Showing posts with label verified by visa. Show all posts

28 March 2009

Phished by Visa

This is utterly scandalous:

Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders - by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this is seen as a benefit!

...

Craziness. But it gets better - obviously not everyone is pre-enrolled in this stupid scheme, so they also allow for enrolment using the same inline scheme. Now the phishers have the opportunity to also get information that will allow them to identify themselves to the bank as you. Yes, Visa have provided a very nicely tailored and packaged identity theft scheme. But, best of all, rather like Chip and PIN, they push all blame for their failures on to the customer

I've instinctively hated these "Verified by Visa" ever since they came out, and tried not to use them. The fact that they are not just inherently insecure, but encouraging merchants to use this in the most insecure way possible, is astonishing even for an industry as rank and rotten as banking.

The one consolation has to be that Verified by Visa is so demonstrably insecure that it should be easy to challenge in court any attempts to make customers pay for the banks' own stupidity.

Follow me on Twitter @glynmoody

24 October 2008

Verified by Visa - As Valueless

I, too, have noticed the insidious spread of Verified by Visa (VbyV), and thought it looked well dodgy, but I couldn't quite put my finger on it. Here's the problem:

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

The easiest way will be for a compromised site to push you to a false login and obtain your magic password. You won't be able to prove it, of course, and so the danger is that you will end up with the bill for fraud.

This is a disaster waiting to happen, and lots of people are going to get burned if we don't manage to get some sense into the banks soon. The only way to do that is to get the story out - please pass it on.... (Via Kim Cameron's Identity Weblog.)