Feeds

Merchants and punters cry foul over Verified by Visa

Resistance is futile

SANS - Survey on application security programs

There is no doubt that banks are trying to shift away responsibility from themselves to the consumer, all the while claiming that it's for your protection. After all, VbyV and SecureCode mean that YOU are the one holding the credentials, not them. It's Chip-and-Pin for e-Tailers. And we all know how secure Chip-and-Pin is, especially when administered by APACS.

Reg reader Lee Harvey Osmond, who has practical experience in applying the technology, is also critical.

What I know about Verified by Visa (aka 3DSecure, and probably some other names too) comes from having read the manual to support it in a webstore. It appears to me to be a move to a three-factor authentication scheme, where the third factor adds no strength because it is likely to be stolen or leaked or compromised by all the same means a black hat would use to get at the first two. Since the shopper's 'secret' will have been presented, under the terms and conditions, the shopper has no right to repudiate the transaction. Or put another way, this is a way of shifting credit card fraud losses from the banks to the shoppers, and the shoppers get no benefit from this that I can see.

Reg poster Peter Mount explained the merchants have a choice whether or not to allow transactions without additional security checks regardless of how banks have applied the technology.

Having implemented 3DSecure for work, part of the API allows the merchant to decide if they want to continue the transaction if the customer has opted out of being verified. When we get the response back, it tells us if it succeeded, failed or they are not enrolled.

Simply put, if the customer has verified by Visa then the liability is on the bank, but if they are not enrolled and have opted out, the merchant may decide not to accept the liability for that transaction, and decline it themselves.

Some online merchants, such as Reg commenter RoboPope, are opposed to the mandatory introduction of the technology.

From a traders perspective its a nightmare, it costs us sales and the iframe setup is fraught with potential security issues.

we are fighting it but it is definitely not optional.

Fraud victim John Loader is among the minority of correspondents who reckon Verified by Visa and similar scheme will help prevent fraud.

Having been ripped off 3 times by on-line fraud I applaud the verified by Visa process - in fact I pestered my bank to introduce it. Anything that makes it safer to buy online must be a bonus. And site owners want it to protect themselves as they have had to carry the cost of fraud and hence had to reflect that cost in their prices.

I haven't seen any adverse security issues with the scheme anywhere. Why the resistance?

However, one anonymous correspondent claims to have become a victim of fraud after responding to a request to enroll onto MasterCard's SecureCode scheme. It seems likely that our source was either duped by a phishing scam or redirected to a fake site by some other form of hacker trickery, such as poisoned DNS caches or Trojan contamination.

I have been "directed" to Securecode once in making a standing purchase on-line at a site I knew well. I duly entered the required details. Two hours later HSBC were ringing me up asking if I was using my card to withdraw cash in Thailand.

Do I think this is a secure method? I rang them up and canceled my Securecode and password entry.

UK security firm GrIDsure is working on a more secure alternative to 3DSecure, its chairman Jonathan Craymer reports.

One of the main problems with 3D-Secure seems to be that there's only a fixed password used, albeit sometimes displayed incrementally (3rd, 5th and 78th letter for instance). We have been working on a 3D-Secure Plus system, using one-time codes created by our GrIDsure technology.

The user sets up a new-style 'secret' held on a remote database in place of a password. This 'secret' consists of a number of squares chosen on a grid. At authentication time, the grid fills up with random numbers, and the user simply has to 'read off' the random numbers in his/her chosen squares to create a new, one-time code. Far more secure, easier to use (no fixed string or recall, so far harder to phish - though phishing will never be completely defeated). However one other major benefit is that the same challenge-response could also reside on the card's chip - meaning that ONE system could serve in all purchasing scenarios, and Chip & PIN would no longer be necessary. The user would do a 3D-Secure Plus authentication over the counter (from the chip) and would use the remote database for online or phone/mail order.

Loius blames Visa and Mastercard - rather than banks - for pushing the introduction of the technology.

The reason VbV is being increasingly foisted upon the public in a mandatory way is because the banks have targets to meet which they're forced to comply with.

It's not necessarily something the banks want to implement, and doesn't necessarily offer them any benefits, but Visa and Mastercard have decided what they want to do, and the banks have to jump...

Smaller merchants are able to get away with not implementing VbV because they fall under the banks transaction-volume radar. Larger merchants with larger transaction volumes will be pressured into implementing VbV.

As time passes, no doubt all merchants will be cajoled into implementing VbV as the banks' targets are increased.

James Pickett compares Verified by Visa to Microsoft's anti-piracy technology.

Sounds like the banks' version of WGA, i.e. ostensibly of benefit to you (dear valued customer) to really only of benefit to them, so they can wriggle out of claims for fraud. Which isn't possible now, of course.

Both Microsoft's Windows Genuine Advantage and schemes for more secure online transactions, such as Verified by Visa, are touted as offering benefits for legitimate punters. The merits of both are debatable - meanwhile, they are becoming harder to avoid. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.