"Verified by VISA" looks phishy

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Dec 5 06:14:44 EST 2006

Alan Barrett <apb at cequrux.com> writes:

>The bankserv.co.za web site claimed to be part of a system called "Verified
>by VISA", and asked me for the PIN that I use for ATM transactions with my
>credit card.

"Verified by VISA" was something that Visa came up with after being burned by
SET.  Instead of Visa having to go through the pain of coming up with and
deploying a secure system, they outsourced it.  The idea is that third-party
payment processors come up with whatever Rube Goldberg security scheme they
like, produce enough paperwork to overwhelm Visa's auditors, and then it gets
the "Verified by Visa" stamp of approval (and no, I'm not kidding about that

>I phoned my bank, and talked to somebody who could not understand the
>problem: "See the lock icon?  That means it's secure."

Yep, that's about the level of some of the "Verified by Visa" stuff I've seen.

(I'm sure they're not all that bad, but the few I've seen have been security
by handwaving and excessive production of paperwork.  The scary thing is that
there are probably quite good ones that didn't make the cut because they
couldn't produce enough paperwork).


