"Verified by VISA" looks phishy

Alan Barrett apb at cequrux.com
Mon Dec 4 07:18:35 EST 2006


I tried to renew a domain name registration and pay by credit card,
and encountered a nasty problem with (some implementations of?) a
service called "Verified by VISA", which is nominally intended to secure
Internet credit card transactions.

The domain name registrar asked what domains I wanted to renew, and
redirected my browser to a third party credit card payment service.  So
far so good: the domain name registrar told me "you will be redirected
to ${PAYMENT_SERVICE}."

The payment service confirmed the amount to be paid, asked
for my credit card number and a few other details, and told
me that I would be redirected to my bank to confirm my PIN
number.  But I was not redirected to my bank, I was redirected to
https://${some_string_resembling_the_name_of_my_bank}.bankserv.co.za.
The bankserv.co.za web site claimed to be part of a system called
"Verified by VISA", and asked me for the PIN that I use for ATM
transactions with my credit card.

The problems with this include:

  1) Locating the verification web site at a domain name not associated
     with the bank looks phishy.

  2) Telling customers not to worry about (1) trains them to be more
     vulnerable to phishing.

  3) Providing both the ATM PIN and the card number to the verification
     web site enables fraud by insiders, is possibly a violation of the
     cardholder's contractual requirement to keep the PIN secret, and is
     a violation of the ordinary prudent desire to keep the PIN secret.

  4) Telling customers not to worry about (3) trains them to take less
     good care of their PIN.

I phoned my bank, and talked to somebody who could not understand
the problem: "See the lock icon?  That means it's secure."  I have
subsequently tried to explain the problem to the bank via email.  I
asked them to: use the bank's domain name, not bankserv.co.za; use a
unique PIN instead of re-using the ATM PIN; use one time passwords
instead of PINs.  I haven't had a response to my suggestions.

--apb (Alan Barrett)
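The first problem in the list above is that the verification page lived on a host that merely resembled the bank's name, under someone else's domain. Below is an added example (not code from the post, the bank, or the Verified by VISA scheme) of the check a browser-side or gateway-side defender can apply to a redirect target before sending a user to it: the host must be the bank's own domain or a proper subdomain of it, matched on a label boundary, and the scheme must be https. The bank domain `mybank.example` and every URL in the test data are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the domain the cardholder legitimately expects
# the card verification step to be hosted under. A real deployment would
# take this from the card issuer's published configuration.
TRUSTED_DOMAINS = ("mybank.example",)


def redirect_host_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only if `url` uses https and its host is exactly one of
    the trusted domains or a subdomain of one, matched on a dot boundary.

    Matching on the dot boundary is what defeats look-alike hosts such as
    'mybank.bankserv.co.za' (bank name as a label under a foreign domain)
    and 'mybank.example.evil.co.za' (trusted domain used as a prefix).
    urlsplit().hostname also discards any userinfo, so a URL such as
    'https://mybank.example@evil.co.za/' is judged by 'evil.co.za'."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for domain in trusted:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify(url: str) -> str:
    """Label a redirect target for a log line or a user-facing warning."""
    return "trusted" if redirect_host_is_trusted(url) else "phishy"


# Constructed sample redirect targets, modelled on the flow in the post:
# the bank's real subdomain versus a look-alike host under another domain.
SAMPLE_REDIRECTS = [
    "https://verify.mybank.example/3ds",          # bank's own subdomain
    "https://mybank.bankserv.co.za/verify",       # bank name under foreign domain
    "https://mybank.example.evil.co.za/verify",   # trusted domain as a prefix
    "https://mybank.example@verify.other.co.za/", # userinfo trick
    "http://verify.mybank.example/3ds",           # right host, no TLS
]

if __name__ == "__main__":
    for target in SAMPLE_REDIRECTS:
        print(f"{classify(target):8s} {target}")
```

Only the first sample is accepted; the look-alike under `bankserv.co.za`, the prefix trick, the userinfo trick and the plaintext variant are all rejected, which is the distinction the post's author wanted the bank to make visible to its customers.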

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com