Feeds

Merchants and punters cry foul over Verified by Visa

Resistance is futile

Securing Web Applications Made Simple and Scalable

There is no doubt that banks are trying to shift away responsibility from themselves to the consumer, all the while claiming that it's for your protection. After all, VbyV and SecureCode mean that YOU are the one holding the credentials, not them. It's Chip-and-Pin for e-Tailers. And we all know how secure Chip-and-Pin is, especially when administered by APACS.

Reg reader Lee Harvey Osmond, who has practical experience in applying the technology, is also critical.

What I know about Verified by Visa (aka 3DSecure, and probably some other names too) comes from having read the manual to support it in a webstore. It appears to me to be a move to a three-factor authentication scheme, where the third factor adds no strength because it is likely to be stolen or leaked or compromised by all the same means a black hat would use to get at the first two. Since the shopper's 'secret' will have been presented, under the terms and conditions, the shopper has no right to repudiate the transaction. Or put another way, this is a way of shifting credit card fraud losses from the banks to the shoppers, and the shoppers get no benefit from this that I can see.

Reg poster Peter Mount explained the merchants have a choice whether or not to allow transactions without additional security checks regardless of how banks have applied the technology.

Having implemented 3DSecure for work, part of the API allows the merchant to decide if they want to continue the transaction if the customer has opted out of being verified. When we get the response back, it tells us if it succeeded, failed or they are not enrolled.

Simply put, if the customer has verified by Visa then the liability is on the bank, but if they are not enrolled and have opted out, the merchant may decide not to accept the liability for that transaction, and decline it themselves.

Some online merchants, such as Reg commenter RoboPope, are opposed to the mandatory introduction of the technology.

From a traders perspective its a nightmare, it costs us sales and the iframe setup is fraught with potential security issues.

we are fighting it but it is definitely not optional.

Fraud victim John Loader is among the minority of correspondents who reckon Verified by Visa and similar scheme will help prevent fraud.

Having been ripped off 3 times by on-line fraud I applaud the verified by Visa process - in fact I pestered my bank to introduce it. Anything that makes it safer to buy online must be a bonus. And site owners want it to protect themselves as they have had to carry the cost of fraud and hence had to reflect that cost in their prices.

I haven't seen any adverse security issues with the scheme anywhere. Why the resistance?

However, one anonymous correspondent claims to have become a victim of fraud after responding to a request to enroll onto MasterCard's SecureCode scheme. It seems likely that our source was either duped by a phishing scam or redirected to a fake site by some other form of hacker trickery, such as poisoned DNS caches or Trojan contamination.

I have been "directed" to Securecode once in making a standing purchase on-line at a site I knew well. I duly entered the required details. Two hours later HSBC were ringing me up asking if I was using my card to withdraw cash in Thailand.

Do I think this is a secure method? I rang them up and canceled my Securecode and password entry.

UK security firm GrIDsure is working on a more secure alternative to 3DSecure, its chairman Jonathan Craymer reports.

One of the main problems with 3D-Secure seems to be that there's only a fixed password used, albeit sometimes displayed incrementally (3rd, 5th and 78th letter for instance). We have been working on a 3D-Secure Plus system, using one-time codes created by our GrIDsure technology.

The user sets up a new-style 'secret' held on a remote database in place of a password. This 'secret' consists of a number of squares chosen on a grid. At authentication time, the grid fills up with random numbers, and the user simply has to 'read off' the random numbers in his/her chosen squares to create a new, one-time code. Far more secure, easier to use (no fixed string or recall, so far harder to phish - though phishing will never be completely defeated). However one other major benefit is that the same challenge-response could also reside on the card's chip - meaning that ONE system could serve in all purchasing scenarios, and Chip & PIN would no longer be necessary. The user would do a 3D-Secure Plus authentication over the counter (from the chip) and would use the remote database for online or phone/mail order.

Loius blames Visa and Mastercard - rather than banks - for pushing the introduction of the technology.

The reason VbV is being increasingly foisted upon the public in a mandatory way is because the banks have targets to meet which they're forced to comply with.

It's not necessarily something the banks want to implement, and doesn't necessarily offer them any benefits, but Visa and Mastercard have decided what they want to do, and the banks have to jump...

Smaller merchants are able to get away with not implementing VbV because they fall under the banks transaction-volume radar. Larger merchants with larger transaction volumes will be pressured into implementing VbV.

As time passes, no doubt all merchants will be cajoled into implementing VbV as the banks' targets are increased.

James Pickett compares Verified by Visa to Microsoft's anti-piracy technology.

Sounds like the banks' version of WGA, i.e. ostensibly of benefit to you (dear valued customer) to really only of benefit to them, so they can wriggle out of claims for fraud. Which isn't possible now, of course.

Both Microsoft's Windows Genuine Advantage and schemes for more secure online transactions, such as Verified by Visa, are touted as offering benefits for legitimate punters. The merits of both are debatable - meanwhile, they are becoming harder to avoid. ®

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.