuer could verify me by phone and remove the block interactively.
*One last thought. How many of us, when telephoned by banks, reverse the bank's data protection procedures and actually interrogate the bank to make them prove who they are? After all, it could be anyone calling you from that anonymous call centre somewhere on planet Earth.
By Gindylow on 13 Apr 2010
Gindylow: Tried that one: The man at the other end said that was fine and gave me a phone number to call him on.
At least it got rid of them trying to sell me insurance.
By bubbles16 on 13 Apr 2010
What's a Victorial railway? If Victorian, how do you work from it? Some sort of train? Do you hand over your copy at stations or is some of that new-fangled wireless telegraphy involved? I can't believe no one's spotted that one so far.
I'm not too concerned about VbV. It seems better than the old system without it. I've been waiting for these cards with RSA-type number displays to arrive for some time now.
There are at least five other people with my real name on LinkedIn, none of whom are me, most of whom look like richer "marks" than me, and I have a local doppelganger with a much higher public profile than me. Good luck in trying to find my DOB when I don't use Facebook or any genealogy sites.
(thinks, how many websites do I give my DOB to in order to gain a user ID, such as for example, PCPro? How secure is this? Where does the paranoia stop?)
By christ1an on 14 Apr 2010
As a merchant the biggest problem with VbV is people forgetting yet another password!
VbV does give chargeback protection to merchants - so very important to me as a merchant.
I think it's a good idea if they could improve the password reminder/changing side of it.
By cyberindie on 4 May 2010
How you know it's NOT phishing
When you set up VbV, you're asked to give the account a unique name, which appears on the VbV security window, so you KNOW it's come directly from your bank, and not a phishing site which would have the bank logo but not your account's unique name - if you're daft enough to call it 'Visa Card' though, it's not going to help much...
By stephenjfa on 14 May 2010