Why "Verified By Visa" System Is Insecure
angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."
Welcome to 3 years ago (Score:5, Informative)
I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.
3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.
Only problem is, it's crap.
Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.
If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.
Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.
Re:Welcome to 3 years ago (Score:5, Insightful)
Exactly.
By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that it's secure so I won't use it.
Pseudo-security => All Pain, No Gain.
Re:Welcome to 3 years ago (Score:5, Interesting)
My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.
Re: (Score:2)
I wish we did. I've seen a few devices in the past year that were Chip and PIN (one was at a nearby CVS... can't remember the rest).
Still not sure how it's more secure than a normal magstripe. I guess you can't clone a chip so easily as a magstripe... but that's why I consider my plastic only slightly more "lose-able" than cash, and still keep it safe
Re: (Score:3, Informative)
You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.
Really?
You'd better tell the people whose chip cards have been cloned. [thisismoney.co.uk]
Re: (Score:2)
Yeah, chip cards have been hacked for years in satellite TV systems. Much harder than a magstripe, harder enough so that there's easier ways to steal someone's money, but still possible.
Re: (Score:2)
That article mentions the cloning of the magstripes and the capture of pin numbers, but it doesn't explicitly mention the cloning of the chip. Cloning magstripes is almost trivial. Capturing pins isn't too hard. But cloning a chip should be very difficult without destroying the card and having long term access to the card. Even then it should be very difficult. Are there any demonstrated examples of criminals cloning credit card chips (or extrac
Re: (Score:3, Interesting)
But cloning a chip should be very difficult without destroying the card and having long term access to the card. Even then it should be very difficult. Are there any demonstrated examples of criminals cloning credit card chips (or extracting the private cryptographic key)?
I did look a bit further after posting.
It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.
There may be proof of concept demonstrations done by researchers, particularly on satellite cards, but has it been found in the wild for credit cards? And has it been verified, not just a crooked card holder falsely claiming his card was stolen?
Of course cloning the magstripe shouldn't do any good without the chip.
There are some instances of magswipe readers being attached to cash machines. The data isn't much good in the UK (it identifies that the card has a chip, and most if not all UK cash machines read the chip) but it is enough to create a fake card with just the magnetic strip and using it in a country
Re: (Score:3, Interesting)
The machines that would take a cloned card are probably the ones that will work with only the magstripe. That would protect the card holder somewhat against fraudulent charges, especially if the charge was in another country. You still might have a hard time getting your money back if your pin was used though.
Re: (Score:2)
As I understand it these places are called East Europe, Asia, Africa, North America, South America and Weatherspoons.
Re: (Score:2)
You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.
Really?
You'd better tell the people whose chip cards have been cloned. [thisismoney.co.uk]
And Google turns up rather a lot of reported incidents of chips and their readers being compromised on a grand scale. Here are just the first three I found:
http://www.telegraph.co.uk/news/uknews/2963534/Three-fraudsters-jailed-for-elaborate-petrol-station-credit-card-scam.html [telegraph.co.uk]
http://www.northamptonchron.co.uk/news/Cards-compromised-in-petrol-station.4870282.jp [northamptonchron.co.uk]
http://forums.moneysavingexpert.com/showthread.html?t=1025761 [moneysavingexpert.com]
Re: (Score:2)
Chips are harder, but still hardly difficult to clone. In general, time and access is inversely linked to security. Chips have both working against them, just like mag strips, but a very dynamic pin greatly reduces both. So far, the cost-benefit analysis seems to speak for chips, but that's only because the fraud so far has been small time with small costs. The second chips (in their current form) become much more wide spread, you can bet the bigger players will get involved.
Checks (US) have always been
Re: (Score:2)
unsurprisingly, because the stakes are so high.
Yeah, just like how my online banking doesn't use an authenticator but my WoW account does.
Re:Welcome to 3 years ago (Score:4, Informative)
Also:
1. Always carry more than one card (one each of Visa and MC for example).
2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.
Some countries disallow 1's or 0's in a PIN?? (Score:2)
3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
Seriously?!?
Re: (Score:2)
6. Make sure your credit card has a pin number on it. In some countries this is universal, in others it's not used at all.
Re:Welcome to 3 years ago (Score:5, Funny)
Plane ticket: $350
Hotel room for 5 nights: $500
Rental car for 6 days: $200
Broadway show tickets for two: $300
Finding out your VISA card doesn't work but your Master Card does: priceless.
Bank fucked up (Score:3, Funny)
Chip cards have been in use for a very long time in France. They all have mag stripes, mainly because that's what most ATM use anyway, but also for use abroad. The mag stripe contains information as to whether the card also has a chip, so that even when an authorisation (the terminal phoning the acquirer) is not required, it can decide to deny the transaction preemptively if the card is supposed to have a pin and the terminal is supposed to be able to read it.
In that case I guess the bank is just being in
Re: (Score:2)
In Brazil too. But we do have the magnetic stripes for the cases where a chip can't be read.
Re: (Score:2)
It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.
The UK cards have the stripe as well, though apparently this isn't necessarily true in mainland Europe.
Re: (Score:3, Informative)
Frankly, I was treated like some kind of criminal subversive for presenting a credit card that didn't have a CHIP on it. I was told by some retailers (a Mobile phone co) that they could not accept my card as ALL cards HAD to be Chip & PIN. It took a bit of experimenting with other retailers for them to work out that if you inserted a non C&P card in
Re: (Score:2, Insightful)
Your problems are all related to the desire to stop fraud. You're not a subversive - you're just a little unusual. If you use a mag swipe and the card turns out to be stolen, the store loses out. So, unsurprisingly, some stores would rather not serve you. With chip and pin, they'll not lose out if the card turns out to be stolen/fraudulently used. Ditto the post code - they wanted it so they could check it against the postcode the card is registered against. In the perfect world the store staff would
Re:Welcome to 3 years ago (Score:4, Informative)
Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.
Re: (Score:2)
The magnetic strip was actually what saved the banks' collective asses in Germany recently when the chips on their cash cards turned out to have a serious Y2k10 problem... so maybe the stripes DO work in the UK when the chip is fried?
(Then again what kind of security is that if I can just damage/destroy the chip and the card'll work anyway?)
np: Barbara Morgenstern - Deine Geschichte (BM)
Re: (Score:2)
No, they aren't the same company at all. They're two separate associations run by their member banks. Some banks may be a member of both, but probably not all.
Re:Welcome to 3 years ago (Score:4, Insightful)
As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.
Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.
Re: (Score:2)
Sometimes it's called risk avoidance, sometimes risk sharing, sometimes risk transfer.
It isn't sharing believe me. Wherever possible, processors and issuers will try to palm the risk off on the merchant, or the customer.
While fraud prevention is a massive issue, there is no sure method to detect it. And online merchants suffer both more fraud and more penalties. They often pay higher fees to cover the inevitable fraud expenses.
Even address verification is not enough. I'm not signing up for this, it mean
Re: (Score:2)
As a buyer, I refuse to do business with any company that I haven't visited directly that doesn't take PayPal. I am not giving my credit card or bank account number directly to any establishment. While PayPal may get dinged for freezing money on sellers' accounts, I'd say most of the freezes are put on scammy accounts rather than trustable accounts.
As a purchaser - it's PayPal or the Highway. It's not worth the risk to have to evaluate every single company for honesty. (And my neighbor works for PayPal, so i
No surprise (Score:5, Insightful)
The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.
Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).
In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.
In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.
Re:Welcome to 3 years ago (Score:4, Interesting)
There's a very easy solution to this problem. I'm sure they have a similar system elsewhere but Interac (debit card) in Canada allows you to pay online. I use it for shopping at ncix.com for example.
You set up an account with the merchant.
You do your shopping... add to cart... go to checkout... they give you a bill.
You then log into your online bank separately! And from your bank account you transfer money to the merchant's account.
The merchant never sees your password and phishing is near impossible because you have to log on to your bank account separately. It's a bit inconvenient, but it's a much more secure system. You don't even have to trust the merchant as they never see your password info. They just wait for the money.
There's no other way to really do it. Even if they showed a URL in the Verified by Visa scheme, you would still need to check it... a shady merchant could fake it...
About the only other way would be to have some trusted authorities built into the browser (like we do with certificates). The site can request the browser to 'bring up secure payment for visa'... and it handles it with a non-webpage login/payment system.
Re: (Score:3, Insightful)
I am a long time credit card user (don't believe in cash). I ran into this a few months back with Walmart online. It actually looked like a scam. And you are right about the security aspect, just an offloading of (increased) risk. It pops out of nowhere and the new page's instructions clearly said it was optional and I can hit cancel. BUT, there was no cancel button, I even looked in the source code. So I closed the browser.
This was considered _fraudulent_activity_ and locked my card for a while (aut
Re: (Score:2)
It's called MasterCard SecureCode, and it's been around for ages.
I switched credit cards (Score:2)
for all sites that I visited that tried to make me jump through the dumb VbV hoops, I switched to American Express..
I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.
A.
Re: (Score:3, Insightful)
I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.
No kidding. What is worse is that every time I have been shown the verification page, it wasn't even hosted at something obviously legitimate like verify.visa.com, but rather the domain was some other corporation related to Visa (can't remember the name right now).
Re: (Score:2, Insightful)
In the UK, the server's domain name is securesuite.co.uk. How is the average user going to be aware that the domain is legit? Furthermore, most merchants seem to use iframes (seen some popups too) so you can't even see the domain unless you right-click->properties. Pretty stupid.
I'd rather use (Score:5, Insightful)
Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.
Recommendations? (Score:2)
My credit card (Visa issued by my bank) doesn't have it either. I've been thinking about getting a second card that does have it solely for online use, but have been turned-off by the issuers I've seen with that feature. Is there anyone here that can recommend a credit card issuer that supports single-use numbers?
My requirements:
* No monthly/yearly fees
* Standard grace period
* Sane fraud protection (call me if you see something suspicious, but don't freeze my card)
* Can be paid using standard electronic tran
Re: (Score:3, Informative)
Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.
http://www.discovercard.com/customer-service/security/create-soan.html [discovercard.com]
Re: (Score:2)
Interesting. When my parents had Discover it had maintenance fees, but supposedly made up for it with their cash-back rewards program. However, they could never find enough stores that actually took the card to earn enough cash back to cover the maintenance fees, so they eventually canceled it.
If they've changed that I may look into it.
Re: (Score:2)
Discover passes all these, except for being Discover.
Gotta disagree with you there. I had a Discover card since I started college (around 15 years ago) and finally ended up getting rid of it this past year, due to their failure on this point:
Not only did they freeze my card when something suspicious popped up (and never actually ended up being a problem, BTW), but they never bothered to actually call me and inform me that they had frozen it. Every time it happened (and
Re: (Score:2)
The only issue I've ever had (in over 6 years with the card) was when my wife and I were out shopping separately and we both bought multiple hundred dollar items. I just got an automated call a couple hours later that spoke the 2 merchants, let me press a button to confirm and that was it. But I guess I couldn't tell you if they froze it at some point within that time.
Re: (Score:2, Informative)
http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425 [citicards.com]
I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending l
Re: (Score:3, Informative)
MBNA's (now owned by BofA) ShopSafe.
Re: (Score:2)
I'm not smart enough to figure out how many credit card numbers exist - except that I know that it's not 10^16 because many numbers are invalid. For anyone who wants to figure this out, credit cards need a merchant code and an account code. I think the account code can be pretty arbitrary, but there are only a dozen or so merchant codes. And the whole thing needs a checksum.
Are there enough credit cards to let everyone use single-use numbers all the time? Maybe we should get only one alternate card number,
Re: (Score:2)
VbV has traded both of them away completely. It never works for me, and there is plenty of evidence that it encourages users to give away security information to sites they can't verify. (See above)
I suspect they keep changing their mind about whether the first character in the password is numbered 0 or 1. either that, or it forgets a lot. It gets worse: if you have more than one card: there is no way for
I just use Paypal (Score:2)
They verified my Visa a long time ago - and it's easier to remember my email address and a password than it is to try and find my card to enter the numbers online.
It's all the wrong system anyway (Score:5, Insightful)
The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.
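Added example (not part of the original comment, and not a real card-scheme protocol): the signed-transaction idea proposed in the comment above, using Node.js Ed25519 keys. The names makeCard, signPayment and Issuer, the field layout and the sample values are assumptions; it also shows that the issuer has to track nonces, because a valid signed message can otherwise be resubmitted unchanged.

```javascript
const crypto = require('crypto');

// Card side: the private key stays inside this closure and is never exported.
function makeCard(cardId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    cardId,
    publicKey, // registered with the issuer at enrolment
    sign: (payload) => crypto.sign(null, payload, privateKey),
  };
}

// Canonical byte encoding of every field the signature must bind.
// A fixed-order array avoids ambiguity from JSON object key ordering.
function encodePayment(p) {
  if (!Number.isSafeInteger(p.amountCents) || p.amountCents <= 0) {
    throw new Error('amountCents must be a positive integer');
  }
  return Buffer.from(
    JSON.stringify([p.cardId, p.merchant, p.amountCents, p.currency, p.nonce]),
    'utf8'
  );
}

// The cardholder signs exactly one payment: merchant, amount, currency, nonce.
function signPayment(card, merchant, amountCents, currency, nonce) {
  const payment = { cardId: card.cardId, merchant, amountCents, currency, nonce };
  const signature = card.sign(encodePayment(payment)).toString('base64');
  return { payment, signature }; // safe to send in the clear
}

// Issuer side: holds only public keys plus the set of nonces already spent.
class Issuer {
  constructor() {
    this.keys = new Map();
    this.seen = new Set();
  }
  enrol(card) {
    this.keys.set(card.cardId, card.publicKey);
  }
  authorize(msg) {
    const key = this.keys.get(msg.payment.cardId);
    if (!key) return 'unknown-card';
    const sig = Buffer.from(msg.signature, 'base64');
    if (!crypto.verify(null, encodePayment(msg.payment), key, sig)) {
      return 'bad-signature';
    }
    // A signature proves intent once; the nonce stops the same message
    // from being submitted a second time by whoever observed it.
    const id = msg.payment.cardId + ':' + msg.payment.nonce;
    if (this.seen.has(id)) return 'replay';
    this.seen.add(id);
    return 'approved';
  }
}

// Constructed sample data: one genuine payment and what an observer of the
// unencrypted message could try to do with it.
function demo() {
  const issuer = new Issuer();
  const card = makeCard('card-0001');
  issuer.enrol(card);
  const msg = signPayment(card, 'shop.example', 4999, 'GBP', 'order-7f3a');
  const tampered = {
    payment: { ...msg.payment, amountCents: 499900 },
    signature: msg.signature,
  };
  const redirected = {
    payment: { ...msg.payment, merchant: 'other.example' },
    signature: msg.signature,
  };
  return {
    tampered: issuer.authorize(tampered),
    redirected: issuer.authorize(redirected),
    first: issuer.authorize(msg),
    replayed: issuer.authorize(msg),
  };
}
```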
Re: (Score:2)
Yep.
Any system where you enter re-usable authentication credentials is a system that you have just enabled to pretend to be you.
Re: (Score:2)
so store the private key on the card, it'll still be more secure than a number & pin code. it could be made fairly seamless to the end user.
Re: (Score:2)
I hope Verified by Visa does catch people with their pants down. Fuck 'em, maybe they'll be more inclined to learn how to use their computer properly after they've been had by some kid in Russia.
Re: (Score:2)
Whether that's your private key, your password, or your stool sample.
Anyone who wants to sample my stool deserves what they get.
Mastercard gives me Virtual Numbers for online use (Score:4, Interesting)
Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.
Re: (Score:2)
I had a credit card which could do that once (a Wachovia card administered through some "FIA Card Services"). Then Wachovia decided to end that and administer it themselves (which was mostly just annoying). What other card providers provide this capability?
On a related note: online bank security. WTF?
[citation needed] (Score:2)
The systems suck (Score:2)
That's why I use Paypal (Score:2)
Insecure != Unsecured (Score:5, Funny)
Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.
I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"
Re: (Score:2)
I was going to mod this up, but while true I can't decide between insightful and funny - I kept chuckling when I thought of a document going to see a shrink ;)
Re: (Score:2)
And that shrink's name is ZIP.
Re: (Score:3, Interesting)
I would understand "unsecured" to mean "no-one has attempted to secure it". If they've attempted and failed then it's badly secured and insecure.
Re: (Score:3, Insightful)
But if I lock it with a 50 cent padlock then it's locked, but extremely easy to open.
it kills sales (Score:2, Interesting)
We had it forced on us by our payment provider and it killed sales, we had so many customers asking what their password was and where do they find it. We opted out of it.
Article and "research" bad.. (Score:2)
The researchers, and the article writers, completely fail to understand that 3-D Secure simply defines the interfaces between the three domains in the security model. The actual authentication model used is chosen and implemented by the card issuer. If the card issuer would decide it wants to use passphrase+OTP in a separate window (for URL validation), it could do so. In fact, outside of the US, many do. In Norway, for instance, online payments are usually verified through something akin to a "national ele
What Is The Point Of 6 Digit Password? (Score:4, Informative)
I've used the service 3 times...guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password (8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.
You don't even need the password (Score:2, Interesting)
RSA keyfobs in credit cards (Score:5, Insightful)
I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.
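Added example (not part of the original comment): the time-synchronised rolling code proposed in the comment above, implemented as RFC 6238 TOTP with an issuer-side check that tolerates one step of clock drift and refuses a code that has already been accepted. The IssuerVerifier class, the 6-digit length, the 30-second step and the shared secret are assumptions.

```javascript
const crypto = require('crypto');

// RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
// dynamic truncation to a decimal code of the requested length.
function hotp(secret, counter, digits) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 TOTP: the counter is the number of time steps since the epoch.
// This is what the card's display would show at a given moment.
function totp(secret, unixSeconds, { stepSeconds = 30, digits = 6 } = {}) {
  return hotp(secret, Math.floor(unixSeconds / stepSeconds), digits);
}

// Issuer side: shares the per-card secret and remembers the newest step
// it has accepted, so a captured code cannot be used a second time.
class IssuerVerifier {
  constructor(secret, { stepSeconds = 30, digits = 6, drift = 1 } = {}) {
    this.secret = secret;
    this.stepSeconds = stepSeconds;
    this.digits = digits;
    this.drift = drift;   // steps of clock skew tolerated either way
    this.lastStep = -1;   // newest step already consumed
  }

  verify(code, nowSeconds) {
    const current = Math.floor(nowSeconds / this.stepSeconds);
    const given = Buffer.from(String(code), 'utf8');
    for (let s = current - this.drift; s <= current + this.drift; s++) {
      if (s <= this.lastStep) continue; // negative or already-used step
      const expected = Buffer.from(hotp(this.secret, s, this.digits), 'utf8');
      if (given.length === expected.length &&
          crypto.timingSafeEqual(given, expected)) {
        this.lastStep = s;
        return true;
      }
    }
    return false;
  }
}

// Constructed scenario: the secret is the RFC 6238 test key, so the codes
// can be checked against the published vectors.
function demo() {
  const secret = Buffer.from('12345678901234567890', 'ascii');
  const issuer = new IssuerVerifier(secret);
  const shown = totp(secret, 59);               // code on the card at t=59s
  return {
    shown,
    genuine: issuer.verify(shown, 59),          // cardholder pays
    reusedAtOnce: issuer.verify(shown, 65),     // copied code, seconds later
    reusedLater: issuer.verify(shown, 59 + 300),// copied code, minutes later
    nextCode: issuer.verify(totp(secret, 95), 95), // cardholder pays again
  };
}
```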
Re: (Score:2)
Now there's a good idea. I'd mod you up if I could.
The way I see it, the number one problem with credit cards is that all the verification steps do basically amount to nothing ... everything you need is printed on the card, so what is verified is neither that you have the card nor that you know some secret.
What you propose completely changes that.
By adding a number that changes over time, you foil re-use. Someone can copy the other things on your card, but they will be useless without the card.
Add some sort
Activation During Shopping (Score:5, Interesting)
My GF's great-grandmother passed away in November. She was very close.
Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.
This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.
All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.
As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleazy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.
Brilliant lose-lose for everyone involved.
Two of the links I recorded checked this out:
Links More Banking Stupidity: Phished by Visa [links.org]
Verified by Visa: British banks phish their own customers - Boing Boing [boingboing.net]
Redacted portions of an online TOS from a large Canadian bank which has since gone 404.
You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.
You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.
Answer me this, Batman:
How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?
I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works which violates your TOS.
This whole thing makes me seriously limbic.
Larry Lessig on laws that choke creativity [ted.com]
And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.
For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.
virtual cards (Score:2)
This is why I use a virtual card online (paypal offers them, and some banks do too) - generate a card, use it and then close it. It's also handy for sites that force you to subscribe when you only want a brief access (e.g. I'm only an occasional wow player, so I pay for a month, close the card, don't have to pay for the rest of the time when I don't have time to play).
3DS is also broken from a human factors POV (Score:2)
I am a UI designer with an interest in security-related human factors.
3DS as deployed by MasterCard is also fundamentally insecure because it's based on an anti-pattern: trust by proxy without offering any easy way to verify that trust. Visa's implementation is marginally better because it echoes a "secret phrase" to you on the screen before you input your pin, thereby allowing you to verify that it's them, and not some random phisher.
The trouble is most people just trust in the application of the anti-patte
Re:Lol (Score:4, Insightful)
No, because it's in an iFrame it's less secure than having nothing at all. When you're pulling data from two different sites on the same page, it's much easier for a third party to insert their own fields without you knowing.
Re: (Score:2)
SecuCode annoys me. Half the time the page doesn't even load. When all the hot deals were coming out around Christmas, I had to use Paypal to buy everything, because SecuCode was indefinitely down.
Oh yeah - know what password does fit their limitations? bullsh1t
Re: (Score:2, Interesting)
What's to stop a dysfunctional e-store using a mocked-up version of that screen to collect my online PIN?
Re: (Score:2)
My Chase MC and Visa required this to be setup and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.
Re:Lol (Score:4, Funny)
My Chase MC and Visa required this to be setup and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.
See that! You're more secure already!
And you doubted the value of this valuable security feature...
Re: (Score:2, Redundant)
Here's a little tip that I discovered by accident. On a NewEgg order, if you hit "cancel" on the Verified-by-Visa page, the order still goes through.
Re: (Score:2)
Here's a little tip that I discovered by accident. On a NewEgg order, if you hit "cancel" on the Verified-by-Visa page, the order still goes through.
I have recently built an ecommerce site for someone and noticed that our account on a payment gateway allows us to disable this crap. When disabled, it still displays but the user can skip it or whatever and the purchase still goes through. We have had the account for years. When the client switched it to their account on the same payment processing company the option to disable it was greyed out. It seems it is mandatory for some (maybe newer?) setups but not existing ones.
As a customer it makes no differe
Re: (Score:2)
Well, VbV's security issues are a problem for Visa to solve. It's great for merchants who sell high-priced items (like NewEgg, camera stores, etc). Many smaller merchants who had to go through a whole back-and-forth thing with the customer and credit card company before (for large, expensive orders) can now just use VbV for the same high-priced purchase instead. Higher volume merchants like NewEgg can streamline their credit checks with VbV and even allow shipments to addresses other than the billing add
Re: (Score:2)
In some of the accountancy newsgroups I frequent, we sometimes get merchants wondering why so many people abandon their purchases when they put 3D Secure on their websites. Anecdotally it seems that about 2/3 of customers will abandon their transaction if they hit the verified by visa page. I certainly do, because it asks me to enter password details into a site called "securesite.co.uk", owned by some very small company called Redstation Limited I've never heard of.
Re: (Score:2)
I did as well
Re: (Score:2)
Exactly. And I think it's funny that you can always cancel out of the VbV thing and it'll still work.
Which I have to do every time I want to use my Visa card online because it straight doesn't support the VbV thing. It either fails (yet still works) or comes up saying my bank doesn't support it. I now do all my shopping with MC.