VISA: All Your Password Are Belong to Us

R. A. Hettinga rah at
Mon Dec 3 09:19:34 EST 2001

December 3, 2001

Visa Starts Password Service to Fight Online Fraud


Something seems backward about the way that credit card companies have used
the Internet. If you want to see your balance or pay your bill online, you
will need to log on to the credit card company's site with a password. But
to spend money on other sites, all you need is the card number itself, the
same one available to anyone who finds a stray receipt or picks the wallet
from your pocket.

Of course, the cardholder is not liable if someone goes on a cybershopping
spree with a purloined number. But disentangling the fraud is a problem.
And the banks and merchants have to absorb the loss.

Visa is trying to change that, albeit very slowly. Starting today, it will
invite cardholders to link their cards to a password. People using those
cards at online stores set up to handle the new system, called Verified by
Visa, will be asked for the password as they check out. MasterCard is
working on a slightly more complex approach to verifying cardholders'
identities; it plans to introduce the changes next year.

At first, both of these systems will be optional for cardholders, online
stores and the various banks that issue the cards. Visa predicts that only
6 percent of its cards will have passwords in the first year.

That means that 94 percent of cards will still be an open invitation to
crooks. And even those cards that do have passwords can still be used at
sites - including (news/quote) - that do not want to ask for the
passwords. Indeed, Visa's software does not even work on Macintosh
computers, so a Mac-using card thief would not be deterred by the system.

Visa argues that it is taking the first steps in a long process to make
online buying more secure. It says it will write software for the Mac and
find ways to encourage participation. Visa, which is an association owned
by the banks, hints that if the system works as it hopes, it will
ultimately require passwords for online purchases.

"If the market accepts this over the next year, we have levers we can pull
to increase adoption," said James McCarthy, a senior vice president at
Visa's eVisa business unit.

So far, even some of the biggest Visa banks are not so sure they want to
force any cardholder to obtain a password who does not want one.

"The last thing we want to do is curtail any purchase activity from someone
because they don't want to take the time to sign up for the system," said
Hugh Bleemer, executive vice president for e-business at First USA, the
largest Visa card issuer.

First USA, which will be among the first to let cardholders sign up for
Verified by Visa, says it is not so much concerned about fraud itself as
simply the fear of fraud felt by some of its cardholders.

"When we look at research and talk to our customers, we know there is a
group that would like us to provide an added level of security," Mr.
Bleemer said.

For the banks, moving shopping online can have a big effect. In stores,
only 30 percent of dollars spent are with general-purpose credit cards. On
the Internet, that share is 90 percent.

Fraud, meanwhile, is hardly a major problem for the credit card issuers.
Visa says that just 7 cents for every $100 in card purchases is lost to
fraud, half the rate of 10 years ago. But 25 cents for every $100 in online
purchases is fraud. The online fraud rate has been stable in recent years,
but the overall number has grown, as e-commerce now represents just under 4
percent of Visa card purchases.

"If we don't get to the root causes of this, the losses will continue to
grow," Mr. McCarthy said.

One reason the banks have not been so concerned about fraud losses is that
under credit card rules, online stores - and other mail order merchants -
must cover the costs of any charge that the consumer says was unauthorized.
(In a store, where the customer signs a charge slip, the bank issuing the
card is liable for fraud.)

Moreover, in 2003, Visa expects to change these rules so that merchants
that accept Verified by Visa will not be liable for unauthorized charges.

That promise is not enough to get, the largest online store, to
participate in Verified by Visa.

"From our standpoint, the amount of friction that Verified by Visa
introduces for the customer outweighs the benefit from reducing fraud,"
said Mark Britto, Amazon's director of corporate development. "It would
turn one-click ordering into four-point, three-click ordering," he said,
referring to the online store's trademark method of fast checkout.

Dell Computer, by contrast, signed on to be among the first
merchants to participate in the Verified by Visa program, but mainly to
reduce the number of people who call to order computers because they are
afraid to enter their card numbers on the Web.

"We're not greatly concerned about fraud levels," said Sam Decker, Dell's
senior manager for consumer e-business. "We want to give customers more
confidence in buying online."

Visa argues its security system is more efficient than a previous effort,
developed in 1996 by a consortium of credit card companies, that proved too
complex. Consumers do not need to use any new software, and merchants
simply need to open a new window on shoppers' Web browsers in which they
can send their password to the bank that issued their card.

"Visa's architecture is simple but quite elegant," said Stephen Ryan, a
vice president of Arcot Systems, a company that makes software used by
banks and merchants to participate in the program.

MasterCard's approach, called secure payment authorization, requires the
user to download a small program, a method it says is more secure than
passwords alone.

American Express says that it does not see a compelling reason
to press for a new user identification system as it is comfortable with its
fraud losses. But the company said it might move to a new password system
if the industry agreed on a standard.

"With any new authentication program, you need to have a critical mass of
cardholders who can use them and merchants that accept them," said David
Bonalle, the American Express vice president in charge of advanced payments
enterprise development. "As long as Visa and MasterCard don't agree, we're
not going to make any progress."

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
