Comments on: Verified by Visa is training people to get phished http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/ jim reardon (from joliet / shorewood, illinois, and former microsoft intern guy) Mon, 12 Sep 2011 02:53:30 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Paul Jones http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-22706 Paul Jones Mon, 12 Sep 2011 02:53:30 +0000 http://eviljim.com/?p=427#comment-22706 My wife is the primary card holder in the family and I'm the lowly "authorized user". A long time ago, I got that stupid "Verified by Visa" prompt. Somehow, I decided it was legit and so I tried to authorize with it, but it rejected me. Oh! It wanted my wife's information... silly me. So, I entered her information and I was given a password. A couple of years later, my wife was on a site -- for the first time ever -- trying to use her card where that stupid Verified by Visa prompt appeared. She had no idea what the password was. She did not trust it at all. She had never seen it. I had never told her about it. Had I not been there, she would have been stuck. Perhaps she could have easily gotten around it by indicating that she forgot her password, but how useless can this be? Verified by Visa is nothing but an annoyance and absolutely not security. My wife is the primary card holder in the family and I’m the lowly “authorized user”. A long time ago, I got that stupid “Verified by Visa” prompt. Somehow, I decided it was legit and so I tried to authorize with it, but it rejected me. Oh! It wanted my wife’s information… silly me. So, I entered her information and I was given a password. A couple of years later, my wife was on a site — for the first time ever — trying to use her card where that stupid Verified by Visa prompt appeared. She had no idea what the password was. She did not trust it at all. She had never seen it. I had never told her about it. Had I not been there, she would have been stuck. Perhaps she could have easily gotten around it by indicating that she forgot her password, but how useless can this be? Verified by Visa is nothing but an annoyance and absolutely not security.

]]> By: fml http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-19477 fml Tue, 29 Mar 2011 09:58:33 +0000 http://eviljim.com/?p=427#comment-19477 same thing.... wtf same thing…. wtf

]]> By: Henry Hertz Hobbit http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-15273 Henry Hertz Hobbit Fri, 30 Jul 2010 21:36:24 +0000 http://eviljim.com/?p=427#comment-15273 Addendum: I should have said you will have no password if you don't record or store it some place. I did, but how many people will fail to save their password which is created in an ad-hoc situation? I still contend it is something that the name used (they use your first name + last name + number) shows about as much creativity as mud. The entire process needs to be controlled from your banking institution. The online retailer should just say that you need to do that and THEN come back and finish the transaction. Every browser has tabs so you can easily do this or if not can start another window. Auto created user names lead to all kinds of problems. That is an addition to the way this is done (at the retailer) which is wrong. There are many web sites that are now compromised by pretenders doing this so beware that you get the real one. My PAC filter will have the updated rules on 2010-08-02 and I was able to move the "visa.com" rule back to ".visa.com" for more security. That will prevent thousands of unknown Visa look-alikes. VISA, ARE YOU LISTENING? Make all of your "visa.com" in your own web pages "www.visa.com" instead. Thanks. Addendum:
I should have said you will have no password if you don’t record or store it some place. I did, but how many people will fail to save their password which is created in an ad-hoc situation? I still contend it is something that the name used (they use your first name + last name + number) shows about as much creativity as mud. The entire process needs to be controlled from your banking institution. The online retailer should just say that you need to do that and THEN come back and finish the transaction. Every browser has tabs so you can easily do this or if not can start another window. Auto created user names lead to all kinds of problems. That is an addition to the way this is done (at the retailer) which is wrong. There are many web sites that are now compromised by pretenders doing this so beware that you get the real one. My PAC filter will have the updated rules on 2010-08-02 and I was able to move the “visa.com” rule back to “.visa.com” for more security. That will prevent thousands of unknown Visa look-alikes. VISA, ARE YOU LISTENING? Make all of your “visa.com” in your own web pages “www.visa.com” instead. Thanks.

