
Net Shoppers Bullied Into "Verified By Visa" Program 302

Posted by kdawson
from the not-exactly-optional dept.
bluefoxlucid writes "According to The Register, several banks are forcing users to opt-in to the Verified by Visa optional service by locking their cards if and when they encounter a Verified by Visa participating site and fail to opt-in. Register reader Steve says, 'This seems like a strange way to implement a voluntary system. On most of the retailers' websites there is no clue that you are about to be challenged by Verified by Visa until you attempt to complete the transaction. This means that you trigger the "fraud protection" unintentionally. And when you have located a retailer who doesn't require Verified by Visa to complete a purchase, you can't because your account is on hold.' Further, '[I]n some cases resetting the password is all too easy. Fraudsters know this and go after these credentials which, once obtained, make it harder for consumers to deny responsibility for a fraudulent transaction. Phishing scams posing as Verified by Visa sites have sprung up targeting these login credentials.'"
  • by Anonymous Coward

    Also, I like the fact my card is clear!

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Also, I like the fact my card is clear!

      Great, and as a business owner I despise you. AMEX holds money for 2 weeks before paying me. So does Discover.

      That's why I don't take either one, publicly.

  • by negRo_slim (636783) <mils_oRgen@hotmail.com> on Friday August 08, 2008 @01:19PM (#24528149)
    I'm going to go out on a limb and say that for most people transactions should be limited to those that can be completed via a physical exchange of payment for goods and services. Ya know I hop on newegg to get a part here and there, but when I have a choice I keep my money in my community even if it costs an extra $10-20USD for a part... I'm just saying.
    • Re:Out on a limb (Score:5, Insightful)

      by PC and Sony Fanboy (1248258) on Friday August 08, 2008 @01:25PM (#24528237) Journal
      So, do you eat local produce? Like the 100 mile diet? Do your clothes say 'Made in China'?

      Purchasing locally only works if you live in an accessible area. Even when you buy local, it doesn't mean that you're actually supporting local business (like shopping at your local wal-mart doesn't really help your local economy that much).

      Also, people in small communities often don't have the option to buy local? Or, what if the local stores are run by douchebags? Should we be forced to spend our money to support them?

      I'll keep buying online, unless I need something more than just a low price. When I need more than low prices (like, support) then I'll buy local.

      I also like shopping while naked - which is easy to do online ... but not so easy IRL.
    • by jafiwam (310805) on Friday August 08, 2008 @01:31PM (#24528355) Homepage Journal

      I buy all my hookers and blow locally.

    • Re:Out on a limb (Score:5, Informative)

      by Lumpy (12016) on Friday August 08, 2008 @01:42PM (#24528567) Homepage

      Great idea for you rich guys. When I buy a $19.95 cable off newegg, I can't afford to pay $45.00 for it locally.

      When I become rich like you, I'll buy locally, until then, I'll stay a price whore.

  • by Anonymous Coward on Friday August 08, 2008 @01:21PM (#24528173)

    I notice my newegg transactions redirect through a verified by visa page at the end of the checkout transaction.

    I was never asked to opt in or provide a password or any other additional information or join anything.

    Not sure where the problem is on this side of the pond.

    Frankly, I'm cool with any additional security measures as long as I'm not forced into signing up special. And I assume all my personal info is already known by both newegg and visa.

    • by internewt (640704) on Friday August 08, 2008 @03:31PM (#24530481) Journal

      This isn't about real security..... VbV, and similar systems, are about protecting the financial institutions from the costs of fraud, by shifting the liability to the customer. It is about the security of banks' future profits.

      As I understand it, with Verified by Visa you create a password for your card. When you use your card, the vendor's site sends you to a Visa/your bank controlled domain to check the password (in an iframe, so you can't actually see the domain, nor easily check the certificate). The idea is that only the card holder knows the password, and part of the agreement when signing up to VbV will be a promise that you will not disclose the password, and any transaction that uses the password will be assumed to have been approved by the card holder. Of course, the agreement is long and written in legalese, so the banks know most customers will not read it, and if they did they probably wouldn't understand it.

