The pointlessness of Verified by Visa
Posted on 9 Apr 2010 at 11:29
Mark Newton wonders why online security hasn't progressed any further than Verified by Visa
Indulge me while I make an observation about the “Verified by Visa” authentication system. That’s the credit card security trick whereby you enter your credit card information to a shopping site – or to its internet payment provider – and another window pops up from Visa or MasterCard that asks you for a username and password before payment is authorised.
The weakness of this system, as I see it, comes should you forget your password, because it shows only an option to change it, rather than one to have a password reminder emailed directly to you.
The screen that enables you to set a new password asks several security questions, all but one of which can be answered if you have the card details (details that you must certainly know to have got this far on the vendor’s site).
The final question is your date of birth, but a quick peek at a site such as Facebook or one of many family tree websites (where some helpful member of your family may have entered your date of birth for completeness) will often reveal this. It makes you wonder who comes up with these “security” measures, and whether they’ve ever actually used the internet.
It makes you wonder who comes up with these security measures, and whether they’ve ever actually used the internet
The more usual system of email validation at least means there’s a good chance the person requesting the change of password is the person who originally registered the card with Verified by Visa. The alternative trick of asking for a user-defined secret question and answer, which should be known only by the card-holder, is also much stronger.
I know that credit card companies are currently working on smart cards that generate a one-time passkey on a display built into the card, much like the calculator-style devices that some banks issue to provide extra security for their online banking system.
I remember writing many years ago in PC Pro about Amex’s trial of credit card swipe readers, but nothing came of that. Apart from the extra three numbers on the back of your credit card and look-up of the card-holder’s address, very little has changed in the security of our online transactions since and we’re still awaiting a better solution.
To me there's something fundamentally incorrect about the whole VbV system: a third party is asking you to enter information about your bank, because what you've seen on a screen has your bank's logo on it. Is there really such a broad line between that and phishing? To align this with what Mark's said, not only is it possible to trace much of the information through Facebook, family tree sites etc, but also that this way it's possible to get ever more information from an unsuspecting user.
It all adds up to this: why should I trust VbV?
By stu531 on 9 Apr 2010
Actually it's your bank that prompts you for your password through the merchant website and not a 3rd party.
I've never had a problem with it. I did reset my password once and I was prompted with a security question that I set up when I signed up, so it's something only I would know. So it most likely comes down to your bank and how they offer it. I have another card that's enrolled in VbV and I get texted a one time password when I get prompted with the screen during checkout.
By pcguy on 9 Apr 2010
The third party is the online store. Point being, how do you know that, if you were being asked for your DoB or password, that it's a genuine bank? I get asked for my password, not a security question I devised - so I never really know.
By stu531 on 9 Apr 2010
I originally looked into this and the merchant has no visibility into what's occurring between you and your bank much in the same way you can use your PayPal account with merchants online. They're redirecting you to your bank in the same way they'd redirect you to PayPal/Google Checkout etc.
And I know that it's my bank I'm dealing with because when I'm putting in my password i see the personal message i created when i signed up.
I was only prompted with my security question when i tried to reset my password. so it doesn't happen every time i go through the program.
By pcguy on 9 Apr 2010
The solution is simple - as soon as a vendor requires me to Verify my Visa or its Mastercard equivilant I stop and give up and find another vendor that accepts PayPal/Google
By snellgrc on 9 Apr 2010
family tree sites
I believe that in general, family tree web site obscure personal details of people likely to still be alive, unless you have permission of the tree owner to veiw them.
By Sarcen on 9 Apr 2010
Family tree programs and 'mothers maiden name'
The 7 family tree programs I know about do give the option of hiding the personal details of the living but it has to be selected and often is deliberately not selected.
As to that 'mothers maiden name' question - who said you had to provide an answer to your bank which is the truth?
