"Verified by VISA" looks phishy

Jon Barber jon.barber at acm.org
Tue Dec 5 04:04:02 EST 2006


Yes, the whole Verified By Visa / Mastercard SecureCode initiative has
been handled very badly by the banks. I work at a very large travel
dotcom based in the UK, in the team that looks after the shopping basket
and payments. We were one of the first sites to add support for 3D
secure (the umbrella term for this) and we have quite a bit of customer
feedback pretty much along the lines of what you say. 

The banks' response is, more or less, tough. Furthermore, when asked about
promotional campaigns to educate the customers as to what this all means
and not to get spooked, the response was again, errrr, why don't you do
it.

For vendors the stick that the banks wield is fraud & chargebacks - if a
vendor site does not support 3D secure then the vendor is penalised when
credit card fraud occurs. If the vendor does support 3D secure then the
bank will stand the cost of fraud. With current trends for card fraud
this is a very large incentive.

Jon.

On Mon, 4 Dec 2006 16:18:35 +0400, "Alan Barrett" <apb at cequrux.com>
said:
> I tried to renew a domain name registration and pay by credit card,
> and encountered a nasty problem with (some implementations of?) a
> service called "Verified by VISA", which is nominally intended to secure
> Internet credit card transactions.
> 
> The domain name registrar asked what domains I wanted to renew, and
> redirected my browser to a third party credit card payment service.  So
> far so good: the domain name registrar told me "you will be redirected
> to ${PAYMENT_SERVICE}."
> 
> The payment service confirmed the amount to be paid, asked
> for my credit card number and a few other details, and told
> me that I would be redirected to my bank to confirm my PIN
> number.  But I was not redirected to my bank, I was redirected to
> https://${some_string_resembling_the_name_of_my_bank}.bankserv.co.za.
> The bankserv.co.za web site claimed to be part of a system called
> "Verified by VISA", and asked me for the PIN that I use for ATM
> transactions with my credit card.
> 
> The problems with this include:
> 
>   1) Locating the verification web site at a domain name not associated
>      with the bank looks phishy.
> 
>   2) Telling customers not to worry about (1) trains them to be more
>      vulnerable to phishing.
> 
>   3) Providing both the ATM PIN and the card number to the verification
>      web site enables fraud by insiders, is possibly a violation of the
>      cardholder's contractual requirement to keep the PIN secret, and is
>      a violation of the ordinary prudent desire to keep the PIN secret.
> 
>   4) Telling customers not to worry about (3) trains them to take less
>      good care of their PIN.
> 
> I phoned my bank, and talked to somebody who could not understand
> the problem: "See the lock icon?  That means it's secure."  I have
> subsequently tried to explain the problem to the bank via email.  I
> asked them to: use the bank's domain name, not bankserv.co.za; use a
> unique PIN instead of re-using the ATM PIN; use one time passwords
> instead of PINs.  I haven't had a response to my suggestions.
> 
> --apb (Alan Barrett)
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at metzdowd.com

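The redirect chain Alan describes (merchant -> payment service -> a host that merely contains the bank's name) is the kind of thing a cardholder or a merchant's payments team can check mechanically. The following is an added example, not code from either poster or from any bank or 3D Secure vendor: it takes the URL a verification step lands on and decides whether the host is actually under the issuer's own domain. "mybank.co.za" and every URL below are constructed placeholders. The check is done on whole DNS labels, which is the point the example adds: a host that *contains* or *ends with* the bank's name (mybank.bankserv.co.za, evilmybank.co.za) is not the bank, and neither is one that uses the bank's domain as a prefix. It says nothing about problem (3), the reuse of the ATM PIN, which no URL check can fix.

```python
from urllib.parse import urlsplit

# Constructed example: the issuer's own registrable domain(s), as the
# cardholder would expect to see them. "mybank.co.za" is a placeholder,
# not a real bank.
ISSUER_DOMAINS = ("mybank.co.za",)


def host_is_under(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The comparison is made on whole DNS labels: "evilmybank.co.za" does
    not match "mybank.co.za", and neither does
    "mybank.co.za.attacker.example". A trailing dot and letter case are
    normalised away first.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_redirect(url: str, issuer_domains=ISSUER_DOMAINS) -> str:
    """Classify where a card-verification redirect actually lands.

    Returns "issuer" if the URL uses HTTPS and its host is under one of
    the issuer's domains, "third-party" otherwise. The host merely
    containing the bank's name is not enough.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return "third-party"
    if any(host_is_under(parts.hostname, d) for d in issuer_domains):
        return "issuer"
    return "third-party"


# Constructed redirect targets modelled on the post; none are real sites.
SAMPLE_REDIRECTS = {
    "https://secure.mybank.co.za/3ds/verify": "issuer",
    # processor's domain with the bank's name as a leading label
    "https://mybank.bankserv.co.za/acs": "third-party",
    # the bank's whole domain used as a prefix of someone else's host
    "https://mybank.co.za.verify.example/acs": "third-party",
    # ends with the bank's name but not on a label boundary
    "https://evilmybank.co.za/acs": "third-party",
    # right host, no TLS
    "http://secure.mybank.co.za/3ds/verify": "third-party",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {url: verdict}."""
    return {url: classify_redirect(url) for url in SAMPLE_REDIRECTS}


if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:12} {url}")
```

Run as a script it prints one verdict per sample. A merchant that wanted to apply this in practice would need the issuer's domains from the issuer, not inferred from the card number; the allowlist here is the assumption the example rests on.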