Net Shoppers Bullied Into "Verified By Visa" Program

Posted by kdawson on Fri Aug 08, 2008 12:13 PM
from the not-exactly-optional dept.
bluefoxlucid writes "According to The Register, several banks are forcing users to opt-in to the Verified by Visa optional service by locking their cards if and when they encounter a Verified by Visa participating site and fail to opt-in. Register reader Steve says, 'This seems like a strange way to implement a voluntary system. On most of the retailers' websites there is no clue that you are about to be challenged by Verified by Visa until you attempt to complete the transaction. This means that you trigger the "fraud protection" unintentionally. And when you have located a retailer who doesn't require Verified by Visa to complete a purchase, you can't because your account is on hold.' Further, '[I]n some cases resetting the password is all too easy. Fraudsters know this and go after these credentials which, once obtained, make it harder for consumers to deny responsibility for a fraudulent transaction. Phishing scams posing as Verified by Visa sites have sprung up targeting these login credentials.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by negRo_slim (636783) on Friday August 08 2008, @12:19PM (#24528149) Homepage
    I'm going to go out on a limb and say that for most people transactions should be limited to those that can be completed via a physical exchange of payment for goods and services. Ya know I hop on newegg to get a part here and there, but when I have a choice I keep my money in my community even if it costs an extra $10-20USD for a part... I'm just saying.
    • Re:Out on a limb (Score:5, Insightful)

      by PC and Sony Fanboy (1248258) on Friday August 08 2008, @12:25PM (#24528237) Journal
      So, do you eat local produce? Like the 100 mile diet? Do your clothes say 'Made in China'?

      Purchasing locally only works if you live in an accessible area. Even when you buy local, it doesn't mean that you're actually supporting local business (like shopping at your local wal-mart doesn't really help your local economy that much).

      Also, people in small communities often don't have the option to buy local? Or, what if the local stores are run by douchebags? Should we be forced to spend our money to support them?

      I'll keep buying online, unless I need something more than just a low price. When I need more than low prices (like, support) then I'll buy local.

      I also like shopping while naked - which is easy to do online ... but not so easy IRL.
        • by Stanistani (808333) on Friday August 08 2008, @12:44PM (#24528633) Homepage Journal

          People not even willing to make one small change in their habits make me sick.

          Fortunately, you buy your antacids locally, so his buying habits directly benefit your community. The system works!

        • Re:Out on a limb (Score:5, Insightful)

          by PC and Sony Fanboy (1248258) on Friday August 08 2008, @01:02PM (#24528933) Journal
          I think you've missed something.
          1. Wal-mart doesn't bring money into your community, it pays minimum wage and the money goes to the shareholders. A purchase at wal-mart is a geographically local purchase ... but not an economic one.
          2. You may be from Oregon, but I'm from small town Ontario (Canada). Your local food shopping may work in your geographical area, but it doesn't generalize to the entire world population.
          3. Our government doesn't subsidize our produce nearly as much as yours does - so local food isn't an option, unless you eat wheat and corn year round.
          4. If I buy something locally, and a better product is available from somewhere else, at a better price, then I'm being 'screwed' locally, so why should I support someone who takes advantage of me, local or not?

          Buying locally only works if you're buying from locally owned/operated business. If you're buying 'local' from a multi-national chain, then you're not really buying local, you're just lying to yourself. The suggestion that we can buy local is only beneficial if you buy from people who live in your town, and they also buy locally - otherwise, there is no point, since the local purchase doesn't stay local.

          Yes because low price is king! Your community is 2nd!

          This is true when my community isn't competitive because they don't have to be. When someone takes advantage of my situation, I'm less loyal to them. When someone charges me much more for a product because they CAN, not because they're being competitive, then I'm going to shop elsewhere, somewhere fair and reasonable. And why would I discriminate against another community, simply because of geographical distance (for example: Why should I deny the Japanese my money when I can buy a perfectly good American car?).

          Why? It all comes down to value. You can spend your money locally, but I'm only going to spend it locally when there is more value (which depends on the type of purchase) in shopping locally. Price is not king. But I'm not in a position to give excess money away for nothing. If you are in such a position, I'm happy for you.

          • Re: (Score:3, Interesting)

            I do have one objection, while I hate Wal-mart for other reasons they actually pay good wages for the work (I've worked for them out of desperation for temporary work and got 9.90 an hour starting and well above minimum wage.)

            Regardless, railing against trade is just silly and misinformed, there's a reason we've been doing it for so damn long, and in general it is mutually benefiting.

          • Re: (Score:3, Interesting)

            Well, assuming you're really buying locally (as in, buying locally grown, locally made products) it's reducing the carbon footprint of the purchase astronomically. Even buying from a "local" big box store helps this to some extent. Walmart and Best Buy ship their products very efficiently compared to the "Mail one box to your house" method used for online purchases. Think about it:

            1) Grow/make an item yourself- zero gas or oil used in shipment
            2) Item grown/made locally- Only fuel needed to get it from lo

            • by operagost (62405) on Friday August 08 2008, @03:51PM (#24531701) Homepage Journal

              Well, assuming you're really buying locally (as in, buying locally grown, locally made products) it's reducing the carbon footprint of the purchase astronomically.

              Unfortunately, all the food is still made of carbon. If only we were silicon-based life forms!

    • by jafiwam (310805) on Friday August 08 2008, @12:31PM (#24528355) Homepage Journal

      I buy all my hookers and blow locally.

      • But do you know the blow is made locally and that your hookers are imports?
      • by negRo_slim (636783) on Friday August 08 2008, @12:36PM (#24528469) Homepage

        I buy all my hookers and blow locally.

        I doubt the blow is produced locally, unless you meant to say methamphetamine? Either way I applaud you for helping to support your local Escalade driving youths!

        • by Otter (3800) on Friday August 08 2008, @12:50PM (#24528733) Journal
          He lives in Colombia, you ethnocentric clod!
        • I buy all my hookers and blow locally.

          I doubt the blow is produced locally, unless you meant to say methamphetamine? Either way I applaud you for helping to support your local Escalade driving youths!

          I live in Merced (CA), and I can say with pride that all our meth is made locally!

      • Re:Out on a limb (Score:4, Informative)

        by sm62704 (957197) on Friday August 08 2008, @12:53PM (#24528791) Journal

        "Blow" is the powdered form of cocaine. Most of the drug addicted hookers smoke crack cocaine, not powdered coke. Although some of the ones I know are heroin junkies, some are alcoholics, and some aren't addicted to anything except money (those are my favorites).

        I pay 'em in cash, let 'em buy their own damned dope!

      • by fahrbot-bot (874524) on Friday August 08 2008, @01:00PM (#24528903)

        I buy all my hookers and blow locally.

        They accept Visa? It really is everywhere you want to be! I'm guessing that for everything else you use Mastercard.

    • Re:Out on a limb (Score:5, Informative)

      by Lumpy (12016) on Friday August 08 2008, @12:42PM (#24528567) Homepage

      Great idea for you rich guys. When I buy a $19.95 cable off newegg, I can't afford to pay $45.00 for it locally.

      When I become rich like you, I'll buy locally, until then, I'll stay a price whore.

  • by Anonymous Coward on Friday August 08 2008, @12:21PM (#24528173)

    I notice my newegg transactions redirect through a verified by visa page at the end of the checkout transaction.

    I was never asked to opt in or provide a password or any other additional information or join anything.

    Not sure where the problem is on this side of the pond.

    Frankly, I'm cool with any additional security measures as long as I'm not forced into signing up special. And I assume all my personal info is already known by both newegg and visa.

    • by internewt (640704) on Friday August 08 2008, @02:31PM (#24530481) Journal

      This isn't about real security..... VbV and similar systems are about protecting the financial institutions from the costs of fraud, by shifting the liability to the customer. It is about the security of banks' future profits.

      As I understand it, with Verified by Visa you create a password for your card. When you use your card, the vendor's site sends you to a Visa/your bank controlled domain to check the password (in an iframe, so you can't actually see the domain, nor easily check the certificate). The idea is that only the card holder knows the password, and part of the agreement when signing up to VbV will be a promise that you will not disclose the password, and any transaction that uses the password will be assumed to have been approved by the card holder. Of course, the agreement is long and written in legalese, so the banks know most customers will not read it, and if they did they probably wouldn't understand it.

      Well, fuck that. This is just the banks being greedy... obviously the merchant fees aren't enough to keep the shareholders happy so "costs" have to be cut in other ways. So by wriggling out of some more responsibility for fraud (like has been done with the chip and pin system), the banks can make even more money.

      I recommend that anyone who gets presented with verified by visa to not sign up at all, and to stop using it immediately if you have signed up to it. Get a new card, or a new bank to avoid it in the future.

      NoScript on my install of FF has the VbV domains marked as untrusted, and I think I have set up blunt adblock filters to stop anything at all being loaded to do with VbV. Generally, surfing without javascript seems to stop VbV from working in the first place though.

      Of course, some banks are now pressuring people to sign up to VbV, by using tactics of annoyance (disabling cards and shouting "fraud prevention"), which will work on most people....

        • by icknay (96963) on Friday August 08 2008, @08:49PM (#24534215)

          You said it! VbV may be imperfect but compared to the zillions of stories about identity theft etc. at least it's a technical attempt to improve the situation. Bruce Schneier has said that the key step to improving credit card payment is looping the transaction security through the banks (Visa) not the merchant, and that's what this looks like.

          I for one would pay more for a card that came with a secureID card or used my cell phone or something else for savvy consumer to confirm transactions. Even though I'm not liable for fraud ultimately, the idea of the fraud just annoys the crap out of me and I'm game to pay to make it harder for the fraudster.

  • Optional abuse (Score:4, Interesting)

    by gilbertopb (1286258) on Friday August 08 2008, @12:22PM (#24528199) Homepage
    I was a customer, in my country, of a major national bank that used this kind of "optional" verification service. If you don't accept, the web service doesn't work for you. In this case, their site installed a Java plugin, and because of this ALL my web URLs were sent to the bank's main server (!!!) to check if I was entering an "insecure site". I sent this info to the federal police and the Central Bank, and claimed it was an illegal sniffing process, and they (the bank) sent a group of lawyers to my house trying to force me to sign a paper in which I had to agree not to use the site (the only way to not install the plugin again) or to migrate to Firefox with all kinds of firewall settings (at my own effort) to lock the back IPs... When I read about this kind of service happening, I just wonder what kind of CEO that company has.
  • by CodeBuster (516420) on Friday August 08 2008, @12:24PM (#24528233)
    How can it be "opt-in" if you basically cannot use your card if you don't?
    • How can it be "opt-in" if you basically cannot use your card if you don't?

      Well, I guess you can opt to use your card with their authentication to shop on-line, or you can opt for a different method of payment.

      Sadly, that's probably how they see it.

      Cheers

      • by CodeBuster (516420) on Friday August 08 2008, @03:37PM (#24531531)
        According to TFA that won't work. You don't know if a particular retailer is using the "verified by visa" program before you are already in the process of making your purchase. You get redirected (or ambushed) into a separate off-site page where you are asked to enter a password which locks your card for fraud if you get it wrong (or possibly even if you just refuse to enter the password, but the details on what causes a lock are a bit sketchy which makes the whole situation even worse). If your card gets locked in this way then you cannot use it at any other merchant online or offline until you go to the bank website and unlock it. It has been pointed out by others that, due to the offsite redirect and request for a separate password, this makes a perfect target for phishers who can trick an unsuspecting user into entering their password which the phishers then use to reset the password to something else (effectively locking the legitimate customer out of their account). The fact that phishing was and is an ongoing problem, even with regular HTTPS sites that do not do extra re-directs, suggests that these additional steps will only confuse most of the customers and provide even more chances for the phishers out there to ply their trade.
  • Not only that (Score:4, Informative)

    by Anonymous Coward on Friday August 08 2008, @12:28PM (#24528299)

    But this Verified by Visa malarkey also encourages poor design and security choices by customers and merchants:

    - Merchants must embed the Verified by Visa site inside their own checkout page (there must be some kind of xss hole there somewhere).
    - The Verified by Visa redirect page requires javascript.
    - Verified by Visa forces a customer to login to their web-bank; "elevating" a simple shopping session into a high-security web-bank login session.

    What if the customer is using another PC (for those with web-bank logins tied to their home PC)?

    What if the customer doesn't have their web-bank tokens / one time pad sheet with them?

    In my opinion, the Verified by Visa scheme is overly simplistic and makes unwarranted assumptions about the customer and merchant which aren't appropriate in a "web 2.0" world.

  • by Taibhsear (1286214) on Friday August 08 2008, @12:33PM (#24528393)

    but slightly different. My bank never informed me that they were implementing it or of what this program even was so I never signed up for it online. Sometimes I could cancel the order and it would go through anyways (good to see the software is working properly, lol). But after a while that stopped working. Several sites wouldn't let me purchase anything unless I did sign up for it. So I either had to go to some shoddy shady website to buy what I needed (if the option even existed) and end up possibly paying more, or sign up for this, yet another, "layer of protection" for my account. By the time I'm middle aged my account will be so wrapped up in layers it'll look like a Michelin Man Mummy.

  • by Coopjust (872796) on Friday August 08 2008, @12:35PM (#24528445)
    If a merchant doesn't use the Verified by Visa program when a bank offers it (Target Visas, for instance, do not use the program), and they get a chargeback, the merchant instantly loses and is charged the transaction cost + $35.

    It sucks, but it's very understandable from the merchant side. It only needs to happen a couple times with big $$$ buyers for a small shop to be badly hurt.
  • Does Skype do this? (Score:5, Interesting)

    by ardle (523599) on Friday August 08 2008, @12:37PM (#24528479)
    A few months ago, I tried to buy credit on the Skype website and was unable to bypass the "Verified by Visa" bit as I had in the past (it wasn't easy to do it then, either - I think it involved hitting the "back" and quickly copying a link before I was redirected to VBV again).
    I haven't been back since.
  • Verified not to work (Score:5, Interesting)

    by Fear13ss (917494) on Friday August 08 2008, @12:44PM (#24528613)
    HAHA, Verified by Visa, such a joke... I have verified by visa on one of my accounts. I also like the thought of protecting myself where I can. So my browsing preference is Firefox + cookie whitelist + NoScript. That combination is enough to fully bypass Verified by Visa. A few months back I put in an order at NewEgg where I was challenged by the Verified by Visa system (which was not white listed for cookies or scripts) upon making the white list change to NoScript, the window refreshed and amazingly I had successfully completed the Verified by Visa Challenge (by allowing scripting on the page). Order went through without a hitch. Another satisfied customer (of NewEgg), if I was paying for Verified by Visa, I'd demand my money back.
    • by unger (42254) on Friday August 08 2008, @02:03PM (#24530019)

      So my browsing preference is Firefox + cookie whitelist + NoScript. That combination is enough to fully bypass Verified by Visa. A few months back I put in an order at NewEgg where I was challenged by the Verified by Visa system (which was not white listed for cookies or scripts) upon making the white list change to NoScript, the window refreshed and amazingly I had successfully completed the Verified by Visa Challenge (by allowing scripting on the page). Order went through without a hitch. Another satisfied customer (of NewEgg)

      iirc, Verified by VISA at newegg is optional. i wonder if this "trick" would work at a merchant where Verified by VISA is compulsory? did you happen to test this work-around at such a merchant's website?

      how a merchant integrates the Verified by VISA system into their website may also affect whether or not the system can be bypassed.

  • No way to verify (Score:5, Informative)

    by Todd Knarr (15451) on Friday August 08 2008, @12:45PM (#24528643) Homepage

    One of the reasons I've avoided Verified by Visa is that the way they implement the "authentication" page it's impossible for the customer to tell whether they're entering their password into the Visa site or some random black-hat site. And I have a simple rule: I don't enter my account's password into any form that's not on a page clearly and verifiably served by my bank's Web server.

    Of course, if I'm buying on a Web site, I'm most likely using my Amex card which doesn't have this issue. If the merchant doesn't take Amex, I'll go to one that does.

      • Re: (Score:3, Informative)

        IME, the implementation is a train wreck. I have a Visa card through Bank of America, and the first time I ran into the "Verified" prompt, I was positive it was a scam:

        • The form is in an iframe, so it's not even immediately obvious whether it's encrypted
        • The iframe contents (for BoA) are hosted at bankofamerica.vbv.cyota.com, not, you know bankofamerica.com or visa.com
        • The first time it popped up, it prompted me for the last four digits of my social security number, to "activate my account"
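
Added example, not part of any comment in this thread: the complaint above is that the password form is framed from bankofamerica.vbv.cyota.com rather than a domain the cardholder recognises. The JavaScript below contrasts a "the bank's name is in the URL" check with a strict host check; the expected-domain list and every sample URL except that hostname are constructed.

```javascript
"use strict";
// Added example, not code from the thread. EXPECTED_DOMAINS and all sample
// URLs other than the cyota.com hostname are constructed for illustration.

// Domains a cardholder would recognise as issuer or card scheme (assumption).
const EXPECTED_DOMAINS = ["bankofamerica.com", "visa.com"];

// Weak check: the brand name appears somewhere in the URL string.
function naiveLooksTrusted(frameUrl) {
  return /bankofamerica|visa/i.test(frameUrl);
}

// Strict check: parse the URL, require https, reject userinfo, and accept the
// host only if it equals an expected domain or is a subdomain of one
// (the match is anchored on a dot boundary, so "notvisa.com" fails).
function classifyFrame(frameUrl, expected = EXPECTED_DOMAINS) {
  let url;
  try {
    url = new URL(frameUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not served over https" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const parent = expected.find((d) => host === d || host.endsWith("." + d));
  if (!parent) {
    return { ok: false, reason: "host " + host + " is not under an expected domain" };
  }
  return { ok: true, reason: "host " + host + " is under " + parent };
}

const SAMPLE_FRAMES = [
  "https://bankofamerica.vbv.cyota.com/",   // hostname quoted in the comment above
  "https://www.bankofamerica.com/",         // constructed: genuine subdomain
  "https://bankofamerica.com.example.net/", // constructed: brand as a left-hand label
  "http://www.visa.com/",                   // constructed: right host, no TLS
  "https://visa.com@example.net/",          // constructed: brand in the userinfo part
];

// Run both checks over a list of frame URLs and return one row per URL.
function auditFrames(urls = SAMPLE_FRAMES) {
  return urls.map((u) => ({
    url: u,
    naive: naiveLooksTrusted(u),
    strict: classifyFrame(u),
  }));
}

for (const row of auditFrames()) {
  console.log(
    row.naive ? "naive:pass" : "naive:fail",
    row.strict.ok ? "strict:pass" : "strict:fail",
    row.url,
    "-",
    row.strict.reason
  );
}
```

Only the second sample passes the strict check, while all five pass the name-in-URL check, which is the gap the commenters describe when the form sits in a frame with no visible address bar.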
  • BITE

    Seriously, while we live far from a legal utopia in the US, the little bits I have learned about banking laws and regulations in Europe make me amazed that those folks don't keep all their Euros and pounds in their mattresses.

    It seems that often Europeans have no recourse against banking mistakes. But on the US side of the pond banks would rather take the losses from robbery than put in "unfriendly looking" security that might make customers feel uncomfortable. Hence they also take the losses on fraud, identity theft, etc.

    And you wondered why your credit card charged 22% interest.

  • by Jah-Wren Ryel (80510) on Friday August 08 2008, @01:08PM (#24529037)

    I am a religious user of disposable credit card numbers. [findarticles.com] The numbers are user-generated using a little flash-applet that requires a login and password. They are linked, at the bank's end, to my 'real' credit card account be it visa or mastercard.

    I have never signed up for verified by visa, but I have found that every time I use a disposable number linked to my visa account that it automagically passes the verified by visa tests - I'll see the verified by visa web page come up, and without any other actions on my part, it says that I passed or was verified or whatever and my transaction goes through just fine.

    • by osmodion (716658) on Friday August 08 2008, @01:17PM (#24529211)
      I used to use disposable credit card numbers all the time. Occasionally I would give a friend without a credit card a one time use number so he could buy something online. By accident, he used the same number twice, after it was supposed to be invalid. The charge went through without a problem. These disposable numbers aren't nearly as safe as the banks make them out to be.
  • A positive (Score:3, Funny)

    by sjonke (457707) on Friday August 08 2008, @01:27PM (#24529379) Journal

    When I bought that iPhone App, Verified by Visa outright verified that it was *I* who was rich, and not some spineless imposter.

  • Discover Card (Score:3, Informative)

    by McFly69 (603543) on Friday August 08 2008, @01:40PM (#24529639) Homepage
    That is another reason why I use my Discover Card on NewEgg. I shop there all the time and never saw/heard of this until this article. Best of all, my Discover Card gives me 1% cash back and I can double my cash/points with giftcards from their website. As a result, I can buy more crap on NewEgg with my points from Discover Card WITHOUT this mumbo-jumbo stuff.

    Just my 2 cents :)
  • by gilgongo (57446) on Friday August 08 2008, @04:56PM (#24532319) Homepage Journal

    I work for a large online business, and recently had to re-design parts of our checkout process to accommodate the "Verified by Visa" and "MasterCard SecureCode" systems. The whole thing is confusing and error-prone. Several parts of the "guidelines" (for which read "commands") from Visa and MasterCard are plainly crafted by people who've never had to sell anything on-line in their lives. Pop-up windows, erosions of brand equity, sudden re-orientations, confusing distractions - all right at the crucial point of purchase (in our case for average orders worth several hundreds of dollars). And all that is ignoring the fact that the consumer has to remember YET ANOTHER PIN NUMBER.

    Needless to say, we are only going to implement it when we are forced to at gunpoint. Yes, there are theoretical advantages in decreased charge-backs, but if that takes place against lower conversion, we might have to bring the lawyers in.

    Personally, I see these schemes as a symptom of the actions of robotic "security analysts" - morons who see customers as "actors" in use cases. Where the only response to attack is to "increase security" by piling more responsibility on people who already have more than enough passwords, convoluted signups and "for your protection" bullshit to cope with. Is it a coincidence that we're seeing more fraud while such "security measures" increase?

    How about Visa and MasterCard get off their corpulent, gaseous arses and actually DO SOMETHING about credit card fraud that doesn't simply pass the buck?

      • Re: (Score:3, Interesting)

        There isn't a good way for them to coordinate as their beloved 4chan is currently down. Never gonna run around and hurt you.
    • I'm not so sure.

      I think all of my cards have switched to Mastercard now, but at least one of them was a Visa credit card until fairly recently. I came across this "Verified by Visa" thing out of the blue one day, having had no prior warning from either my card company or the merchant that I should expect it.

      So I did what any smart person does when a web browser surprisingly pops up a window they've never seen before and asks for their confidential information: I left the site immediately, cancelled that card and reset all my security details, and shopped elsewhere using a different payment method in the meantime. Both Visa and the merchant in question lost out on that one.

      • by HTH NE1 (675604) on Friday August 08 2008, @12:57PM (#24528867)

        I think all of my cards have switched to Mastercard now

        MasterCard has an equivalent system called SecureCode. I haven't encountered it yet, though I checked and the bank with which I have my MasterCard does support it.

      • by nicklott (533496) on Friday August 08 2008, @01:45PM (#24529721)

        MasterCard have the equivalent of Verified by visa, I'm not sure what it's called now but you interface with both systems in the same way (3DSecure is the generic name). I guess the US is a year behind the UK in this; last summer Mastercard forced all "cardholder not present" transactions done by Maestro (a UK debit card) through this system. As both a merchant and a developer I was less than pleased. As you point out the implementation is horrific. The UK banks actually use (or used at least, I haven't checked recently) a third party to provide the external verification pages and these are hosted on a shared server (at secureserver.co.uk I think) that also has the likes of maspieshop.secureserver.co.uk on it (at least that's what you used to get when you visited the IP that this resolved to). Reinforcing the appearance that this was some kind of scam was the poor html and appalling design. Needless to say Maestro payments pretty much dried up to nothing and we had a great time fielding phone calls from customers that hadn't been informed by their banks what was happening (pretty much all of them).

        This was forced through by mastercard completely ignoring the protests of the clearing banks, payment gateways and merchants, presumably from some political motive, and it simply hasn't been thought through at all: you can change the password just by entering the card number and cv2, which if you've stolen the card details, you of course have.

        Don't assume that mastercard is any better than visa: they are a two member cartel. Anyway, given that maestro payments collapsed to about 20% of their prior level, I hope that mastercard got what they deserved.

      • by freeze128 (544774) on Friday August 08 2008, @05:12PM (#24532495)
        I had a similar experience, except I didn't bail on both the issuer and the merchant like you did.

        I called the customer service number on the back of my card, and waited to talk to a human about this "Verified by Visa" program. My bank (Wells Fargo) could not tell me anything about the VbV program, or even that it exists. This just stupefied me. It clearly has the Visa Logo on the front of the card, The Wells Fargo logo on the front of the card, and Wells Fargo cannot tell me that the VbV program isn't even an attempt at fraud.

        I suggested that the customer service representative notify their supervisor that their customer service reps need more education on the services that they are offering, and hung up.

        I then closed my web browser, called the merchant on the phone, and placed my order that way. Toll-Free, 24 Hours.

        The Internet. Who needs it?
    • Verified by Visa, 3D Secure, etc are GOOD for you.

      Adding an inherently insecure stage to every transaction... which provides another opportunity for fraudsters using cross site and cross zone attacks to steal your authentication tokens... is good for you?

      On what planet?

    • Re: (Score:3, Interesting)

      I've been using verified by visa for some time now, but every time I make a "large" purchase online, EVEN AFTER verifying my visa password, visa still puts a hold on my card and calls a few DAYS later if I don't call them first, asking me to verify my purchases... Tell me how useful that is?

      I had that happen to me a few months ago, but at the time I thought it was perfectly reasonable.

      I bought a digital SLR on-line (about $1200CDN). They have no history of me shopping on line (I usually don't), and a big p

    • ANY system that redirects me to a framed third-party page that I can't verify to provide authentication information is inherently insecure and I will not use it. I've had problems with identity fraud online even without this extra layer of insecurity...

      If this means I only buy online with Paypal (which I have funded by an account with a limited balance that I *only* use for Paypal) and one-shot debit cards from the grocery store, I guess I should thank them for making me shop more safely online.