By Jaydax on 12 Apr 2010
Everytime the popup windoe appears from VbV it has teh details already filled in for me, as my browser has so kindly remembered them for me, so a simple click on next and away we go, even my 10 year old daughter can buy things with my credit card, it sooo easy :)
By baileytech on 12 Apr 2010
I agree with the suggestion that it would be very easy to spoof VbV screens, there appears to be no standard delivery of the content, and I'm not even sure they always show their own Padlock and SSL certificates? Very weak.
On the plus side for VbV I know for sure one of my Card companies uses the VbV system to put time locks and trader locks on certain transactions.
I noticed this a few times because I like to shop online for electronics late at night and found that my Card comapny was blocking this behaviour with particular websites due to high volumes of Late night, or presumably out of GMT timezone requests.
I was promted using the VbV page to call customer service to confirm further details before completing the transaction, thus the card issuer could verify me by phone and remove the block interavctively.
*one last thought. How many of us when telephoned by Banks reverse the banks Data protection procedures and actually interogate the bank to let them prove who they are? Afterall it could be anyone calling you from that anonymous call centre somewhere on planet Earth.
By Gindylow on 13 Apr 2010
Gindylow: Tried that one: The man at the other end said that was fine and gave me a phone number to call him on.
At least it got rid of them trying to sell me insurance.
By bubbles16 on 13 Apr 2010
What's a Victorial railway? If Victorian, how do you work from it? Some sort of train? Do you hand over your copy at stations or is some of that new-fangled wireless telegraphy involved? I can't believe no one's spotted that one so far.
I'm not too concerned about VbV. It seems better than the old system without it. I've been waiting for these cards with RSA-type number displays to arrive for some time now.
There are at least five other people with my real name on LinkedIn, none of whom are me, most of whom look like richer "marks" than me, and I have a local doppelganger with a much higher public profile than me. Good luck in trying to find my DOB when I don't use Facebook or any genealogy sites.
(thinks, how many websites do I give my DOB to in order to gain a user ID, such as for example, PCPro? How secure is this? Where does the paranoia stop?)
By christ1an on 14 Apr 2010
As a merchant the biggest problem with VbV is people forgetting yet another password!
VbV does give chargeback protection to merchants - so very important to me as a merchant.
I think its a good idea if they could improve the password reminder/changing side of it.
By cyberindie on 4 May 2010
How you know it's NOT phishing
When you set up VbV, you're asked to give the account a unique name, which appears on the VbV security window, so you KNOW it's come directly from your bank, and not a phishing site which would have the bank logo but not your account's unique name - if you're daft enough to call it 'Visa Card' though, it's not going to help much...
By stephenjfa on 14 May 2010
- Windows Server 2012 R2: how the Datacenter edition could change SMBs
- Invoices and VAT: how to set up your documents correctly
- Nexus 5 vs Samsung Galaxy S4 Active: the best phone for avoiding screen burn
- How much is a social user worth?
- The key to choosing a secure password
- Thunderbolt Bridge: a fast Mac migration tool
- Should you advertise on Twitter?
- How to track a lost smartphone
- Self-publishing success: the best way to sell your book
- 1.6TB SSD: why would you need one?
- Move over Delia: IBM Watson is cooking tonight
- Eric Schmidt on the double-edged smartphone: friend and foe
- Getty joins the race to the bottom
- Hour of Code: five steps to learn how to code
- Sony Xperia Z2 Tablet review: first look
- Sony Xperia Z2 review: first look
- Samsung Galaxy Gear 2 review: first look
- Nokia XL review: first look
- Samsung Galaxy S5 review: first look
- Nokia X review: first look
- IDC: iPad intertia opens door for Windows tablets
- Office 365 goes social with "Oslo" news feed
- Windows XP: upgrading 30,000 PCs in 30 days
- LibreOffice: ignore Microsoft's "nonsense" on government's open source plans
- Intel Xeon E7 v2 servers support 6TB of RAM
- Microsoft promises video calls between Skype and Lync
- Office for iPad due before July
- Windows 7 on business PCs gets an extension
- Windows apps land on Chromebooks with VMware
- Office 365 gets two-factor authentication