Verified by Visa: bad for security, worse for business

As far as phishing schemes go they don’t come better than Verified by Visa. Fortunately it isn’t actually a scam. However it so closely resembles the perfect online con that this detail makes little practical difference. What’s more it’s turning customers away from merchants who employ the system.

If you use a credit card online you’ve probably come across Verified by Visa (or the Mastercard equivalent, SecureCode). The systems add an extra password step to online transactions that the companies claim improves security. Unfortunately the user experience is nothing short of tragic and the implementation is counterproductive in the fight against phishing scams.

Last night I watched a friend burn through three Visa credit cards trying to book Eurostar tickets for a short break to France. Each time, the Eurostar website forwarded him and his card details to a page at 3dsecure.com, where he was asked to enter a password he’d previously registered. The site gave him two tries before blocking his card. This happened three times with three different cards. No tickets got bought.

Next, another of our group tried to buy concert tickets, again with a Visa card. Not being sure of her password she hit the “forgotten password” link and filled out the forms to reset it. She then submitted her transaction but was told that there was an authentication problem and she needed to call her bank. Again, no tickets got bought.

Verified by Visa took away about £250 worth of business from various merchants last night. However that’s not the scary part. The way card holders are required to enroll with the system beggars belief.

The first time you shop online at a merchant that supports Verified with your Visa card you are redirected to either a pop-up or an iframe that asks you to register for the system. It collects your name, credit card details, some “secret questions” and a password. It does all this from a domain that is neither the merchant’s, your bank’s, nor Visa’s (in fact there seem to be many variations on the domain name of the iframe or pop-up). The system then authorises the transaction and redirects you back to the merchant’s site. For subsequent transactions only the password is required.

How is this different in process or appearance from an email or website, claiming to be from or part of your bank, that takes you off to a third-party domain, asks for your credit card details, and then emails them to a drop-box from where a professional criminal cleans out your account?

Visa have invested heavily in securing their credit system against phishing attacks so I cannot understand why they modelled the Verified by Visa enrollment process on one. They used to be able to say to card-holders, “don’t ever give your passwords or card details to third parties” but now they have to qualify the message with “unless it’s got a Visa logo on it and it sounds something like 3Dsecure.com (or .co.uk, or was it 3-Dsecure.com. Whatever.)” That qualification makes it harder for them to get the anti-phishing message across; makes it more difficult for non-technical users to keep their accounts secure; and, with the increasing practice of embedding the offending password dialogue in an iframe, makes it more difficult to distinguish between legitimate and fraudulent requests for your details and passwords. When was the last time you hit View -> Source and checked for iframes?
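The “View -> Source” check above can be automated. The following is an added example, not code from the original post or from Visa: it parses the source of a checkout page and reports every iframe and form target that belongs to an origin other than the merchant’s, and whether each is served over HTTPS. The checkout page and every hostname in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a merchant checkout page as it might appear under
# View -> Source: the payment form posts back to the merchant, but the
# password dialogue is an iframe served from an unrelated host. Every
# hostname here is made up for the example.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form action="/checkout/confirm" method="post">
  <input name="card" type="text"></form>
<iframe src="https://auth.example-3ds.net/enrol?mid=42" width="400"></iframe>
<iframe src="http://ads.example-cdn.com/banner" width="300"></iframe>
<iframe src="/help/faq"></iframe>
</body></html>
"""


class CredentialTargetScanner(HTMLParser):
    """Collect every iframe source and form action on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []  # list of (tag, absolute url), in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.targets.append(("iframe", urljoin(self.page_url, attrs["src"])))
        elif tag == "form":
            # A form with no action posts back to the current page.
            self.targets.append(("form", urljoin(self.page_url, attrs.get("action") or "")))


def audit_checkout_page(html, page_url):
    """Return one finding per iframe/form: its host, whether it is a different
    origin from the merchant page the user believes they are on, and whether
    it is loaded over HTTPS."""
    scanner = CredentialTargetScanner(page_url)
    scanner.feed(html)
    merchant = urlsplit(page_url)
    findings = []
    for tag, url in scanner.targets:
        parts = urlsplit(url)
        findings.append({
            "tag": tag,
            "host": parts.netloc,
            "cross_origin": (parts.scheme, parts.netloc) != (merchant.scheme, merchant.netloc),
            "https": parts.scheme == "https",
        })
    return findings


def third_party_frames(findings):
    """Hosts of iframes that are not the merchant's own origin: these are the
    embedded dialogues the address bar gives the user no way to vet."""
    return sorted({f["host"] for f in findings if f["tag"] == "iframe" and f["cross_origin"]})


if __name__ == "__main__":
    results = audit_checkout_page(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout")
    for finding in results:
        print(finding)
    print("third-party frames:", third_party_frames(results))
```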

What baffles me most is that snail mail works perfectly well as a secure channel for sending out authentication credentials. Why can’t Visa make the banks post out passwords to cardholders (with some literature detailing what the system does and the domain names involved) rather than dreaming up this suspicious-looking online registration system and presenting it to users without warning or explanation? Then they could mandate that the passwords be of high quality and customers could be confident that the system was legitimate. After all, that’s what they do with the PIN numbers for those very same cards, so it’s not like it would be any more effort.

After a suggestion by an online friend I’m tempted to start a list naming and shaming merchants who employ Verified by Visa. I know they’re being leaned on by the credit card companies to adopt the technology, however it would be a more effective method of pushing back than boycotting banks, which people are unlikely to want to do in large numbers. Of course with so few credit card companies to choose from, a boycott of Visa wouldn’t attract sufficient interest to make an impact, even if that’s what I really feel like doing.

Have you got a story of Verified-by-Visa-induced woe to add to the collection? Or perhaps your experience has been positive? Do you have a suggestion for the name-and-shame list? Add them in the comments!

38 thoughts on “Verified by Visa: bad for security, worse for business”

  1. Whenever I use Verified by Visa I reset my password. It’s a never-ending loop. Because I reset my password last time in a hurry, because I wanted to buy something, I didn’t remember it. Because you can’t reuse a password, you can’t use something memorable, so you end up using “tuesday1123” and I’m not going to remember that in 3 months’ time.
    The scary bit for me is that to reset my password it asks for card start and end date, CVN and birthday. All of that is available to the person who stole my wallet with my credit card and my driving license. Not at all secure!

    • Totally this. Fucking shambles, and it just causes friction-filled transactions. The sooner bitcoin becomes more widely used the better.

  2. I agree 3D Secure is painfully bad.
    It’s being pushed on retailers by Visa/Mastercard as a way to remove the risk of chargebacks. For 3DS transactions any chargebacks are the responsibility of the bank, not the retailer. For smaller retailers this is irresistible as it might make the difference between making a profit and going out of business.

    I’m not sure naming and shaming these retailers would do much good. The retailer will either not change, and suffer (but Visa won’t notice). Or they’ll change, and get hit with chargebacks, but Visa won’t care as they’re small-fry.

    Now if you can find some bigger retailers to boycott that might be more effective as that would also hit Visa’s bottom line. The problem there is that the biggest retailers (amazon, PayPal, and the like) already reject 3DS because they have enough weight with the banks to say ‘screw you AND your chargebacks’

  3. I do not like your icons for posting comments. Not accessible.

    Agree with your post though – but think the venom needs to be pushed at the CC companies, not the little guy that is already paying through the nose to accept CC payments.

  4. @Tim – yikes, that’s not good 🙁

    @Nik – Excellent point. I feel like we need to complain else none of the supply chain players will understand that their customers are tearing their hair out. However we should be careful to target our protests where they will have the greatest chance of achieving change. Any ideas?

    @huh? Point taken about the comments box – thanks for the feedback. I’m currently looking at making some changes to the way comments work here. Watch this space!

    Also @huh? Do you think we can make enough noise for CC companies to take our objections into consideration? I think we need to recruit some vendors to the cause too since they’re the ones through whom business flows to Visa et al.

  5. I am convinced the VbV was created to STOP bank card security. It is NUTS. I have personally not purchased SEVERAL big ticket items because of VbV. I have NEVER seen a worse implementation of technology in my life. IT SEEMS like a con, then when you get stopped you have no choice but to call some stranger and give them a TON of personal information OVER the phone system (public for sure) only to get it unblocked so you can go through a frustrating online transaction all over again. WHO is the MORON that invented VbV because it is c r a p. I am NOT going to purchase online anymore … in fact I believe that VbV was created to continue the ruining of the American economy. Maybe it should be called BUShWARE.

  6. Dell is the latest company to lose my business because of Verify By Visa … They lost out on a PC sale.

    What a great way to destroy an economy and frustrate MILLIONS of people … great job Verify by Visa … whoever you are.

  7. Having avoided using my credit card online for a very long time I had no choice this week. I got slapped with the Verified by Visa form but I just couldn’t pick a password I thought secure that met their requirements because they specify a (far too short) maximum length.
    Why? It can’t be the amount of space it will take up in storage since they will obviously be applying a cryptographic hash function to the password, won’t they? Please god tell me they are, so the outputs will be the same length even if I pick a twenty character password and you pick a thirty-five character one. Even wanting to do input checking doesn’t need there to be such a ridiculously short upper bound.
    I hit the fuck off button. I suspect I won’t be able to do that for much longer.

  8. Absolutely couldn’t agree more!

    Every Christmas present I’ve bought this month I’ve been presented with an iframe with an HSBC and VISA logo on.
    I keep hitting the “no thanks” button but it still keeps asking me.

    I’ve worked with 3D Secure in my job as a web development manager and I know how it all works with unsecured javascript posts and iframes. It is absolutely shocking how bad it is for card security.

    The day the website insists I sign up for “verified by visa” I will simply stop shopping online.

  9. Chase Bank is one of the biggest banks in America. Do a quick Google search for “Chase Verified by Visa”. The link goes to an https site hosted under securesuite (dot) net, which just so happens to be a fraudulent phishing site.

    To make matters worse, securesuite (dot) net used to be controlled by Chase, and used to be used by their Verified by Visa implementation.

    You can see the old link for yourself on the demo.chase.com link on:
    http://www.google.com/search?q=chase+verified+by+visa

    This is all shockingly awful. It’s kind of sad, too, to see that whoever controls securesuite (dot) net is using a VeriSign certificate to do so. You’d think VeriSign might make sure it’s not handing out SSL certificates to known criminals.

    You also might think Chase would care to do a little more SEO policing of “Chase Verified by Visa”. I tried calling Visa about this and they refer all calls about Verified by Visa to Chase. I tried calling Chase, and they said Visa controls Verified by Visa, and that they can’t do anything about it.

    What really roils me, though, is that it’s impossible to make purchases on some websites (such as Delta Airlines’ website) without going through the Verified by Visa charade.

  10. Had no problem with Verified by Visa until the last two weeks when I have been unable to use elements of my password requested.

    V by V say they have been having problems. I have managed to withdraw my Debit card from the system; not tried Credit card yet but have requested same.

  11. Disgusting. Truly. I’ve never seen a more offensive implementation of a security mechanism on an account. I’ve been to a couple sites now that don’t even give an option to opt-out. And I simply can’t bring myself to give in to the system and just hand over my info. So instead, Discover got my money. I can’t possibly see how this was deemed a better way to do this than a simple change to the cardholder’s agreement everyone has to abide by in order to keep their credit card. All they’d have to do is issue out a pamphlet along with an updated agreement, and require people to sign up for an online pincode/password by such and such date in order to continue using their cards. That gets everyone on-board, gives them the proper info they need to be armed with in order to avoid phishing, and does it in a way that feels legitimate and secure to those placing their trust and money into these companies.

  12. This was a good article to read. Today I spent 15 minutes, an hour, & then another 15 minutes on hold to the Visa Verification line trying to get my password changed, after the forgot password thing blocked me out. I read this article & typed this response during the last phase! I only wanted to pay for my 16-25 railcard, & if I stay on hold much longer I’ll probably have racked up another £26 in phone bills! What makes it worse is the boring, looped music & the woman constantly ‘apologising’ for my situation. Even student finance doesn’t take this long. I’ve only used it once or twice before & had no complaints til now…

    Also, it doesn’t actually tell you on the V by V site the number I’m currently calling. I had to be put through via my bank. I have now been on the phone 22 minutes. Not impressed AT ALL.

  13. I’ve just tried to purchase 2 things from different companies but can’t because of the verification password. I know my password and yes I did write it down in an odd place for security. The trouble is that my card was eaten by a faulty ATM so I was given a new one… I just need to somehow change the dates… but how?

  14. New Egg just lost $3200.00 in combined sales because of their moronic use of VISA Verify.

    Smooth move New Egg!

  15. Worse. If someone has your card details (perhaps they have hacked previous sales transaction details from an insecure site) and is confronted with the Verify system they just change the password and complete the fraudulent transaction. The first you know is when you get an email from the ‘verify’ bank department telling you you changed your password. Fine – if you happen to check your emails in time before they spend thousands. I promise you this is done – I know – been got twice now 15 months apart.
    I can change my password as often as I want but it won’t stop someone going in there and saying they want to change it – as they can do the change as they make the purchase.
    Madness.

  16. I too have a Verified By Visa horror story. I tried to pay a bill online and the very last step is this God-awful VbV. Because I only pay the bill once a month, I don’t remember what my password is and when I click the “forgot password” link, it’s dead and clicking it multiple times to get it to re-open or possibly refresh itself only results in me being blocked from even being able to pay because it tells me there were too many unsuccessful attempts at log in. Same deal with clicking the help button. This is the worst set up ever. Get it together Visa!!

  17. Also, the service claims to be offered through Chase Bank, however when I went to the bank to have them help me figure out how to access my password (since the link wasn’t helpful AT ALL), my banker told me he had never even heard of this service! Which to me makes this seem all the more suspect. I HATE this “service;” it’s of no service at all to the customer and is only a pain…

  18. This has never, ever worked. It always tells me my password is wrong. I have even had my bank on the phone when making a purchase and they watched the payment trying to be made, all the time telling me I was entering all the correct data, just for the crap, annoying, goddamn useless verified by visa system to halt the payment. I end up making a telephone purchase. I can’t remember the name of the company running this system but they need to wake up and smell the rubbish they are shovelling!

  19. Verified by visa never worked. Every time the screen popped up I entered the correct password; it did not recognise it and I had to fill out new forms all over again. I complained to verified by visa and he said it did not work because of the search engine I had used (i.e. chrome). He cancelled it for me but said if I use my card more than 3 times I will have to use verified by visa. However I found this not to be the case as long as you do not join and just skip it.

  20. My bank (Co-operative) use vbv & it is set up by them at their end. The password needed is the same one which I chose to use for my internet banking with them. I have NEVER, EVER, had any sort of problem with it in any way, shape or form!!!
    My bank says that “other banks” use an unsatisfactory method of implementation of the password for vbv. What these “others” do is wait until you are at the point of sale on whichever website, then decide to ask if you’d like to sign up, there & then. Having to quickly think of a password, something you’ll remember is not easy when just trying to do your shopping.
    But, because with SMILE they set this up automatically & simply ask you to use your existing password, there is no such problem. BTW, I live in UK, is it more of a problem in say USA??

  21. I stumbled across your website when I was trying to figure out what Verified by Visa was – how the heck should I know that secure5.arcot.com is in any way valid and has any connection whatsoever with my financial institution or Visa (other than that they can copy the Visa logo to slap on their webpage), and frankly why do they need my social security number (U.S.) if I’m setting up a password? In my case (tour purchase) it’s being driven totally by the merchant (who’s getting way too personal with me by asking for my SSN through a third party). I’ve never been put through VbyV by Newegg, Amazon, or other major online retailers, but now for a minibus tour in France? @Kevin is right – this does not feel legitimate or secure at all.

  22. Wow, just got hit the first time I was shopping at newegg, redirected to site securesuite.net. What really bothered me was I went to look up & go to the company’s website and the connection timed out, no response. If it wasn’t a fresh install of XP I would have thought it was a phishing or other scam. Still not sure.

  23. I wanted to get my wife an anniversary present. The site uses verified by visa. After inputting my password I am sent back to the retailer’s site with a statement that approval was not authorized. I have re-registered my card in the verified by visa site at least a half dozen times now. I’ve worked with verified by visa people and my bank. Tried numerous suggestions as well as some things on my own. Nothing works after 3 days of trying. I did find a similar product by another retailer that uses Paypal and that worked just fine.

  24. I’ve only run into VbV on ticketmaster, and have never successfully been able to buy tickets since. I end up asking a friend to buy them and paying them back. Ridiculous.

  25. Yes, verified by Visa looks exactly like phishing. It sent me to securesuite.co.uk and asked me to enter my details. Securesuite.co.uk appears to belong (whois says) to RSA security based in New York with no obvious link to any bank or to Visa. They even triggered a warning about a USA IP number on a .co.uk domain name. I asked my bank to indemnify me against any fraudulent use of details as a result of the disclosure. They refused. They even said on the phone they did not recommend use of verified by VISA, it was the retailers who set it up not the banks?

  26. My biggest problem is that while trying to pay for a large amount of books, Verified by Visa is asking me for my password even though I’ve set one up. When I try to register I get a message saying that my card is not ‘eligible’.
    So far I have yet to purchase the books.

  27. After lovefilm stopped games rentals I tried to sign up with blockbuster online, which uses vbv. It just keeps saying the address does not match even though it’s exactly the same, so I tried boomerang rentals; that ended up with the same problem, vbv saying details didn’t match. But here’s the kicker: the credit checks still came off my card, which wasn’t too bad with blockbuster, it was only 11p, but boomerang was £12 each time, burnt through £60! Which I now have to wait a week to get back, plus loads of time on the phone because my card was restricted; there was no notification of the transaction that went through anyway! What a joke. I understand the need for security but the system is a flop and I will never ever even look at boomerang’s site ever again. It’s just beyond belief I can’t use the services because of this stupid vbv.

  28. I thought this was something brand new. I was appalled to discover this started in 2009????? Are you powerless to stop this?!? Reading through the early posts I see there was a suggestion to band together & fix this but alas, 4 years later…I’m blocked from buying technical books from favorite authors at a small publishing house because I didn’t get it and locked it up……

  29. I made the mistake by registering my card through the verification system. I now can not use my card online for anything. The verification page to enter my password doesn’t even come up.

  30. Something to take into account is the amount of successful orders that are completed by using the 3dsecure process – this satisfies the merchant that they are dealing with the card holder.

    I have 3 different VISA cards and have never had a problem using any of them and I have never got the passwords mixed up and had my card blocked… Admittedly it was a pain until I got used to it and I find entering that online easier than going to the shops, parking, & standing waiting to be served…

    Problems encountered by the 3dsecure process are often user errors! If you don’t get the secure box pop up… check your pop up blocker!

    I can only assume people will get used to using this, for instance if your device remembers your card details – a payment cannot be processed unless you enter your password –

    In all honesty – who wouldn’t want to be set up for 3dsecure! Those who rant about it on here should go to a high street shop and pay by chip and pin…

  31. I have given up purchasing tickets on ticketmaster because of verified by visa. Buying tickets for high demand concerts is a struggle at the best of times, throw verified by visa into the mix and it becomes close to impossible.
