Verified by Visa is training people to get phished

NERD TIME, so feel free to ignore this.

I just placed an order for a brand new netbook to replace my current desktop (I’ll probably just use this netbook as a desktop machine, but I digress).

After a long and arduous decision process I hit submit on the shopping cart and ordered the thing. Or, rather, I had thought I ordered it. Between me and my laptop was the least legit looking XHTML floating window I had ever seen:

Verified by Visa “opt-in”

This was a little floating window coming from the merchant site. It SAID it was from “www.SecureSuite.net” and it SAID it was secure.  Of course, I had no way to verify that because (1) it was just a floating HTML window created by JavaScript and (2) the actual page I was on was located on the merchant’s website.

There is NO way to verify that this is being issued from my bank.  Absolutely NONE.

I did manage to figure out – by opening Firebug – that the JavaScript code was indeed coming from www.SecureSuite.net.  Though that didn’t help at all: who the heck is SecureSuite?  I’d never heard of it, and the “Suite” instead of “Site” made me think instantly of a phishing site.

Add on top of this: I didn’t think my card had “Verified by Visa” nor had I ever been prompted to use it.

So it says — not in this part of the screenshot, but above it — that enrollment is optional.  Indeed it is, unless you want to use the card to purchase something.  THEN it’s required.

I canceled the purchase, fairly sure it was a legit request, but not entirely convinced and also a little annoyed on principle.  This dialog is essentially forcing people, in order to use their card, to enter their SSN on a questionable website over a questionably secure connection.  All requested by a site that you’ve never heard of.  Just because they used your bank’s logo.

Brilliant, Chase.  Brilliant, Visa.  Way to train your users, you dumb idiots of stupidity.

17 Responses to Verified by Visa is training people to get phished

  1. I just got the same thing and like an idiot I filled it in because my Mac wouldn’t let me buy without filling it. I called my Visa and they seemed confused but told me that it was PROBABLY okay?
    Very strange.

  2. Julie says:

    It does this every time I want to purchase anything. You can sign up to Verified Visa on your online banking site, so instead of the form above you get to personalize your own greeting message and just need to fill in a password.

    On the other hand, how it’s supposed to increase security is BEYOND ME.

    Also may I add, even after I signed up, it has NEVER worked. I used to click the *No Thanks button, now it doesn’t come up anymore.

    Thanks a blo*dy lot Visa.

  3. Paul says:

    And when you do finally cave and realise this is going to be something we just have to live with if you want to continue to use the net in the immediate future, you’ll notice that the form doesn’t have a username box.

    They make one up for you! A different one for each visa card you have – which for me is 3!

    Really annoying!

  4. For corporations that waste (likely) billions on fraud recovery every year, it’s astonishing – nae outright despicable – the apparently pathetic amounts of money they’re willing to invest in online customer mechanisms like Verified by Visa.

    It’s an abysmal system, truly abysmal. When it’s not appearing as a floating overlay or JavaScript include/injection [sic], the Verified by Visa system often appears as an equally-anonymous IFRAME on merchant websites.

    Beyond this, the interface itself is probably one of the most amateurish and unfriendly pieces of UI for something this mainstream that I’ve come across in years. Ugly, cramped, perishingly small fonts, jammed up against equally small text boxes, surrounded by confusing, overly wordy “instructions”.

    And can you *ever* remember your password from one instance to the next..? No, me neither.

  5. Dan Fairs says:

    Absolutely agree. Plus, of course, the password is trivially easy to reset. Relying on a date of birth as ‘secret’ is laughable these days.

    Time to write to Visa, I think.

  6. Chris says:

    Moreover, if you use NoScript in Firefox, it really screws up. I hate it too.

  7. It’s getting pretty popular in the UK too: Tesco and a couple of other sites are using it.

    Thankfully Amazon doesn’t yet. I’m using PayPal wherever it’s offered now.

  8. Dave says:

    Hi

    Good article. I did a blog post similar to this a few weeks back but focusing more so on their forgot password functionality.

    I was already enrolled for 3D Secure but when prompted for my 3D secure password I selected the ‘forgot password’ option. Then I was prompted to enter some information to verify my identity. All of this information except for my date of birth was available on my card. Finding someone’s date of birth is not difficult with the popularity of social networking sites.

    I was able to change my password and make my purchase. Not very secure in my view!! You can find the complete blog post here –

    http://www.webpayments.ie/blog/fundamental-flaw-with-3d-secure.html

    Dave

  9. Richard says:

    Nice post. I too have blogged about this offensive dialog box:

    http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business

    It beggars belief that Visa and Mastercard, the latter under their “SecureCode” brand, have adopted a technology that behaves just like the phishing attacks about which they constantly warn us.

    Verified by Visa would have more credibility if credit card companies were required to post the passwords to account-holders. This wouldn’t be difficult – it’s what they do with PINs, after all.

  10. G says:

    If you fill out the first box with false information you get a second box asking you to set a password. But this second box has a “cancel” button that allows you to cancel the whole “Verified by Visa” thing and then your order goes through. I hope.

  11. Rene says:

    Use Visa a lot. Today I came across Verified by Visa for the first time while buying tickets for a party. Tried twice with no success. All very fishy.
    Switched over to another way of payment for this transaction.

  12. I have to modify my filters to accommodate this. The filters are available here:

    http://www.HostsFile.org/pac.html
    http://www.SecureMecca.com/pac.html

    What gets me is that it gave me a user name I didn’t want and a phone number for my bank (I called – it is them so at least it is legitimate) but now I have an ad-hoc user name they created with no password, no way to change that, and no way to make a purchase! It says you need to login to your bank to set the stuff up. I did and there is nothing there. Either they need to have you set it up with your bank with a user name of your choice and a way to enter a password or they should scrap the whole fiasco.

    Does anybody know what it is for MasterCard? I heard they had something similar. But I had to modify my PAC filter rule from this which prevented access to bogusvisa.com:

    GoodDomains[i++] = ".visa.com";

    to this which allows it:

    GoodDomains[i++] = "visa.com";

    just because of this thing that is supposed to make you safer (they actually use just plain old “visa.com”). This rule used to prevent the bogusvisa.com:

    BadHostParts[i++] = "visa\.com";

    It still prevents unknown phishers like visa.com.gobbledygook.co.uk, but the fact that Visa doesn’t always call subdomain.visa.com or http://www.visa.com but instead uses just plain visa.com opens up a pattern for abuse.

    I think this needs to be sent to the scrap heap. I don’t mind a different user name and password from the bank and different ones for each card but the information should be creatable (sic) at each of your bank sites and not hidden some place in their menus. I never found the place to do it at my bank so I am going to have to go in and see them in person tomorrow. You should also have complete control of the process BEFORE you hit it at a purchase check-out. That opens up so many chances for abuse that you cannot believe it.

  13. Addendum:
    I should have said you will have no password if you don’t record or store it some place. I did, but how many people will fail to save their password which is created in an ad-hoc situation? I still contend it is something that the name used (they use your first name + last name + number) shows about as much creativity as mud. The entire process needs to be controlled from your banking institution. The online retailer should just say that you need to do that and THEN come back and finish the transaction. Every browser has tabs so you can easily do this or if not can start another window. Auto created user names lead to all kinds of problems. That is an addition to the way this is done (at the retailer) which is wrong. There are many web sites that are now compromised by pretenders doing this so beware that you get the real one. My PAC filter will have the updated rules on 2010-08-02 and I was able to move the “visa.com” rule back to “.visa.com” for more security. That will prevent thousands of unknown Visa look-alikes. VISA, ARE YOU LISTENING? Make all of your “visa.com” in your own web pages “www.visa.com” instead. Thanks.
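The ".visa.com" versus "visa.com" trade-off described in the two comments above, as an added example (not the commenter's actual PAC filter): a small PAC-style host classifier in JavaScript. It assumes, from the comment's description, that GoodDomains entries are matched as plain string suffixes and BadHostParts as regex fragments; the boundaryMatch variant is an added alternative that accepts the apex and its subdomains without admitting look-alikes, which the comment itself does not propose.

```javascript
// PAC-style host classification, written in the old-style JS a PAC engine runs.
// Order mirrors the filter described in the comment: a host matching an
// allowlisted domain is let through; otherwise a host matching a BadHostParts
// regex is blocked; anything else is left alone.

function suffixMatch(host, entry) {
  // Assumed matching rule of the original list: a plain string suffix.
  // ".visa.com" therefore misses the bare apex "visa.com", while "visa.com"
  // also catches the look-alike "bogusvisa.com".
  return host.length >= entry.length && host.slice(-entry.length) === entry;
}

function boundaryMatch(host, entry) {
  // Added alternative: match the apex itself or any subdomain of it, on a
  // label boundary, so "bogusvisa.com" never matches "visa.com".
  var apex = entry.charAt(0) === "." ? entry.slice(1) : entry;
  return host === apex || suffixMatch(host, "." + apex);
}

function classifyHost(host, goodDomains, badHostParts, matcher) {
  host = host.toLowerCase();
  for (var i = 0; i < goodDomains.length; i++) {
    if (matcher(host, goodDomains[i])) return "allow";
  }
  for (var j = 0; j < badHostParts.length; j++) {
    if (new RegExp(badHostParts[j], "i").test(host)) return "block";
  }
  return "pass";
}

// The BadHostParts rule from the comment (backslash escaped for a JS string).
var badHostParts = ["visa\\.com"];

// Constructed sample hosts, including the look-alike named in the comment.
var hosts = ["www.visa.com", "visa.com", "bogusvisa.com", "visa.com.gobbledygook.co.uk"];

// Classify every sample host under one GoodDomains list and one matcher.
function runTable(goodDomains, matcher) {
  var out = {};
  for (var k = 0; k < hosts.length; k++) {
    out[hosts[k]] = classifyHost(hosts[k], goodDomains, badHostParts, matcher);
  }
  return out;
}
```

With suffixMatch, [".visa.com"] blocks the legitimate bare visa.com and ["visa.com"] allows bogusvisa.com; boundaryMatch allows visa.com and www.visa.com while still blocking both look-alikes.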

  14. fml says:

    same thing…. wtf

  15. Paul Jones says:

    My wife is the primary card holder in the family and I’m the lowly “authorized user”. A long time ago, I got that stupid “Verified by Visa” prompt. Somehow, I decided it was legit and so I tried to authorize with it, but it rejected me. Oh! It wanted my wife’s information… silly me. So, I entered her information and I was given a password. A couple of years later, my wife was on a site — for the first time ever — trying to use her card where that stupid Verified by Visa prompt appeared. She had no idea what the password was. She did not trust it at all. She had never seen it. I had never told her about it. Had I not been there, she would have been stuck. Perhaps she could have easily gotten around it by indicating that she forgot her password, but how useless can this be? Verified by Visa is nothing but an annoyance and absolutely not security.

  16. crass says:

    Personally I like the way it gives a choice of completing to use on this and future purchases, indicating a choice – but no opt out button. A case of now you see it now you don’t, or a carrot and a sledge hammer.

    There is no such thing as 100% security. Even 1% insecure means 100% insecure. They seem to think that asking questions is security; it’s just difficulty.
