Feeds

Merchants and punters cry foul over Verified by Visa

Resistance is futile

Choosing a cloud hosting partner with confidence

The Verified by Visa system is becoming harder to avoid, even for those with real doubts about its effectiveness in combating fraud.

The experiences of Verified by Visa refusenik and Reg reader Steve reported in our earlier article on the system are being experienced by more and more Register readers.

Both Verified by Visa (VbyV) and MasterCard's equivalent SecureCode service are marketed as offering extra security checks to online purchases. Importantly, the schemes also transfer liability for bogus transactions away from merchants who use the system back towards banks (and perhaps ordinary e-commerce punters).

Online shoppers who buy goods and service with participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank.

Punters aren't informed up front that a merchant has signed up to Verified by Visa. Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine.

The appearance of phishing attacks hunting for Verified by Visa passwords are among the reasons some punters are wary of the technology.

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

Hole new dimension

The little-publicised mandatory use of the technology by some banks means that those with reservations have an uphill struggle to opt out of the scheme.

We say some banks because Verified by Visa and MasterCard SecureCode are considered to be competitive offerings. Different banks are taking a different approach to introducing and rolling out the technology, banking association APACS told us. That's in contrast to Chip and PIN, where it was clear up front that the technology would become compulsory with PIN codes replacing signatures as the main way of authorising purchases via plastic cards on the high street.

Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme. But unlike robust authentication techniques, hackers don't have a hardware token generating one-time passwords to worry about - it's just more of the same. And since card details + CVV number is no longer considered as secure enough then it's hard to see how card details + CVV number + VbyV login is any more robust.

An anonymous commenter to our original stories agrees:

Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.

Reg Reader Stef backs up these concerns.

They [banks] consider the Verified by Visa to be invulnerable, so any claims that you have been ripped off will fall on deaf ears.

Visa declined to respond to our requests for stats on what percentage of banks have made Verified by Visa compulsory for cardholders, or details of figures on take-up of the technology by merchants. But it did provide a statement summarising the perceived benefits of the technology.

Visa does always recommend best practice when shopping online, such as Verified by Visa, and that cardholders are vigilant when using their card whether it be in traditional or online retailers. Verified by Visa is easy and quick for consumers to sign up to, and we believe most consumers and merchants welcome extra security measures designed to prevent fraud.

According to the latest statistics from banking association APACS late last month, more than 25 million UK-issued credit and debit cards are registered with either Verified by Visa or MasterCard SecureCode, a seven-fold increase over the last two years. Merchants that have signed up for the programme account for one third of the volume of UK e-commerce transactions.

Those unconvinced by arguments are having a harder job making purchases online. Steve, our original source, had problems with MDNA and Egg. Other readers have subsequently reported problems with several other banks that have introduced the scheme as compulsory including Smile, Alliance and Leicester Nationwide (as confirmed here) and First Direct.

Links from the securesuite.co.uk payment processing service website provide a fuller list of users of the technology.

Comments of one anonymous respondent to our original story are typical of those opposed to the scheme...

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.