      Well, fuck that. This is just the banks being greedy... obviously the merchant fees aren't enough to keep the shareholders happy so "costs" have to be cut in other ways. So by wriggling out of some more responsibility for fraud (like has been done with the chip and pin system), the banks can make even more money.

      I recommend that anyone who gets presented with verified by visa to not sign up at all, and to stop using it immediately if you have signed up to it. Get a new card, or a new bank to avoid it in the future.

      NoScript on my install of FF has the VbV domains marked as untrusted, and I think I have set up blunt adblock filters to stop anything at all being loaded to do with VbV. Generally, surfing without javascript seems to stop VbV from working in the first place though.

      Of course, some banks are now pressuring people to sign up to VbV, by using tactics of annoyance (disabling cards and shouting "fraud prevention"), which will work on most people....

      • Re: (Score:3, Insightful)

        by jez9999 (618189)

        NoScript on my install of FF has the VbV domains marked as untrusted, and I think I have set up blunt adblock filters to stop anything at all being loaded to do with VbV. Generally, surfing without javascript seems to stop VbV from working in the first place though.

        Don't you think you're overreacting a bit? VbV might shift some liability to the customer, but it isn't just some BS the banks made up; it really does increase security if you pick a secure password and don't give it out.

      • VbV, and similar systems, are about protecting the financial institutions from the costs of fraud, by shifting the liability to the customer. It is about the security of banks' future profits.

        The financial institutions don't have liability anyway, liability currently lies with the merchants (and is very costly for them).

        In the long run decreasing fraud costs for merchants should benefit consumers as ultimately the cost of covering that fraud is passed on to legitimate customers.

        Better buyer authentication is g

        • by icknay (96963) on Friday August 08, 2008 @09:49PM (#24534215)

          You said it! VbV may be imperfect but compared to the zillions of stories about identity theft etc. at least it's a technical attempt to improve the situation. Bruce Schneier has said that the key step to improving credit card payment is looping the transaction security through the banks (Visa) not the merchant, and that's what this looks like.

          I for one would pay more for a card that came with a secureID card or used my cell phone or something else for savvy consumer to confirm transactions. Even though I'm not liable for fraud ultimately, the idea of the fraud just annoys the crap out of me and I'm game to pay to make it harder for the fraudster.

  • Optional abuse (Score:4, Interesting)

    by gilbertopb (1286258) on Friday August 08, 2008 @01:22PM (#24528199) Homepage
    I was a customer in my country of a major national bank that used this kind of "optional" verification service. If you don't accept, the web service doesn't work for you. In this case, their site installed a Java plugin, and because of this ALL my web URLs were sent to the bank's main server (!!!) to check if I was entering an "insecure site". I sent this info to the federal police and the Central Bank, and claimed it was an illegal sniffing process, and they (the bank) sent a group of lawyers to my house trying to force me to sign a paper where I must agree not to use the site (the only way to not install the plugin again) or migrating to Firefox with all kinds of firewall settings (at my own effort) to lock the back IPs... When I read about this kind of service happening, I just wonder what kind of CEO that company has.
  • .. and not had a problem so far.
  • by CodeBuster (516420) on Friday August 08, 2008 @01:24PM (#24528233)
    How can it be "opt-in" if you basically cannot use your card if you don't?
    • How can it be "opt-in" if you basically cannot use your card if you don't?

      Well, I guess you can opt to use your card with their authentication to shop on-line, or you can opt for a different method of payment.

      Sadly, that's probably how they see it.

