Verified by Visa is training people to get phished

NERD TIME, so feel free to ignore this.

I just placed an order for a brand new netbook to replace my current desktop (I’ll probably just use this netbook as a desktop machine, but I digress).

After a long and arduous decision process I hit submit on the shopping cart and ordered the thing. Or, rather, I had thought I ordered it. Between me and my laptop was the least legit looking XHTML floating window I had ever seen:

[Screenshot: Verified by Visa “opt-in”]

This was a little floating window coming from the merchant site. It SAID it was from “www.SecureSuite.net” and it SAID it was secure.  Of course, I had no way to verify that because (1) it was just a floating HTML window created by JavaScript and (2) the actual page I was on was located on the merchant’s website.

There is NO way to verify that this is being issued from my bank.  Absolutely NONE.

I did manage to figure out – by opening Firebug – that the JavaScript code was indeed coming from www.SecureSuite.net.  Though that didn’t help at all: who the heck is SecureSuite?  I’d never heard of it, and the “Suite” instead of “Site” made me think instantly of a phishing site.
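The check done by hand in Firebug above, written out as an added example that is not part of the original post: it lists where a page's scripts and frames really load from, compared with the origin in the address bar. The merchant host, the paths and the HTML are constructed for illustration; only www.SecureSuite.net comes from the post.

```javascript
// Constructed sample: a merchant checkout page that embeds a third-party
// script and frame. merchant.example and all paths are placeholders.
const PAGE_URL = "https://shop.merchant.example/checkout";
const SAMPLE_HTML = `
<script src="/js/cart.js"></script>
<script src="//www.SecureSuite.net/overlay.js"></script>
<iframe src="http://www.SecureSuite.net/enroll"></iframe>
<img src="https://cdn.merchant.example/logo.png">
`;

// List every script/iframe source with the origin it actually loads from,
// compared with the origin the user sees in the address bar.
function embeddedOrigins(pageUrl, html) {
  const page = new URL(pageUrl);
  const tagRe = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  for (const m of html.matchAll(tagRe)) {
    let target;
    try {
      target = new URL(m[2], page); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparsable src attribute: skip it
    }
    found.push({
      tag: m[1].toLowerCase(),
      origin: target.origin,
      thirdParty: target.origin !== page.origin,
      // Plain-HTTP content inside an HTTPS page is not covered by the page's TLS.
      insecure: page.protocol === "https:" && target.protocol !== "https:",
    });
  }
  return found;
}

// Distinct origins other than the page's own.
function thirdPartyOrigins(pageUrl, html) {
  const rows = embeddedOrigins(pageUrl, html).filter((r) => r.thirdParty);
  return [...new Set(rows.map((r) => r.origin))];
}

console.log(embeddedOrigins(PAGE_URL, SAMPLE_HTML));
```

The output names the origin serving the dialog, but says nothing about who operates that origin or whether a given bank uses it.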

Add on top of this: I didn’t think my card had “Verified by Visa” nor had I ever been prompted to use it.

So it says — not in this part of the screenshot, but above it — that enrollment is optional.  Indeed it is, unless you want to use the card to purchase something.  THEN it’s required.

I canceled the purchase, fairly sure it was a legit request, but not entirely convinced and also a little annoyed on principle.  This dialog is essentially forcing people, in order to use their card, to enter their SSN on a questionable website over a questionably secure connection.  All requested by a site that you’ve never heard of.  Just because they used your bank’s logo.

Brilliant, Chase.  Brilliant, Visa.  Way to train your users, you dumb idiots of stupidity.

12 Responses to “Verified by Visa is training people to get phished”

  1. LINDA CROWELL Says:

    I just got the same thing and like an idiot I filled it in because my Mac wouldn’t let me buy without filling it. I called my Visa and they seemed confused but told me that it was PROBABLY okay?
    Very strange.

  2. Julie Says:

    It does this every time I want to purchase anything. You can sign up to Verified Visa on your online banking site, so instead of the form above you get to personalize your own greeting message and just need to fill in a password.

    On the other hand, how it’s supposed to increase security is BEYOND ME.

    Also may I add, even after I signed up, it has NEVER worked. I used to click the *No Thanks button, now it doesn’t come up anymore.

    Thanks a blo*dy lot Visa.

  3. Paul Says:

    And when you do finally cave and realise this is going to be something we just have to live with if you want to continue to use the net in the immediate future, you’ll notice that the form doesn’t have a username box.

    They make one up for you! A different one for each visa card you have – which for me is 3!

    Really annoying!

  4. Pete Fairhurst Says:

    For corporations that waste (likely) billions on fraud recovery every year, it’s astonishing – nae outright despicable – the apparently pathetic amounts of money they’re willing to invest in online customer mechanisms like Verified by Visa.

    It’s an abysmal system, truly abysmal. When it’s not appearing as a floating overlay or JavaScript include/injection [sic], the Verified by Visa system often appears as an equally-anonymous IFRAME on merchant websites.

    Beyond this, the interface itself is probably one of the most amateurish and unfriendly pieces of UI for something this mainstream that I’ve come across in years. Ugly, cramped, perishingly small fonts, jammed up against equally small text boxes, surrounded by confusing, overly wordy “instructions”.

    And can you *ever* remember your password from one instance to the next..? No, me neither.

  5. Dan Fairs Says:

    Absolutely agree. Plus, of course, the password is trivially easy to reset. Relying on a date of birth as ‘secret’ is laughable these days.

    Time to write to Visa, I think.

  6. Chris Says:

    Moreover, if you use NoScript in Firefox, it really screws up. I hate it too.

  7. Alexander Limi (limi) 's status on Wednesday, 11-Nov-09 15:26:03 UTC - Identi.ca Says:

    [...] http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/ a few seconds ago from web [...]

  8. Paul D. Waite Says:

    It’s getting pretty popular in the UK too: Tesco and a couple of other sites are using it.

    Thankfully Amazon doesn’t yet. I’m using PayPal wherever it’s offered now.

  9. Dave Says:

    Hi

    Good article. I did a blog post similar to this a few weeks back but focusing more so on their forgot password functionality.

    I was already enrolled for 3D Secure but when prompted for my 3D secure password I selected the ‘forgot password’ option. Then I was prompted to enter some information to verify my identity. All of this information except for my date of birth was available on my card. Finding someone’s date of birth is not difficult with the popularity of social networking sites.

    I was able to change my password and make my purchase. Not very secure in my view!! You can find the complete blog post here –

    http://www.webpayments.ie/blog/fundamental-flaw-with-3d-secure.html

    Dave

  10. Richard Says:

    Nice post. I too have blogged about this offensive dialog box:

    http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business

    It beggars belief that Visa and Mastercard, the latter under their “SecureCode” brand, have adopted a technology that behaves just like the phishing attacks about which they constantly warn us.

    Verified by Visa would have more credibility if credit card companies were required to post the passwords to account-holders. This wouldn’t be difficult – it’s what they do with PINs, after all.

  11. G Says:

    If you fill out the first box with false information you get a second box asking you to set a password. But this second box has a “cancel” button that allows you to cancel the whole “Verified by Visa” thing and then your order goes through. I hope.

  12. Rene Says:

    Use Visa a lot. Today I came across Verified by Visa for the first time while buying tickets for a party. Tried twice with no success. All very fishy.
    Switched over to another way of payment for this transaction.
