The 'Verified by Visa' credit-card check has come under criticism from Cambridge University researchers, who said it is training online shoppers to adopt risky security habits.
The feature, which is used to authenticate online financial transactions, confuses users by not displaying security cues, security engineering researchers Ross Anderson and Steven Murdoch said in a paper published on Tuesday.
"The technical design of Verified by Visa trains people in appallingly bad security habits," Anderson told ZDNet UK. "It gives the wrong signals."
The protocol underlying Verified by Visa, as well competitor MasterCard's SecureCode service, is 3-D Secure (3DS). The protocol is implemented as an iframe pop-up box, said Anderson. The pop-up does not display any commonly used markers, such as a colour-coded browser bar or 'https' in the URL, that demonstrate the box has been secured using the Transport Layer Security (TLS) protocol.
Because of this, online buyers have no visual verification that the box is a valid part of the credit-card transaction. If they enter their password when asked without knowing for certain it is protected, that is a bad security habit, the paper's authors argue.
The password-activation process for 3DS is also a weak spot, according to the researchers. Shoppers are asked to set up a password the first time they try to use a 3DS-enabled card for an online transaction. The process used for this is known as activation during shopping, or ADS. However, the ADS form presented to the buyer may use only weak authenticators, such as date of birth, in the process, said the researchers. Dates of birth are readily available online.
By training people to enter personal details into a form they may not fully trust, the 3DS system lays the groundwork for criminals to ask for more sensitive information, such as banking details, in a fake form, the researchers argue. A spoofed version of the form has been used in phishing attacks, they added.
Visa Europe on Wednesday rejected the researchers' criticisms. "Visa does not wholly agree with the premise and conclusions set out in the new paper by Cambridge researchers, which describes theoretical scenarios in which they believe Verified by Visa could be compromised," the credit-card company said. "Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions."
In isolation, the security feature cannot solve the problem of online fraud, Visa noted. However, as part of a verification system with several layers of security, Verified by Visa limits opportunities for fraudulent transactions, it said.
In addition, card-not-present fraud has fallen, according to figures from Financial Fraud Action UK. Visa attributed this fall to the implementation of online security procedures such as Verified by Visa.
Talkback
I've used this and I feel I'm actually more at risk because of this, its just another case of having to transfer more personal detail's across the net after I've already sighed into a secure online service, having already being verified by that online retailer.
The first I ever heard of this service was when one day it was thrust upon me without option, after hitting a buy button after having signed into and gone through the checkout phase of a online store, no warning's no heads up just poof! you have to use me! to buy something.
To be honest the home page for verified by visa looks like a joke a like a tin pot outfit operation, having looked at it you feel like this is a joke right?!
Not all stores have adopted this either its being out there for some time now, and that says a great deal about how they feel about it, its intrusive, abrupt, and scares customers away its just crap.
Now visa expect people to believe online fraudulent cases are dropping significantly because of there crap vbv service?! I sincerely doubt that, seems to be Cambridge snagged a nerve eh, truth hurts.
I agree with the article and the comment before mine.
As far as I can see it would be trivially easy to produce a 100% perfect imitation vbv frame and phish for vbv passwords.
Useless.
every time I buy something on-line and I come to this website I click on "forgotten password". I then get asked for
my name (as printed on the card)
the expiry of the card (as printed on the card)
my date of birth (as printed on 3 other bits of plastic in my wallet).
Anyone stealing my wallet can buy as much as they like.
Visa say that they encourage the banks to ask other information, and its just my bank that only seems to ask for DOB.
secure as a wet tea bag
You mentioned this i forgot about that, same here they extract all the juicy stuff in one go, if you forgot ya password. :( its like trying to progress on a treadmill.
i have to reset the password every time i use it due to a vicious circle
1) can't remember the password. I've tried Password01 but its not that
2) reset password - "password 02"
3) 'password has already been used, please use another'
4) ok, reset password to "password100"
acepted and i can make the purchase.
however next time... what was my password? password01? password02? password03? reset please.
every time i have to reset the password it gets more and more obscure (password20001) and i have less chance of remembering it.
Did not realize that it hung onto previously used passwords, just when you think it couldn't get any worse. :/
How many web commerce sites using "Verified by VISA" work with iPhone and iPad? Having failed yet again to complete a purchase transaction caused by "Verified by VISA" not accepting the 3rd security digit. Today I called my UK Card provider's helpline. After being handed through several operators support staff admitted that "Verified by VISA" was "unreliable" on iPhone and iPad and recommended using a desktop PC at home and taking my laptop on business travel instead of iPad so I can reliably book a flight with VISA card!
Some more observations by an extremely frustrated user in Canada (apparently every country has a different set of "issues"):
The web interfaces are exceedingly poorly designed and lead to significant frustration if the password is mis-typed. The user is sent to a pop-up containing three security questions. Should any of the answers not match the ones on record with Verified by Visa, the only option is to call the VbV phone number. But the number is displayed (in N.America) as 1-888-611-VISA(2500) ... where the final 4 digits are nothing to do with the phone number at all but apparently are an internal web page error code! In common usage of course, these numbers are actual phone digits, for users who do not care to search the numeric keypad for the mnemonic letters "VISA". Once this problem is sorted out, the number leads to an extended series of automated responses that do not include any reference to VbV problems.
If one manages eventually to talk to a customer service agent they reset the password, and you have to choose another - only then does one discover that VbV records a password history (see above) and so it is impossible at that point to reset it to anything memorizable.
VbV does have a website for changing profiles. This includes the password and the initial prompt phrase that is designed to prevent fraud and/or phishing (again, see above). However, it appears that THERE IS NO WAY FOR A USER TO CHANGE OR EVEN VIEW THE SECURITY QUESTIONS!! (and I was told by a Visa customer service rep that it is a widespread complaint, not surprisingly). One of the other most frustrating aspects of the website is that there is no way to synchronize with one's online Visa banking profile - where the password and single security question rules are quite different and not nearly as onerous. One has to ask, too, why THREE questions, and what possible security is there in keeping a password history?
By the way, I found that the password cache contains at most 5 entries, so you can re-enter your original password if you're persistent.