      Cheers

      • by CodeBuster (516420) on Friday August 08, 2008 @04:37PM (#24531531)
        According to TFA that won't work. You don't know if a particular retailer is using the "verified by visa" program before you are already in the process of making your purchase. You get redirected (or ambushed) into a separate off-site page where you are asked to enter a password which locks your card for fraud if you get it wrong (or possibly even if you just refuse to enter the password, but the details on what causes a lock are a bit sketchy which makes the whole situation even worse). If your card gets locked in this way then you cannot use it at any other merchant online or offline until you go to the bank website and unlock it. It has been pointed out by others that, due to the offsite redirect and request for a separate password, this makes a perfect target for phishers who can trick an unsuspecting user into entering their password which the phishers then use to reset the password to something else (effectively locking the legitimate customer out of their account). The fact that phishing was and is an ongoing problem, even with regular HTTPS sites that do not do extra re-directs, suggests that these additional steps will only confuse most of the customers and provide even more chances for the phishers out there to ply their trade.
  • Not only that (Score:4, Informative)

    by Anonymous Coward on Friday August 08, 2008 @01:28PM (#24528299)

    But this Verified by Visa malarkey also encourages poor design and security choices by customers and merchants:

    - Merchants must embed the Verified by Visa site inside their own checkout page (there must be some kind of xss hole there somewhere).
    - The Verified by Visa redirect page requires javascript.
    - Verified by Visa forces a customer to login to their web-bank; "elevating" a simple shopping session into a high-security web-bank login session.

    What if the customer is using another PC (for those with web-bank logins tied to their home PC)?

    What if the customer doesn't have their web-bank tokens / one time pad sheet with them?

    In my opinion, the Verified by Visa scheme is overly simplistic and makes unwarranted assumptions about the customer and merchant which aren't appropriate in a "web 2.0" world.

  • by Taibhsear (1286214) on Friday August 08, 2008 @01:33PM (#24528393)

    but slightly different. My bank never informed me that they were implementing it or of what this program even was so I never signed up for it online. Sometimes I could cancel the order and it would go through anyways (good to see the software is working properly, lol). But after a while that stopped working. Several sites wouldn't let me purchase anything unless I did sign up for it. So I either had to go to some shoddy shady website to buy what I needed (if the option even existed) and end up possibly paying more, or sign up for this, yet another, "layer of protection" for my account. By the time I'm middle aged my account will be so wrapped up in layers it'll look like a Michelin Man Mummy.

  • by Coopjust (872796) on Friday August 08, 2008 @01:35PM (#24528445)
    If a merchant doesn't use the Verified by Visa program when a bank offers it (Target Visas, for instance, do not use the program), and they get a chargeback, the merchant instantly loses and is charged the transaction cost + $35.

    It sucks, but it's very understandable from the merchant side. It only needs to happen a couple times with big $$$ buyers for a small shop to be badly hurt.
    • by Splab (574204)

      Why why WHY!!!!! do you guys accept this kind of treatment?

      In Denmark, if something is charged to your account and it's fraudulent or something is amiss with the transaction, the bank is the one carrying the charge, not the customer or company.

      If it turns out you are screwing around with them you are of course going to jail, but at least we assume that something really did go wrong.

      • by Shakrai (717556) *

        In Denmark, if something is charged to your account and it's fraudulent or something is amiss with the transaction, the bank is the one carrying the charge, not the customer or company.

        So what you are basically saying is that in Denmark the bank charges higher fees to make up for the loss instead of the merchant charging higher fees?

        Sounds like the consumer is still paying in the end.....

        • by argent (18001)

          So what you are basically saying is that in Denmark the bank charges higher fees to make up for the loss instead of the merchant charging higher fees?

          The issue isn't the cost of the protection, it's the implementation.

      • by Darinbob (1142669)

        You see, banks are big, small shops are small. In the game of rock-paper-scissors, the banks win.

  • Does Skype do this? (Score:5, Interesting)

    by ardle (523599) on Friday August 08, 2008 @01:37PM (#24528479)
    A few months ago, I tried to buy credit on the Skype website and was unable to bypass the "Verified by Visa" bit as I had in the past (it wasn't easy to do it then, either - I think it involved hitting the "back" and quickly copying a link before I was redirected to VBV again).
    I haven't been back since.
    • by orielbean (936271)
      I know that NewEgg uses it with my local credit union. Very irritating when using NoScript in firefox...
  • by Anonymous Coward

    It didn't work with my old bank and Safari or Firefox (and the netbank was not too good either).
    So when a bank contacted me about changing to them, I asked at the meeting if they supported one of those browsers under OS X, which they did (and their sites stated it also).
    Must suck to have a great site that works with all types of OS and browsers only to have people rejected because their bank sucks. :)

    • Maybe they implemented it wrong because I use Safari and FF on Windows and FF on Linux and never had a problem with Verified by Visa.
      • by Vancorps (746090)

        It's a problem if you run noscript, when you go to allow the site to run the script you can't refresh and it screws everything up. So basically you have to know that your merchant uses Verified by Visa and enable it globally before you click the final checkout.

