
Merchants and punters cry foul over Verified by Visa • The Register

Description
The Verified by Visa system is becoming harder to avoid, even for those with real doubts about its effectiveness in combating fraud.

Online shoppers who buy goods and services from participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank.

Punters aren't informed up front that a merchant has signed up to Verified by Visa. Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine.

The appearance of phishing attacks hunting for Verified by Visa passwords is among the reasons some punters are wary of the technology.

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme. But unlike robust authentication techniques, hackers don't have a hardware token generating one-time passwords to worry about - it's just more of the same. And since card details + CVV number is no longer considered secure enough, it's hard to see how card details + CVV number + VbyV login is any more robust.

Comments

  • Public Comments

    • JDP
      13 months ago


      "Resistance is futile". This business virus has already spread to much of the UK and may be "going around the world" soon. Like many other credit card "agreements", it appears to be heavily tilted in favor of the business / banks and against consumers. Its security is suspect - especially in light of phishing attacks and the way it is implemented making it hard for the consumer to ascertain the validity of sign-up requesting sites. See http://www.computing.co.uk/itweek/news/2214146/industry-lays-secure where -
      Payments experts have rounded on the 3-D Secure identity verification scheme, which was set up to secure online transactions. The system is vulnerable to fraud and non-intuitive, they argue.
      At a recent roundtable event hosted by fraud detection firm CyberSource, experts from banking, e-commerce and academia argued that 3-D Secure – which comprises Verified by Visa and Mastercard SecureCode – is fundamentally insecure.
      Criminals can potentially set up fake 3-D Secure enrolment screens to harvest customer details, warned Mike Levi of Cardiff University. "How can you tell if it is genuine 3-D Secure?" he added.
      Security firm Sophos this week confirmed that phishers are undermining the integrity of the system. It discovered emails claiming to be from MasterCard that are being mass-mailed out to entice consumers to click on a link in order to sign up to SecureCode. The link then takes them to a false registration page where card and other details are harvested for future use by the phishers.

      Should the US get a president and Congress more beholden to citizens than large special interests (like Visa and MasterCard), quashing mandatory use of this insecure system should be something added to and passed in a Consumer Credit Card Fairness act!

      And beware that many sites don't allow any "opt out", which means that closing the sign up requesting site may sometimes result in the credit card issuer "punishing" you with card cancellation on the supposition that someone was trying to use the credit card fraudulently. See http://www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/ where -
      "In each case my card provider has stopped my card. Apparently declining their invitation to enrol is a sign of fraudulent activity. I look like a fraudster who has been scared off by VbyV instead of like a customer who chooses not to enrol."