As far as phishing schemes go they don’t come better than Verified by Visa. Fortunately it isn’t actually a scam. However it so closely resembles the perfect online con that this detail makes little practical difference. What’s more it’s turning customers away from merchants who employ the system.
If you use a credit card online you’ve probably come across Verified by Visa (or the Mastercard equivalent, SecureCode.) The systems add an extra password step to online transactions that the companies claim improves security. Unfortunately the user experience is nothing short of tragic and the implementation is counterproductive in the fight against phishing scams.
Last night I watched a friend burn through three Visa credit cards trying to book Eurostar tickets for a short break to France. Each time, the Eurostar website forwarded him and his card details to a page at 3dsecure.com, where he was asked to enter a password he’d previously registered. The site gave him two tries before blocking his card. This happened three times with three different cards. No tickets got bought.
Next, another of our group tried to buy concert tickets, again with a Visa card. Not being sure of her password she hit the “forgotten password” link and filled out the forms to reset it. She then submitted her transaction but was told that there was an authentication problem and she needed to call her bank. Again, no tickets got bought.
Verified by Visa took away about £250 worth of business from various merchants last night. However that’s not the scary part. The way card holders are required to enroll with the system beggars belief.
The first time you shop online at a merchant that supports Verified with your Visa card you are redirected to either a pop-up or an iframe that asks you to register for the system. It collects your name, credit card details, some “secret questions” and a password. It does all this from a domain that is neither the merchants’, your banks nor Visa’s (in fact there seem to be many variations on the domain name of the iframe or pop-up). The system then authorises the transaction and redirects you back to the merchant’s site. For subsequent transactions only the password is required.
How is this different in process or appearance from an email or website, claiming to be from or part of your bank, that takes you off to a third-party domain, asks for your credit card details, and then emails them to a drop-box from where a professional criminal cleans out your account?
Visa have invested heavily in securing their credit system against phishing attacks so I cannot understand why they modelled the Verified by Visa enrollment process on one. They used to be able to say to card-holders, “don’t ever give your passwords or card details to third parties” but now they have to qualify the message with “unless it’s got a Visa logo on it and it sounds something like 3Dsecure.com (or .co.uk, or was it 3-Dsecure.com. Whatever.)” That qualification makes it harder for them to get the anti-phishing message across; makes it more difficult for non-technical users to keep their accounts secure; and, with the increasing practice of embedding the offending password dialogue in an iframe, makes it more difficult to distinguish between legitimate and fraudulent requests for your details and passwords. When was the last time you hit View -> Source and checked for iframes?
What baffles me most is that snail mail works perfectly well as a secure channel for sending out authentication credentials. Why can’t Visa make the banks post out passwords to cardholders (with some literature detailing what the system does and the domain names involved) rather than dreaming up this suspicious-looking online registration system and presenting it to users without warning or explanation? Then they could mandate that the passwords be of high quality and customers could be confident that the system was legitimate. After all, that’s what they do with the PIN numbers for those very same cards, so it’s not like it would be any more effort.
After a suggestion by an online friend I’m tempted to start a list naming and shaming merchants who employ Verified by Visa. I know they’re being leaned on by the credit card companies to adopt the technology, however it would be a more effective method of pushing back than boycotting banks, which people are unlikely to want to do in large numbers. Of course with so few credit card companies to choose from, a boycott of Visa wouldn’t attract sufficient interest to make an impact, even if that’s what I really feel like doing.
Have you got a story of Verified-by-Visa-induced woe to add to the collection? Or perhaps your experience has been positive? Do you have a suggestion for the name-and-shame list? Add them in the comments!