        Of course once you're done you turn that feature off. I had noscript screw up my Newegg order before. The OS doesn't matter, it's purely FF where I've seen this and strictly because of noscript. Firefox without noscript has no problems with it.

  • I registered for it ages ago and it's not a hassle. In fact I only have one place that I frequent that uses it.

    However if you're given the option to opt out then that should be the case even if they are trying to protect people with verified by visa.
  • Verified not to work (Score:5, Interesting)

    by Fear13ss (917494) on Friday August 08, 2008 @01:44PM (#24528613)
    HAHA, Verified by Visa, such a joke... I have verified by visa on one of my accounts. I also like the thought of protecting myself where I can. So my browsing preference is Firefox + cookie whitelist + NoScript. That combination is enough to fully bypass Verified by Visa. A few months back I put in an order at NewEgg where I was challenged by the Verified by Visa system (which was not white listed for cookies or scripts) upon making the white list change to NoScript, the window refreshed and amazingly I had successfully completed the Verified by Visa Challenge (by allowing scripting on the page). Order went through without a hitch. Another satisfied customer (of NewEgg), if I was paying for Verified by Visa, I'd demand my money back.
    • by unger (42254) on Friday August 08, 2008 @03:03PM (#24530019)

      So my browsing preference is Firefox + cookie whitelist + NoScript. That combination is enough to fully bypass Verified by Visa. A few months back I put in an order at NewEgg where I was challenged by the Verified by Visa system (which was not white listed for cookies or scripts) upon making the white list change to NoScript, the window refreshed and amazingly I had successfully completed the Verified by Visa Challenge (by allowing scripting on the page). Order went through without a hitch. Another satisfied customer (of NewEgg)

      iirc, Verified by VISA at newegg is optional. i wonder if this "trick" would work at a merchant where Verified by VISA is compulsory? did you happen to test this work-around at such a merchant's website?

      how a merchant integrates the Verified by VISA system into their website may also affect whether or not the system can be bypassed.

  • I use a VISA card and have never had a problem with an online merchant refusing a transaction after I declined to use verified by visa... Of course I only use my card when dealing with major retailers, is there some segment of the market the author is dealing with that is particularly prone to charge backs or something?
  • That'd happen once, and then it'd be time to find a new bank. Or switch to a credit union.

  • No way to verify (Score:5, Informative)

    by Todd Knarr (15451) on Friday August 08, 2008 @01:45PM (#24528643) Homepage

    One of the reasons I've avoided Verified by Visa is that the way they implement the "authentication" page it's impossible for the customer to tell whether they're entering their password into the Visa site or some random black-hat site. And I have a simple rule: I don't enter my account's password into any form that's not on a page clearly and verifiably served by my bank's Web server.

    Of course, if I'm buying on a Web site, I'm most likely using my Amex card which doesn't have this issue. If the merchant doesn't take Amex, I'll go to one that does.

  • by olddotter (638430) on Friday August 08, 2008 @02:08PM (#24529027) Homepage

    BITE

    Seriously, while we live far from a legal utopia in the US, the little bits I have learned about banking laws and regulations in Europe make me amazed that those folks don't keep all their Euros and pounds in their mattresses.

    It seems that often Europeans have no recourse against banking mistakes. But on the US side of the pond banks would rather take the losses from robbery than put in "unfriendly looking" security that might make customers feel uncomfortable. Hence they also take the losses on fraud, identity theft, etc.

    And you wondered why your credit card charged 22% interest.

