The pointlessness of Verified by Visa

9 Apr 2010
Mark Newton wonders why online security hasn't progressed any further than Verified by Visa

Indulge me while I make an observation about the “Verified by Visa” authentication system. That’s the credit card security trick whereby you enter your credit card information into a shopping site – or into its internet payment provider – and another window pops up from Visa or MasterCard that asks you for a username and password before payment is authorised.

The weakness of this system, as I see it, appears when you forget your password, because it shows only an option to change the password, rather than one to have a password reminder emailed directly to you.

The screen that enables you to set a new password asks several security questions, all but one of which can be answered if you have the card details (details that you must certainly know to have got this far on the vendor’s site).

The final question is your date of birth, but a quick peek at a site such as Facebook or one of many family tree websites (where some helpful member of your family may have entered your date of birth for completeness) will often reveal this. It makes you wonder who comes up with these “security” measures, and whether they’ve ever actually used the internet.

The more usual system of email validation at least means there’s a good chance the person requesting the change of password is the person who originally registered the card with Verified by Visa. The alternative trick of asking for a user-defined secret question and answer, which should be known only by the card-holder, is also much stronger.

I know that credit card companies are currently working on smart cards that generate a one-time passkey on a display built into the card, much like the calculator-style devices that some banks issue to provide extra security for their online banking system.

I remember writing many years ago in PC Pro about Amex’s trial of credit card swipe readers, but nothing came of that. Apart from the extra three numbers on the back of your credit card and look-up of the card-holder’s address, very little has changed in the security of our online transactions since, and we’re still awaiting a better solution.