Original URL: http://www.theregister.co.uk/2008/10/23/vbyv_analysis/

Merchants and punters cry foul over Verified by Visa

Resistance is futile

By John Leyden

Posted in Security, 23rd October 2008 13:06 GMT

The Verified by Visa system is becoming harder to avoid, even for those with real doubts about its effectiveness in combating fraud.

The experiences of Verified by Visa refusenik and Reg reader Steve, reported in our earlier article on the system, are being shared by more and more Register readers.

Both Verified by Visa (VbyV) and MasterCard's equivalent SecureCode service are marketed as offering extra security checks to online purchases. Importantly, the schemes also transfer liability for bogus transactions away from merchants who use the system back towards banks (and perhaps ordinary e-commerce punters).

Online shoppers who buy goods and services from participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank.

Punters aren't informed up front that a merchant has signed up to Verified by Visa. Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine.

The appearance of phishing attacks hunting for Verified by Visa passwords is among the reasons some punters are wary of the technology.

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

Hole new dimension

The little-publicised mandatory use of the technology by some banks means that those with reservations have an uphill struggle to opt out of the scheme.

We say some banks because Verified by Visa and MasterCard SecureCode are considered to be competitive offerings. Different banks are taking a different approach to introducing and rolling out the technology, banking association APACS told us. That's in contrast to Chip and PIN, where it was clear up front that the technology would become compulsory with PIN codes replacing signatures as the main way of authorising purchases via plastic cards on the high street.

Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme. But unlike with robust authentication techniques, hackers don't have a hardware token generating one-time passwords to worry about - it's just more of the same. And since card details + CVV number is no longer considered secure enough, it's hard to see how card details + CVV number + VbyV login is any more robust.

An anonymous commenter to our original stories agrees:

Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.

Reg Reader Stef backs up these concerns.

They [banks] consider the Verified by Visa to be invulnerable, so any claims that you have been ripped off will fall on deaf ears.

Visa declined to respond to our requests for stats on what percentage of banks have made Verified by Visa compulsory for cardholders, or details of figures on take-up of the technology by merchants. But it did provide a statement summarising the perceived benefits of the technology.

Visa does always recommend best practice when shopping online, such as Verified by Visa, and that cardholders are vigilant when using their card whether it be in traditional or online retailers. Verified by Visa is easy and quick for consumers to sign up to, and we believe most consumers and merchants welcome extra security measures designed to prevent fraud.

According to the latest statistics from banking association APACS late last month, more than 25 million UK-issued credit and debit cards are registered with either Verified by Visa or MasterCard SecureCode, a seven-fold increase over the last two years. Merchants that have signed up for the programme account for one third of the volume of UK e-commerce transactions.

Those unconvinced by the arguments are having a harder job making purchases online. Steve, our original source, had problems with MBNA and Egg. Other readers have subsequently reported problems with several other banks that have introduced the scheme as compulsory, including Smile, Alliance and Leicester, Nationwide (as confirmed here) and First Direct.

Links from the securesuite.co.uk payment processing service website provide a fuller list of users of the technology.

Comments of one anonymous respondent to our original story are typical of those opposed to the scheme...

There is no doubt that banks are trying to shift away responsibility from themselves to the consumer, all the while claiming that it's for your protection. After all, VbyV and SecureCode mean that YOU are the one holding the credentials, not them. It's Chip-and-Pin for e-Tailers. And we all know how secure Chip-and-Pin is, especially when administered by APACS.

Reg reader Lee Harvey Osmond, who has practical experience in applying the technology, is also critical.

What I know about Verified by Visa (aka 3DSecure, and probably some other names too) comes from having read the manual to support it in a webstore. It appears to me to be a move to a three-factor authentication scheme, where the third factor adds no strength because it is likely to be stolen or leaked or compromised by all the same means a black hat would use to get at the first two. Since the shopper's 'secret' will have been presented, under the terms and conditions, the shopper has no right to repudiate the transaction. Or put another way, this is a way of shifting credit card fraud losses from the banks to the shoppers, and the shoppers get no benefit from this that I can see.

Reg poster Peter Mount explained that merchants have a choice over whether or not to allow transactions without additional security checks, regardless of how banks have applied the technology.

Having implemented 3DSecure for work, part of the API allows the merchant to decide if they want to continue the transaction if the customer has opted out of being verified. When we get the response back, it tells us if it succeeded, failed or they are not enrolled.

Simply put, if the customer has verified by Visa then the liability is on the bank, but if they are not enrolled and have opted out, the merchant may decide not to accept the liability for that transaction, and decline it themselves.

Some online merchants, such as Reg commenter RoboPope, are opposed to the mandatory introduction of the technology.

From a trader's perspective it's a nightmare, it costs us sales and the iframe setup is fraught with potential security issues.

We are fighting it but it is definitely not optional.

Fraud victim John Loader is among the minority of correspondents who reckon Verified by Visa and similar schemes will help prevent fraud.

Having been ripped off 3 times by on-line fraud I applaud the verified by Visa process - in fact I pestered my bank to introduce it. Anything that makes it safer to buy online must be a bonus. And site owners want it to protect themselves as they have had to carry the cost of fraud and hence had to reflect that cost in their prices.

I haven't seen any adverse security issues with the scheme anywhere. Why the resistance?

However, one anonymous correspondent claims to have become a victim of fraud after responding to a request to enroll onto MasterCard's SecureCode scheme. It seems likely that our source was either duped by a phishing scam or redirected to a fake site by some other form of hacker trickery, such as poisoned DNS caches or Trojan contamination.

I have been "directed" to Securecode once in making a standing purchase on-line at a site I knew well. I duly entered the required details. Two hours later HSBC were ringing me up asking if I was using my card to withdraw cash in Thailand.

Do I think this is a secure method? I rang them up and canceled my Securecode and password entry.

UK security firm GrIDsure is working on a more secure alternative to 3DSecure, its chairman Jonathan Craymer reports.

One of the main problems with 3D-Secure seems to be that there's only a fixed password used, albeit sometimes displayed incrementally (3rd, 5th and 78th letter for instance). We have been working on a 3D-Secure Plus system, using one-time codes created by our GrIDsure technology.

The user sets up a new-style 'secret' held on a remote database in place of a password. This 'secret' consists of a number of squares chosen on a grid. At authentication time, the grid fills up with random numbers, and the user simply has to 'read off' the random numbers in his/her chosen squares to create a new, one-time code. Far more secure, easier to use (no fixed string or recall, so far harder to phish - though phishing will never be completely defeated). However one other major benefit is that the same challenge-response could also reside on the card's chip - meaning that ONE system could serve in all purchasing scenarios, and Chip & PIN would no longer be necessary. The user would do a 3D-Secure Plus authentication over the counter (from the chip) and would use the remote database for online or phone/mail order.
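The grid challenge-response described above can be sketched from the server's side. This is an added example, not GrIDsure's code or part of the original article; the 5x5 grid, the digits 0-9, the ordered pattern and all names (`GridVerifier`, `read_off`, `new_grid`) are assumptions made for illustration.

```python
import hmac
import secrets

GRID_SIZE = 5  # assumed 5x5 grid; the article does not give dimensions


def new_grid(size=GRID_SIZE):
    """Fill a size x size grid with random digits from the OS CSPRNG."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def read_off(grid, pattern):
    """Digits found in the chosen squares, in the order they were chosen."""
    return "".join(str(grid[row][col]) for row, col in pattern)


class GridVerifier:
    """Server side: holds each user's pattern and at most one open challenge."""

    def __init__(self):
        self._patterns = {}  # user -> list of (row, col) squares
        self._pending = {}   # user -> grid awaiting a response

    def enroll(self, user, pattern):
        inside = all(0 <= r < GRID_SIZE and 0 <= c < GRID_SIZE for r, c in pattern)
        if not pattern or not inside:
            raise ValueError("pattern must be non-empty and inside the grid")
        self._patterns[user] = list(pattern)

    def challenge(self, user):
        """Issue a fresh grid; it replaces any earlier unanswered one."""
        if user not in self._patterns:
            raise KeyError("unknown user")
        grid = new_grid()
        self._pending[user] = grid
        return grid

    def verify(self, user, code):
        """Check the code against the open grid, then discard that grid."""
        grid = self._pending.pop(user, None)  # single use, pass or fail
        if grid is None:
            return False
        expected = read_off(grid, self._patterns[user])
        # Constant-time comparison so timing does not leak matching digits.
        return hmac.compare_digest(expected.encode(), str(code).encode())
```

Because the grid is discarded on every verification attempt, a code captured for one grid cannot be resubmitted, which is the property the fixed 3D-Secure password lacks.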

Loius blames Visa and Mastercard - rather than banks - for pushing the introduction of the technology.

The reason VbV is being increasingly foisted upon the public in a mandatory way is because the banks have targets to meet which they're forced to comply with.

It's not necessarily something the banks want to implement, and doesn't necessarily offer them any benefits, but Visa and Mastercard have decided what they want to do, and the banks have to jump...

Smaller merchants are able to get away with not implementing VbV because they fall under the banks' transaction-volume radar. Larger merchants with larger transaction volumes will be pressured into implementing VbV.

As time passes, no doubt all merchants will be cajoled into implementing VbV as the banks' targets are increased.

James Pickett compares Verified by Visa to Microsoft's anti-piracy technology.

Sounds like the banks' version of WGA, i.e. ostensibly of benefit to you (dear valued customer) but really only of benefit to them, so they can wriggle out of claims for fraud. Which isn't possible now, of course.

Both Microsoft's Windows Genuine Advantage and schemes for more secure online transactions, such as Verified by Visa, are touted as offering benefits for legitimate punters. The merits of both are debatable - meanwhile, they are becoming harder to avoid. ®