  • by Jah-Wren Ryel (80510) on Friday August 08, 2008 @02:08PM (#24529037)

    I am a religious user of disposable credit card numbers. [findarticles.com] The numbers are user-generated using a little flash-applet that requires a login and password. They are linked, at the bank's end, to my 'real' credit card account be it visa or mastercard.

    I have never signed up for verified by visa, but I have found that every time I use a disposable number linked to my visa account that it automagically passes the verified by visa tests - I'll see the verified by visa web page come up, and without any other actions on my part, it says that I passed or was verified or whatever and my transaction goes through just fine.

    • by osmodion (716658) on Friday August 08, 2008 @02:17PM (#24529211)
      I used to use disposable credit card numbers all the time. Occasionally I would give a friend without a credit card a one time use number so he could buy something online. By accident, he used the same number twice, after it was supposed to be invalid. The charge went through without a problem. These disposable numbers aren't nearly as safe as the banks make them out to be.
  • "Verified by Visa" screwed up my Visa card a few months ago. My wife was purchasing airline tickets on-line and unexpectedly got to a "Verified by Visa" page during the checkout. This was the first time either of us had ever heard of or seen "Verified by Visa". Since I'm the primary cardholder, but the tickets were in her name, the Verified by Visa page denied my wife access (even though it's a joint account and we each have our own cards with our own names on them). Then our credit card account got loc
  • I was looking at http://www.lbweyewear.com/ [lbweyewear.com] and using a debit card that you could use anywhere on the mastercard system. The site mentioned something about a Secure MasterCard program. So I did what anyone intelligent would do. I went to the mastercard website to look up the damn thing. What is it? Basically another PIN that you have to enter for you to use your card.

    I was hoping/wanting to go to the mastercard site and have them generate me a unique one time card ID for either each individual online trans

  • For a short while I was wondering why Visa didn't use a two-factor authentication model when they made Verified by Visa / 3-D-secure.
    Then I remembered: they care only about their own losses, not their customers'

  • A positive (Score:3, Funny)

    by sjonke (457707) on Friday August 08, 2008 @02:27PM (#24529379) Journal

    When I bought that iPhone App, Verified by Visa outright verified that it was *I* who was rich, and not some spineless imposter.

  • Discover Card (Score:3, Informative)

    by McFly69 (603543) on Friday August 08, 2008 @02:40PM (#24529639) Homepage
    That is another reason why I use my Discover Card on NewEgg. I shop there all the time and never saw/heard of this until this article. Best of all, my Discover Card gives me 1% cash back and I can double my cash/points with giftcards from their website. As a result, I can buy more crap on NewEgg with my points from Discover Card WITHOUT this mumbo-jumbo stuff.

    Just my 2 cents :)
  • by gilgongo (57446) on Friday August 08, 2008 @05:56PM (#24532319) Homepage Journal

    I work for a large online business, and recently had to re-design parts of our checkout process to accommodate the "Verified by Visa" and "MasterCard SecureCode" systems. The whole thing is confusing and error-prone. Several parts of the "guidelines" (for which read "commands") from Visa and MasterCard are plainly crafted by people who've never had to sell anything on-line in their lives. Pop-up windows, erosions of brand equity, sudden re-orientations, confusing distractions - all right at the crucial point of purchase (in our case for average orders worth several hundreds of dollars). And all that is ignoring the fact that the consumer has to remember YET ANOTHER PIN NUMBER.

    Needless to say, we are only going to implement it when we are forced to at gunpoint. Yes, there are theoretical advantages in decreased charge-backs, but if that takes place against lower conversion, we might have to bring the lawyers in.

    Personally, I see these schemes as a symptom of the actions of robotic "security analysts" - morons who see customers as "actors" in use cases. Where the only response to attack is to "increase security" by piling more responsibility on people who already have more than enough passwords, convoluted signups and "for your protection" bullshit to cope with. Is it a coincidence that we're seeing more fraud while such "security measures" increase?

    How about Visa and MasterCard get off their corpulent, gaseous arses and actually DO SOMETHING about credit card fraud that doesn't simply pass the buck?
