24 October 2008

Verified by Visa - As Valueless

I, too, have noticed the insidious spread of Verified by Visa (VbyV), and thought it looked well dodgy, but I couldn't quite put my finger on it. Here's the problem:

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

The easiest way will be for a compromised site to push you to a false login and obtain your magic password. You won't be able to prove it, of course, and so the danger is that you will end up with the bill for fraud.

This is a disaster waiting to happen, and lots of people are going to get burned if we don't manage to get some sense into the banks soon. The only way to do that is to get the story out - please pass it on.... (Via Kim Cameron's Identity Weblog.)
