Merchants and punters cry foul over Verified by Visa

There is no doubt that banks are trying to shift away responsibility from themselves to the consumer, all the while claiming that it's for your protection. After all, VbyV and SecureCode mean that YOU are the one holding the credentials, not them. It's Chip-and-Pin for e-Tailers. And we all know how secure Chip-and-Pin is, especially when administered by APACS.

Reg reader Lee Harvey Osmond, who has practical experience in applying the technology, is also critical.

What I know about Verified by Visa (aka 3DSecure, and probably some other names too) comes from having read the manual to support it in a webstore. It appears to me to be a move to a three-factor authentication scheme, where the third factor adds no strength because it is likely to be stolen or leaked or compromised by all the same means a black hat would use to get at the first two. Since the shopper's 'secret' will have been presented, under the terms and conditions, the shopper has no right to repudiate the transaction. Or put another way, this is a way of shifting credit card fraud losses from the banks to the shoppers, and the shoppers get no benefit from this that I can see.

Reg poster Peter Mount explained the merchants have a choice whether or not to allow transactions without additional security checks regardless of how banks have applied the technology.

Having implemented 3DSecure for work, part of the API allows the merchant to decide if they want to continue the transaction if the customer has opted out of being verified. When we get the response back, it tells us if it succeeded, failed or they are not enrolled.

Simply put, if the customer has verified by Visa then the liability is on the bank, but if they are not enrolled and have opted out, the merchant may decide not to accept the liability for that transaction, and decline it themselves.

Some online merchants, such as Reg commenter RoboPope, are opposed to the mandatory introduction of the technology.

From a traders perspective its a nightmare, it costs us sales and the iframe setup is fraught with potential security issues.

we are fighting it but it is definitely not optional.

Fraud victim John Loader is among the minority of correspondents who reckon Verified by Visa and similar scheme will help prevent fraud.

Having been ripped off 3 times by on-line fraud I applaud the verified by Visa process - in fact I pestered my bank to introduce it. Anything that makes it safer to buy online must be a bonus. And site owners want it to protect themselves as they have had to carry the cost of fraud and hence had to reflect that cost in their prices.

I haven't seen any adverse security issues with the scheme anywhere. Why the resistance?

However, one anonymous correspondent claims to have become a victim of fraud after responding to a request to enroll onto MasterCard's SecureCode scheme. It seems likely that our source was either duped by a phishing scam or redirected to a fake site by some other form of hacker trickery, such as poisoned DNS caches or Trojan contamination.

I have been "directed" to Securecode once in making a standing purchase on-line at a site I knew well. I duly entered the required details. Two hours later HSBC were ringing me up asking if I was using my card to withdraw cash in Thailand.

Do I think this is a secure method? I rang them up and canceled my Securecode and password entry.

UK security firm GrIDsure is working on a more secure alternative to 3DSecure, its chairman Jonathan Craymer reports.

One of the main problems with 3D-Secure seems to be that there's only a fixed password used, albeit sometimes displayed incrementally (3rd, 5th and 78th letter for instance). We have been working on a 3D-Secure Plus system, using one-time codes created by our GrIDsure technology.

The user sets up a new-style 'secret' held on a remote database in place of a password. This 'secret' consists of a number of squares chosen on a grid. At authentication time, the grid fills up with random numbers, and the user simply has to 'read off' the random numbers in his/her chosen squares to create a new, one-time code. Far more secure, easier to use (no fixed string or recall, so far harder to phish - though phishing will never be completely defeated). However one other major benefit is that the same challenge-response could also reside on the card's chip - meaning that ONE system could serve in all purchasing scenarios, and Chip & PIN would no longer be necessary. The user would do a 3D-Secure Plus authentication over the counter (from the chip) and would use the remote database for online or phone/mail order.

Loius blames Visa and Mastercard - rather than banks - for pushing the introduction of the technology.

The reason VbV is being increasingly foisted upon the public in a mandatory way is because the banks have targets to meet which they're forced to comply with.

It's not necessarily something the banks want to implement, and doesn't necessarily offer them any benefits, but Visa and Mastercard have decided what they want to do, and the banks have to jump...

Smaller merchants are able to get away with not implementing VbV because they fall under the banks transaction-volume radar. Larger merchants with larger transaction volumes will be pressured into implementing VbV.

As time passes, no doubt all merchants will be cajoled into implementing VbV as the banks' targets are increased.

James Pickett compares Verified by Visa to Microsoft's anti-piracy technology.

Sounds like the banks' version of WGA, i.e. ostensibly of benefit to you (dear valued customer) to really only of benefit to them, so they can wriggle out of claims for fraud. Which isn't possible now, of course.

Both Microsoft's Windows Genuine Advantage and schemes for more secure online transactions, such as Verified by Visa, are touted as offering benefits for legitimate punters. The merits of both are debatable - meanwhile, they are becoming harder to avoid. ®