Security The Almighty Buck

Net Shoppers Bullied Into "Verified By Visa" Program

bluefoxlucid writes "According to The Register, several banks are forcing users to opt-in to the Verified by Visa optional service by locking their cards if and when they encounter a Verified by Visa participating site and fail to opt-in. Register reader Steve says, 'This seems like a strange way to implement a voluntary system. On most of the retailers' websites there is no clue that you are about to be challenged by Verified by Visa until you attempt to complete the transaction. This means that you trigger the "fraud protection" unintentionally. And when you have located a retailer who doesn't require Verified by Visa to complete a purchase, you can't because your account is on hold.' Further, '[I]n some cases resetting the password is all too easy. Fraudsters know this and go after these credentials which, once obtained, make it harder for consumers to deny responsibility for a fraudulent transaction. Phishing scams posing as Verified by Visa sites have sprung up targeting these login credentials.'"

  • Not only that (Score:4, Informative)

    by Anonymous Coward on Friday August 08, 2008 @01:28PM (#24528299)

    But this Verified by Visa malarkey also encourages poor design and security choices by customers and merchants:

    - Merchants must embed the Verified by Visa site inside their own checkout page (there must be some kind of XSS hole there somewhere).
    - The Verified by Visa redirect page requires JavaScript.
    - Verified by Visa forces a customer to log in to their web-bank; "elevating" a simple shopping session into a high-security web-bank login session.

    What if the customer is using another PC (for those with web-bank logins tied to their home PC)?

    What if the customer doesn't have their web-bank tokens / one time pad sheet with them?

    In my opinion, the Verified by Visa scheme is overly simplistic and makes unwarranted assumptions about the customer and merchant which aren't appropriate in a "web 2.0" world.

  • by Coopjust ( 872796 ) on Friday August 08, 2008 @01:35PM (#24528445)
    If a merchant doesn't use the Verified by Visa program when a bank offers it (Target Visas, for instance, do not use the program), and they get a chargeback, the merchant instantly loses and is charged the transaction cost + $35.

    It sucks, but it's very understandable from the merchant side. It only needs to happen a couple times with big $$$ buyers for a small shop to be badly hurt.
  • Not at TigerDirect, at least not with my bank. There was no way to opt out, period - and I looked very carefully.
  • Re:Out on a limb (Score:5, Informative)

    by Lumpy ( 12016 ) on Friday August 08, 2008 @01:42PM (#24528567) Homepage

    Great idea for you rich guys. When I buy a $19.95 cable off newegg, I can't afford to pay $45.00 for it locally.

    When I become rich like you, I'll buy locally, until then, I'll stay a price whore.

  • No way to verify (Score:5, Informative)

    by Todd Knarr ( 15451 ) on Friday August 08, 2008 @01:45PM (#24528643) Homepage

    One of the reasons I've avoided Verified by Visa is that the way they implement the "authentication" page it's impossible for the customer to tell whether they're entering their password into the Visa site or some random black-hat site. And I have a simple rule: I don't enter my account's password into any form that's not on a page clearly and verifiably served by my bank's Web server.

    Of course, if I'm buying on a Web site, I'm most likely using my Amex card which doesn't have this issue. If the merchant doesn't take Amex, I'll go to one that does.

  • Re:Out on a limb (Score:4, Informative)

    by sm62704 ( 957197 ) on Friday August 08, 2008 @01:53PM (#24528791) Journal

    "Blow" is the powdered form of cocaine. Most of the drug addicted hookers smoke crack cocaine, not powdered coke. Although some of the ones I know are heroin junkies, some are alcoholics, and some aren't addicted to anything except money (those are my favorites).

    I pay 'em in cash, let 'em buy their own damned dope!

  • by HTH NE1 ( 675604 ) on Friday August 08, 2008 @01:57PM (#24528867)

    I think all of my cards have switched to Mastercard now

    MasterCard has an equivalent system called SecureCode. I haven't encountered it yet, though I checked and the bank with which I have my MasterCard does support it.

  • Re:Out on a limb (Score:4, Informative)

    by rthille ( 8526 ) <web-slashdot AT rangat DOT org> on Friday August 08, 2008 @02:03PM (#24528957) Homepage Journal

    Heh, the way people get rich is to be price whores, or just not buy shit that doesn't _make_ money (stocks, properties, tools) at all. If someone is paying $45 for a cable, they probably didn't become rich, they were born that way.

  • by Jah-Wren Ryel ( 80510 ) on Friday August 08, 2008 @02:08PM (#24529037)

    I am a religious user of disposable credit card numbers. [findarticles.com] The numbers are user-generated using a little flash-applet that requires a login and password. They are linked, at the bank's end, to my 'real' credit card account be it visa or mastercard.

    I have never signed up for verified by visa, but I have found that every time I use a disposable number linked to my visa account that it automagically passes the verified by visa tests - I'll see the verified by visa web page come up, and without any other actions on my part, it says that I passed or was verified or whatever and my transaction goes through just fine.

  • Discover Card (Score:3, Informative)

    by McFly69 ( 603543 ) on Friday August 08, 2008 @02:40PM (#24529639) Homepage
    That is another reason why I use my Discover Card on NewEgg. I shop there all the time and never saw/heard of this until this article. Best of all, my Discover Card gives me 1% cash back and I can double my cash/points with giftcards from their website. As a result, I can buy more crap on NewEgg with my points from Discover Card WITHOUT this mumbo-jumbo stuff.

    Just my 2 cents :)
  • by nicklott ( 533496 ) on Friday August 08, 2008 @02:45PM (#24529721)

    MasterCard have the equivalent of Verified by visa, I'm not sure what it's called now but you interface with both systems in the same way (3DSecure is the generic name). I guess the US is a year behind the UK in this; last summer Mastercard forced all "cardholder not present" transactions done by Maestro (a UK debit card) through this system. As both a merchant and a developer I was less than pleased. As you point out the implementation is horrific. The UK banks actually use (or used at least, I haven't checked recently) a third party to provide the external verification pages and these are hosted on a shared server (at secureserver.co.uk I think) that also has the likes of maspieshop.secureserver.co.uk on it (at least that's what you used to get when you visited the IP that this resolved to). Reinforcing the appearance that this was some kind of scam was the poor html and appalling design. Needless to say Maestro payments pretty much dried up to nothing and we had a great time fielding phone calls from customers that hadn't been informed by their banks what was happening (pretty much all of them).

    This was forced through by mastercard completely ignoring the protests of the clearing banks, payment gateways and merchants, presumably from some political motive, and it simply hasn't been thought through at all: you can change the password just by entering the card number and cv2, which if you've stolen the card details, you of course have.

    Don't assume that mastercard is any better than visa: they are a two member cartel. Anyway, given that maestro payments collapsed to about 20% of their prior level, I hope that mastercard got what they deserved.

  • by MtlDty ( 711230 ) on Friday August 08, 2008 @02:48PM (#24529769)

    Sorry, but the above is not true at all. Merchants that use VBV or SecureCode know that one of the main benefits is that the card scheme accepts liability for fraud.
    Proof here: http://usa.visa.com/merchants/risk_management/vbv.html [visa.com]

  • Re:No way to verify (Score:3, Informative)

    by zephiros ( 214088 ) on Friday August 08, 2008 @03:02PM (#24529987)

    IME, the implementation is a train wreck. I have a Visa card through Bank of America, and the first time I ran into the "Verified" prompt, I was positive it was a scam:

    • The form is in an iframe, so it's not even immediately obvious whether it's encrypted
    • The iframe contents (for BoA) are hosted at bankofamerica.vbv.cyota.com, not, you know bankofamerica.com or visa.com
    • The first time it popped up, it prompted me for the last four digits of my social security number, to "activate my account"
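The host-name problem described in the comment above, as an added example that is not part of the original post and is not Visa's or any bank's code: a label-boundary check showing why `bankofamerica.vbv.cyota.com` is not a `bankofamerica.com` host even though the name contains the bank's brand. The allow-list, the function names and every sample URL other than that one host name are assumptions constructed for illustration.

```javascript
// Added example: decide whether a frame URL is served by a domain the
// cardholder already trusts. The allow-list entries are assumptions.
const TRUSTED_DOMAINS = ["bankofamerica.com", "visa.com"];

// True when `host` equals `domain` or is a subdomain of it. Matching is on
// whole DNS labels, so "visa.com.example.net" and
// "bankofamerica.vbv.cyota.com" do not match their look-alike brand names.
function hostBelongsTo(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function classifyFrameUrl(frameUrl, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(frameUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://visa.com@example.net/" puts the brand in the userinfo part.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo in URL" };
  }
  const match = trusted.find((d) => hostBelongsTo(url.hostname, d));
  return match
    ? { ok: true, reason: "host is under " + match }
    : { ok: false, reason: "host " + url.hostname + " is outside the allow-list" };
}

// Constructed sample URLs; only the cyota.com host name comes from the thread.
const samples = [
  "https://bankofamerica.vbv.cyota.com/auth",
  "https://secure.bankofamerica.com/auth",
  "http://www.visa.com/auth",
  "https://visa.com.example.net/auth",
  "https://visa.com@example.net/auth",
];
for (const s of samples) {
  const r = classifyFrameUrl(s);
  console.log((r.ok ? "TRUST  " : "REJECT ") + s + "  (" + r.reason + ")");
}
```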
  • by internewt ( 640704 ) on Friday August 08, 2008 @03:31PM (#24530481) Journal

    This isn't about real security..... VbV, and similar systems is about protecting the financial institutions from the costs of fraud, by shifting the liability to the customer. It is about the security of banks' future profits.

    As I understand it, with Verified by Visa you create a password for your card. When you use your card, the vendor's site sends you to a Visa/your bank controlled domain to check the password (in an iframe, so you can't actually see the domain, nor easily check the certificate). The idea is that only the card holder knows the password, and part of the agreement when signing up to VbV will be a promise that you will not disclose the password, and any transaction that uses the password will be assumed to have been approved by the card holder. Of course, the agreement is long and written in legalese, so the banks know most customers will not read it, and if they did they probably wouldn't understand it.

    Well, fuck that. This is just the banks being greedy... obviously the merchant fees aren't enough to keep the shareholders happy so "costs" have to be cut in other ways. So by wriggling out of some more responsibility for fraud (like has been done with the chip and pin system), the banks can make even more money.

    I recommend that anyone who gets presented with verified by visa to not sign up at all, and to stop using it immediately if you have signed up to it. Get a new card, or a new bank to avoid it in the future.

    NoScript on my install of FF has the VbV domains marked as untrusted, and I think I have set up blunt adblock filters to stop anything at all being loaded to do with VbV. Generally, surfing without javascript seems to stop VbV from working in the first place though.

    Of course, some banks are now pressuring people to sign up to VbV, by using tactics of annoyance (disabling cards and shouting "fraud prevention"), which will work on most people....

  • by Knara ( 9377 ) on Friday August 08, 2008 @03:45PM (#24530725)

    Just a note: Frequently, using Visa Debit cards does not give you the same transactional protection as using a "real" credit card.

  • by CodeBuster ( 516420 ) on Friday August 08, 2008 @04:37PM (#24531531)
    According to TFA that won't work. You don't know if a particular retailer is using the "verified by visa" program before you are already in the process of making your purchase. You get redirected (or ambushed) into a separate off-site page where you are asked to enter a password which locks your card for fraud if you get it wrong (or possibly even if you just refuse to enter the password, but the details on what causes a lock are a bit sketchy which makes the whole situation even worse). If your card gets locked in this way then you cannot use it at any other merchant online or offline until you go to the bank website and unlock it. It has been pointed out by others that, due to the offsite redirect and request for a separate password, this makes a perfect target for phishers who can trick an unsuspecting user into entering their password which the phishers then use to reset the password to something else (effectively locking the legitimate customer out of their account). The fact that phishing was and is an ongoing problem, even with regular HTTPS sites that do not do extra re-directs, suggests that these additional steps will only confuse most of the customers and provide even more chances for the phishers out there to ply their trade.
  • by gilgongo ( 57446 ) on Friday August 08, 2008 @05:56PM (#24532319) Homepage Journal

    I work for a large online business, and recently had to re-design parts of our checkout process to accommodate the "Verified by Visa" and "MasterCard SecureCode" systems. The whole thing is confusing and error-prone. Several parts of the "guidelines" (for which read "commands") from Visa and MasterCard are plainly crafted by people who've never had to sell anything on-line in their lives. Pop-up windows, erosions of brand equity, sudden re-orientations, confusing distractions - all right at the crucial point of purchase (in our case for average orders worth several hundreds of dollars). And all that is ignoring the fact that the consumer has to remember YET ANOTHER PIN NUMBER.

    Needless to say, we are only going to implement it when we are forced to at gunpoint. Yes, there are theoretical advantages in decreased charge-backs, but if that takes place against lower conversion, we might have to bring the lawyers in.

    Personally, I see these schemes as a symptom of the actions of robotic "security analysts" - morons who see customers as "actors" in use cases. Where the only response to attack is to "increase security" by piling more responsibility on people who already have more than enough passwords, convoluted signups and "for your protection" bullshit to cope with. Is it a coincidence that we're seeing more fraud while such "security measures" increase?

    How about Visa and MasterCard get off their corpulent, gaseous arses and actually DO SOMETHING about credit card fraud that doesn't simply pass the buck?

  • by freeze128 ( 544774 ) on Friday August 08, 2008 @06:12PM (#24532495)
    I had a similar experience, except I didn't bail on both the issuer and the merchant like you did.

    I called the customer service number on the back of my card, and waited to talk to a human about this "Verified by Visa" program. My bank (Wells Fargo) could not tell me anything about the VbV program, or even that it exists. This just stupefied me. It clearly has the Visa Logo on the front of the card, the Wells Fargo logo on the front of the card, and Wells Fargo cannot tell me that the VbV program isn't even an attempt at fraud.

    I suggested that the customer service representative notify their supervisor that their customer service reps need more education on the services that they are offering, and hung up.

    I then closed my web browser, called the merchant on the phone, and placed my order that way. Toll-Free, 24 Hours.

    The Internet. Who needs it?
  • by Chuck Chunder ( 21021 ) on Friday August 08, 2008 @08:58PM (#24533949) Journal

    VbV, and similar systems is about protecting the financial institutions from the costs of fraud, by shifting the liability to the customer. It is about the security of banks' future profits.

    The financial institutions don't have liability anyway, liability currently lies with the merchants (and is very costly for them).

    In the long run decreasing fraud costs for merchants should benefit consumers as ultimately the cost of covering that fraud is passed on to legitimate customers.

    Better buyer authentication is good for everyone. VBV isn't perfect but it's better than nothing.

    I think the best plan would be for people to have an "online" card with a very low limit but I'm not sure how feasible that is.

  • by LunaticTippy ( 872397 ) on Tuesday August 12, 2008 @06:01PM (#24575725)
    That gives you nothing. A scammer site would simply provide your cc number to vbv as an alleged customer and pass the phrase/pic/whatever through to you. If there is a CAPTCHA they can have you solve that while you're at it.
