
The pointlessness of Verified by Visa

Posted on 9 Apr 2010 at 11:29

Mark Newton wonders why online security hasn't progressed any further than Verified by Visa

Indulge me while I make an observation about the “Verified by Visa” authentication system. That’s the credit card security trick whereby you enter your credit card information into a shopping site – or into its internet payment provider – and another window pops up from Visa or MasterCard asking you for a username and password before the payment is authorised.

The weakness of this system, as I see it, shows itself should you forget your password: the only option offered is to change it, rather than to have a password reminder emailed directly to you.

The screen that enables you to set a new password asks several security questions, all but one of which can be answered if you have the card details (details that you must certainly know to have got this far on the vendor’s site).

The final question is your date of birth, but a quick peek at a site such as Facebook or one of many family tree websites (where some helpful member of your family may have entered your date of birth for completeness) will often reveal this. It makes you wonder who comes up with these “security” measures, and whether they’ve ever actually used the internet.

The more usual system of email validation at least means there’s a good chance the person requesting the change of password is the person who originally registered the card with Verified by Visa. The alternative trick of asking for a user-defined secret question and answer, which should be known only by the card-holder, is also much stronger.
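To make concrete why the email route is stronger than the reset described above, here is an added example (not code from the article, Visa or any card issuer) of a reset flow in which the only credential that unlocks a password change is a random, single-use, time-limited token sent to the registered address. Everything an attacker holding the card already knows (card number, expiry, CVV, even the date of birth) plays no part in the check. The token store, account id and 15-minute lifetime are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Lifetime of a reset token in seconds (assumed value for the example).
RESET_TOKEN_TTL = 15 * 60


class ResetTokenStore:
    """Server-side record of outstanding password-reset tokens.

    Only the SHA-256 of each token is kept, so a leaked copy of this store
    does not yield tokens that could be presented to the reset page.
    """

    def __init__(self):
        # account_id -> (sha256 hex of token, expiry timestamp)
        self._pending = {}

    def issue(self, account_id: str, now: float) -> str:
        """Create a fresh 256-bit token; the return value is what goes in
        the e-mail link and is never stored in clear."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[account_id] = (token_hash, now + RESET_TOKEN_TTL)
        return token

    def redeem(self, account_id: str, presented: str, now: float) -> bool:
        """Accept a token once, within its lifetime, in constant time."""
        record = self._pending.get(account_id)
        if record is None:
            return False
        token_hash, expires_at = record
        if now > expires_at:
            # Expired tokens are discarded so they cannot be retried later.
            del self._pending[account_id]
            return False
        presented_hash = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented_hash):
            return False
        # Single use: the record is removed as soon as it is accepted.
        del self._pending[account_id]
        return True


def demo() -> dict:
    """Walk through the flow with a constructed account and fixed clock."""
    store = ResetTokenStore()
    t0 = 1_000_000.0  # constructed "now" for reproducibility

    token = store.issue("acct-demo", t0)
    results = {
        # Someone who has only card details (no e-mail access) cannot guess it.
        "guess_rejected": store.redeem("acct-demo", "0000-card-details", t0 + 10),
        "first_use_ok": store.redeem("acct-demo", token, t0 + 60),
        # The same link presented again is refused.
        "replay_rejected": store.redeem("acct-demo", token, t0 + 61),
    }

    # A token left unused past its lifetime is also refused.
    stale = store.issue("acct-demo", t0)
    results["expired_rejected"] = store.redeem(
        "acct-demo", stale, t0 + RESET_TOKEN_TTL + 1
    )
    # Each issue produces an independent token.
    results["tokens_differ"] = token != stale
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that possession of the card contributes nothing to the reset; the attacker would need the victim's mailbox as well, which is the "good chance" the article refers to.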

I know that credit card companies are currently working on smart cards that generate a one-time passkey on a display built into the card, much like the calculator-style devices that some banks issue to provide extra security for their online banking system.
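The display-on-card and calculator-style bank devices mentioned above are event-based one-time password generators, and the RFC 4226 HOTP algorithm is the standard way to build one. The following is an added worked example, not code from the article or any issuer, of both sides of that exchange: the token derives a six-digit code from a shared secret and a press counter, and the issuer verifies it with a small look-ahead window so that a few unused presses do not lock the customer out, while a code that has already been accepted is refused. The shared secret is the RFC 4226 test key; the window size is an assumption of the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


class CardToken:
    """The customer's side: a card (or key-fob) holding the secret and a
    counter that advances on every button press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class IssuerVerifier:
    """The bank's side: holds the same secret and the next counter value it
    expects. Accepts codes up to `look_ahead` presses ahead and resyncs."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # assumed window size

    def verify(self, presented: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), presented):
                # Move past the accepted counter so the code cannot be replayed.
                self.next_counter = c + 1
                return True
        return False


def demo() -> dict:
    """Run the exchange with the RFC 4226 test secret."""
    secret = b"12345678901234567890"
    card, issuer = CardToken(secret), IssuerVerifier(secret)

    first = card.press()                      # counter 0 -> "755224"
    results = {"first_accepted": issuer.verify(first)}
    results["replay_rejected"] = issuer.verify(first)

    # Customer presses twice before typing; only the last code is entered.
    card.press()                              # counter 1, never submitted
    results["skipped_press_ok"] = issuer.verify(card.press())   # counter 2

    # Far outside the window: ten unused presses, then submit.
    for _ in range(9):
        card.press()                          # counters 3..11
    results["beyond_window_rejected"] = issuer.verify(card.press())  # counter 12
    return results


if __name__ == "__main__":
    print(demo())
```

A card like this defeats the reset weakness the article describes only if the code is required at the point of payment; the issuer still has to decide what happens when the customer loses the card itself.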

I remember writing many years ago in PC Pro about Amex’s trial of credit card swipe readers, but nothing came of that. Apart from the extra three numbers on the back of your credit card and look-up of the card-holder’s address, very little has changed in the security of our online transactions since and we’re still awaiting a better solution.

User comments

To me there's something fundamentally incorrect about the whole VbV system: a third party is asking you to enter information about your bank, because what you've seen on a screen has your bank's logo on it. Is there really such a broad line between that and phishing? To align this with what Mark's said, not only is it possible to trace much of the information through Facebook, family tree sites etc., but also in this way it's possible to get ever more information from an unsuspecting user.

It all adds up to this: why should I trust VbV?

By stu531 on 9 Apr 2010

Actually it's your bank that prompts you for your password through the merchant website and not a 3rd party.

I've never had a problem with it. I did reset my password once and I was prompted with a security question that I set up when I signed up, so it's something only I would know. So it most likely comes down to your bank and how they offer it. I have another card that's enrolled in VbV and I get texted a one time password when I get prompted with the screen during checkout.

By pcguy on 9 Apr 2010

The third party is the online store. Point being, how do you know that, if you were being asked for your DoB or password, that it's a genuine bank? I get asked for my password, not a security question I devised - so I never really know.

By stu531 on 9 Apr 2010

I originally looked into this and the merchant has no visibility into what's occurring between you and your bank much in the same way you can use your PayPal account with merchants online. They're redirecting you to your bank in the same way they'd redirect you to PayPal/Google Checkout etc.

And I know that it's my bank I'm dealing with because when I'm putting in my password I see the personal message I created when I signed up.

I was only prompted with my security question when I tried to reset my password, so it doesn't happen every time I go through the program.

By pcguy on 9 Apr 2010

The solution is simple - as soon as a vendor requires me to Verify my Visa or its Mastercard equivalent I stop, give up and find another vendor that accepts PayPal/Google.

By snellgrc on 9 Apr 2010

family tree sites

I believe that in general, family tree websites obscure personal details of people likely to still be alive, unless you have permission of the tree owner to view them.

By Sarcen on 9 Apr 2010

Family tree programs and 'mother's maiden name'

The 7 family tree programs I know about do give the option of hiding the personal details of the living, but it has to be selected and often is deliberately not selected.

As to that 'mother's maiden name' question - who said you had to provide an answer to your bank which is the truth?

By Jaydax on 12 Apr 2010

Every time the popup window appears from VbV it has the details already filled in for me, as my browser has so kindly remembered them for me, so a simple click on next and away we go; even my 10 year old daughter can buy things with my credit card, it's sooo easy :)

By baileytech on 12 Apr 2010

Thoughts

I agree with the suggestion that it would be very easy to spoof VbV screens, there appears to be no standard delivery of the content, and I'm not even sure they always show their own Padlock and SSL certificates? Very weak.

On the plus side for VbV I know for sure one of my Card companies uses the VbV system to put time locks and trader locks on certain transactions.

I noticed this a few times because I like to shop online for electronics late at night and found that my Card company was blocking this behaviour with particular websites due to high volumes of late night, or presumably out of GMT timezone, requests.

I was prompted using the VbV page to call customer service to confirm further details before completing the transaction, thus the card issuer could verify me by phone and remove the block interactively.

*One last thought. How many of us, when telephoned by Banks, reverse the bank's Data protection procedures and actually interrogate the bank to let them prove who they are? After all, it could be anyone calling you from that anonymous call centre somewhere on planet Earth.

By Gindylow on 13 Apr 2010

Gindylow: Tried that one: The man at the other end said that was fine and gave me a phone number to call him on.

At least it got rid of them trying to sell me insurance.

By bubbles16 on 13 Apr 2010

Genealogy?

What's a Victorial railway? If Victorian, how do you work from it? Some sort of train? Do you hand over your copy at stations or is some of that new-fangled wireless telegraphy involved? I can't believe no one's spotted that one so far.

I'm not too concerned about VbV. It seems better than the old system without it. I've been waiting for these cards with RSA-type number displays to arrive for some time now.

There are at least five other people with my real name on LinkedIn, none of whom are me, most of whom look like richer "marks" than me, and I have a local doppelganger with a much higher public profile than me. Good luck in trying to find my DOB when I don't use Facebook or any genealogy sites.

(thinks, how many websites do I give my DOB to in order to gain a user ID, such as for example, PCPro? How secure is this? Where does the paranoia stop?)

By christ1an on 14 Apr 2010

As a merchant the biggest problem with VbV is people forgetting yet another password!

VbV does give chargeback protection to merchants - so very important to me as a merchant.

I think it's a good idea if they could improve the password reminder/changing side of it.

By cyberindie on 4 May 2010

How you know it's NOT phishing

When you set up VbV, you're asked to give the account a unique name, which appears on the VbV security window, so you KNOW it's come directly from your bank, and not a phishing site which would have the bank logo but not your account's unique name - if you're daft enough to call it 'Visa Card' though, it's not going to help much...

By stephenjfa on 14 May 2010

Mark Newton

Mark is a contributing editor to PC Pro and managing director of the internet company ECats Ltd (Electronic CATalogueS). He specialises in internet-based solutions, often working with design houses. He works from a Victorial railway in deepest Suffolk.


PCPro-Computing in the Real World Printed from www.pcpro.co.uk