The pointlessness of Verified by Visa
Posted on 9 Apr 2010 at 11:29
Mark Newton wonders why online security hasn't progressed any further than Verified by Visa
Indulge me while I make an observation about the “Verified by Visa” authentication system. That’s the credit card security trick whereby you enter your credit card information to a shopping site – or to its internet payment provider – and another window pops up from Visa or MasterCard that asks you for a username and password before payment is authorised.
The weakness of this system, as I see it, comes should you forget your password, because it shows only an option to change it, rather than one to have a password reminder emailed directly to you.
The screen that enables you to set a new password asks several security questions, all but one of which can be answered if you have the card details (details that you must certainly know to have got this far on the vendor’s site).
The final question is your date of birth, but a quick peek at a site such as Facebook or one of many family tree websites (where some helpful member of your family may have entered your date of birth for completeness) will often reveal this. It makes you wonder who comes up with these “security” measures, and whether they’ve ever actually used the internet.
The more usual system of email validation at least means there’s a good chance the person requesting the change of password is the person who originally registered the card with Verified by Visa. The alternative trick of asking for a user-defined secret question and answer, which should be known only by the card-holder, is also much stronger.
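As an added illustration (not part of the original column, and not Visa's or any issuer's code), the Python below contrasts the reset check described above with an emailed single-use token. The field names, the sample record and the 15-minute token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record; field names are assumptions for illustration.
CARDHOLDER = {"pan": "4000000000000002", "expiry": "12/12", "cvv": "123",
              "dob": "1970-01-31", "email": "holder@example.test"}


def knowledge_reset(answers):
    """Reset check as the column describes it: card details plus date of birth."""
    return all(
        hmac.compare_digest(str(answers.get(k, "")).encode(), CARDHOLDER[k].encode())
        for k in ("pan", "expiry", "cvv", "dob"))


class EmailReset:
    """Out-of-band reset: single-use, expiring token sent to the registered mailbox."""
    TTL = 900  # seconds; assumed token lifetime

    def __init__(self):
        self._pending = {}  # pan -> (SHA-256 of token, expiry time)
        self.outbox = []    # stands in for the mail system: (address, token)

    def request(self, pan, now=None):
        now = time.time() if now is None else now
        if pan != CARDHOLDER["pan"]:
            return  # unknown card: send nothing, reveal nothing
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[pan] = (digest, now + self.TTL)  # only the hash is stored
        self.outbox.append((CARDHOLDER["email"], token))

    def confirm(self, pan, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(pan, None)  # consumed on any attempt: one guess
        if entry is None:
            return False
        digest, expires = entry
        match = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest)
        return match and now <= expires


def card_details_only():
    """Everything printed on the card plus a publicly findable date of birth."""
    return {k: CARDHOLDER[k] for k in ("pan", "expiry", "cvv", "dob")}
```

`knowledge_reset(card_details_only())` returns True, whereas `EmailReset.confirm` succeeds only with the token that reached the registered mailbox.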
I know that credit card companies are currently working on smart cards that generate a one-time passkey on a display built into the card, much like the calculator-style devices that some banks issue to provide extra security for their online banking system.
I remember writing many years ago in PC Pro about Amex’s trial of credit card swipe readers, but nothing came of that. Apart from the extra three numbers on the back of your credit card and look-up of the card-holder’s address, very little has changed in the security of our online transactions since and we’re still awaiting a better solution.
To me there's something fundamentally incorrect about the whole VbV system: a third party is asking you to enter information about your bank, because what you've seen on a screen has your bank's logo on it. Is there really such a broad line between that and phishing? To align this with what Mark's said, not only is it possible to trace much of the information through Facebook, family tree sites etc, but also that this way it's possible to get ever more information from an unsuspecting user.
It all adds up to this: why should I trust VbV?
By stu531 on 9 Apr 2010
Actually it's your bank that prompts you for your password through the merchant website and not a 3rd party.
I've never had a problem with it. I did reset my password once and I was prompted with a security question that I set up when I signed up, so it's something only I would know. So it most likely comes down to your bank and how they offer it. I have another card that's enrolled in VbV and I get texted a one time password when I get prompted with the screen during checkout.
By pcguy on 9 Apr 2010
The third party is the online store. Point being, how do you know that, if you were being asked for your DoB or password, that it's a genuine bank? I get asked for my password, not a security question I devised - so I never really know.
By stu531 on 9 Apr 2010
I originally looked into this and the merchant has no visibility into what's occurring between you and your bank much in the same way you can use your PayPal account with merchants online. They're redirecting you to your bank in the same way they'd redirect you to PayPal/Google Checkout etc.
And I know that it's my bank I'm dealing with because when I'm putting in my password I see the personal message I created when I signed up.
I was only prompted with my security question when I tried to reset my password. So it doesn't happen every time I go through the program.
By pcguy on 9 Apr 2010
The solution is simple - as soon as a vendor requires me to Verify my Visa or its Mastercard equivalent I stop and give up and find another vendor that accepts PayPal/Google
By snellgrc on 9 Apr 2010
family tree sites
I believe that in general, family tree web sites obscure personal details of people likely to still be alive, unless you have permission of the tree owner to view them.
By Sarcen on 9 Apr 2010
Family tree programs and 'mother's maiden name'
The 7 family tree programs I know about do give the option of hiding the personal details of the living but it has to be selected and often is deliberately not selected.
As to that 'mother's maiden name' question - who said you had to provide an answer to your bank which is the truth?
By Jaydax on 12 Apr 2010
Every time the popup window appears from VbV it has the details already filled in for me, as my browser has so kindly remembered them for me, so a simple click on next and away we go, even my 10 year old daughter can buy things with my credit card, it's sooo easy :)
By baileytech on 12 Apr 2010
Thoughts
I agree with the suggestion that it would be very easy to spoof VbV screens, there appears to be no standard delivery of the content, and I'm not even sure they always show their own Padlock and SSL certificates? Very weak.
On the plus side for VbV I know for sure one of my Card companies uses the VbV system to put time locks and trader locks on certain transactions.
I noticed this a few times because I like to shop online for electronics late at night and found that my Card company was blocking this behaviour with particular websites due to high volumes of Late night, or presumably out of GMT timezone requests.
I was prompted using the VbV page to call customer service to confirm further details before completing the transaction, thus the card issuer could verify me by phone and remove the block interactively.
*One last thought. How many of us when telephoned by Banks reverse the bank's Data protection procedures and actually interrogate the bank to let them prove who they are? After all it could be anyone calling you from that anonymous call centre somewhere on planet Earth.
By Gindylow on 13 Apr 2010
Gindylow: Tried that one: The man at the other end said that was fine and gave me a phone number to call him on.
At least it got rid of them trying to sell me insurance.
By bubbles16 on 13 Apr 2010
Genealogy?
What's a Victorial railway? If Victorian, how do you work from it? Some sort of train? Do you hand over your copy at stations or is some of that new-fangled wireless telegraphy involved? I can't believe no one's spotted that one so far.
I'm not too concerned about VbV. It seems better than the old system without it. I've been waiting for these cards with RSA-type number displays to arrive for some time now.
There are at least five other people with my real name on LinkedIn, none of whom are me, most of whom look like richer "marks" than me, and I have a local doppelganger with a much higher public profile than me. Good luck in trying to find my DOB when I don't use Facebook or any genealogy sites.
(thinks, how many websites do I give my DOB to in order to gain a user ID, such as for example, PCPro? How secure is this? Where does the paranoia stop?)
By christ1an on 14 Apr 2010
As a merchant the biggest problem with VbV is people forgetting yet another password!
VbV does give chargeback protection to merchants - so very important to me as a merchant.
I think it's a good idea if they could improve the password reminder/changing side of it.
By cyberindie on 4 May 2010
How you know it's NOT phishing
When you set up VbV, you're asked to give the account a unique name, which appears on the VbV security window, so you KNOW it's come directly from your bank, and not a phishing site which would have the bank logo but not your account's unique name - if you're daft enough to call it 'Visa Card' though, it's not going to help much...
By stephenjfa on 14 May 2010
Mark Newton
Mark is a contributing editor to PC Pro and managing director of the internet company ECats Ltd (Electronic CATalogueS). He specialises in internet-based solutions, often working with design houses. He works from a Victorial railway in deepest Suffolk.