]]> By: Henry Hertz Hobbit http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-15265 Henry Hertz Hobbit Fri, 30 Jul 2010 07:36:50 +0000 http://eviljim.com/?p=427#comment-15265 I have to modify my filters to accomodate this. The filters are available here: http://www.HostsFile.org/pac.html http://www.SecureMecca.com/pac.html What gets me is that it gave me a user name I didn't want and a phone number for my bank (I called - it is them so at least it is legitimate) but now I have an ad-hoc user name they created with no password, no way to change that, and no way to make a purchase! It says you need to login to your bank to set the stuff up. I did and there is nothing there. Either they need to have you set it up with your bank with a user name of your choice and a way to enter a password or they should scrap the whole fiasco. Does anybody know what it is for MasterCard? I heard they had something similar. But I had to modify my PAC filter rule from this which prevented access to bogusvisa.com: GoodDomains[i++] = ".visa.com"; to this which allows it: GoodDomains[i++] = "visa.com" just because of this thing that is supposed to make you safer (they actually use just plain old "visa.com"). This rule used to prevent the bogusvisa.com: BadHostParts[i++] = "visa\.com"; It still prevents unknown phishers like visa.com.gobbledygook.co.uk, but the fact that Visa doesn't always call subdomain.visa.com or www.visa.com but instead uses just plain visa.com opens up a pattern for abuse. I think this needs to be sent to the scrap heap. I don't mind a different user name and password from the bank and different ones for each card but the information should be creatable (sic) at each of your bank sites and not hid some place in their menus. I never found the place to do it at my bank so I am going to have to go in and see them in person tomorrow. You should also have complete control of the process BEFORE you hit it at a purchase check-out. That opens up so many chances for abuse that you cannot believe it. I have to modify my filters to accomodate this. The filters are available here:

http://www.HostsFile.org/pac.html
http://www.SecureMecca.com/pac.html

What gets me is that it gave me a user name I didn’t want and a phone number for my bank (I called – it is them so at least it is legitimate) but now I have an ad-hoc user name they created with no password, no way to change that, and no way to make a purchase! It says you need to login to your bank to set the stuff up. I did and there is nothing there. Either they need to have you set it up with your bank with a user name of your choice and a way to enter a password or they should scrap the whole fiasco.

Does anybody know what it is for MasterCard? I heard they had something similar. But I had to modify my PAC filter rule from this which prevented access to bogusvisa.com:

GoodDomains[i++] = “.visa.com”;

to this which allows it:

GoodDomains[i++] = “visa.com”

just because of this thing that is supposed to make you safer (they actually use just plain old “visa.com”). This rule used to prevent the bogusvisa.com:

BadHostParts[i++] = “visa\.com”;

It still prevents unknown phishers like visa.com.gobbledygook.co.uk, but the fact that Visa doesn’t always call subdomain.visa.com or http://www.visa.com but instead uses just plain visa.com opens up a pattern for abuse.

I think this needs to be sent to the scrap heap. I don’t mind a different user name and password from the bank and different ones for each card but the information should be creatable (sic) at each of your bank sites and not hid some place in their menus. I never found the place to do it at my bank so I am going to have to go in and see them in person tomorrow. You should also have complete control of the process BEFORE you hit it at a purchase check-out. That opens up so many chances for abuse that you cannot believe it.

]]> By: Rene http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-12292 Rene Mon, 21 Dec 2009 09:26:31 +0000 http://eviljim.com/?p=427#comment-12292 Use Visa allot. Today I came across Verified by Visa first time while buying tickets for a party. Tried twice with no success. All very fishy. Switched over to another way of payment for this transaction. Use Visa allot. Today I came across Verified by Visa first time while buying tickets for a party. Tried twice with no success. All very fishy.
Switched over to another way of payment for this transaction.

]]> By: G http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-12270 G Thu, 03 Dec 2009 00:40:52 +0000 http://eviljim.com/?p=427#comment-12270 If you fill out the first box with false information you get a second box asking you to set a password. But this second box has a "cancel" button that allows you to cancel the whole "Verified by Visa" thing and then your order goes through. I hope. If you fill out the first box with false information you get a second box asking you to set a password. But this second box has a “cancel” button that allows you to cancel the whole “Verified by Visa” thing and then your order goes through. I hope.

]]> By: Richard http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-12238 Richard Mon, 16 Nov 2009 10:45:24 +0000 http://eviljim.com/?p=427#comment-12238 Nice post. I too have blogged about this offensive dialog box: http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business It beggars belief that Visa and Mastercard, the latter under their "SecureCode" brand, have adopted a technology that behaves just like the phishing attacks about which they constantly warn us. Verified by Visa would have more credibility if credit card companies were required to post the passwords to account-holders. This wouldn't be difficult - it's what they do with PINs, after all. Nice post. I too have blogged about this offensive dialog box:

http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business

It beggars belief that Visa and Mastercard, the latter under their “SecureCode” brand, have adopted a technology that behaves just like the phishing attacks about which they constantly warn us.

Verified by Visa would have more credibility if credit card companies were required to post the passwords to account-holders. This wouldn’t be difficult – it’s what they do with PINs, after all.

]]> By: Dave http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-12103 Dave Thu, 12 Nov 2009 23:05:52 +0000 http://eviljim.com/?p=427#comment-12103 Hi Good article. I did a blog post similar to this a few weeks back but focusing more so on their forgot password functionality. I was already enrolled for 3D Secure but when prompted for my 3D secure password I selected the 'forgot password' option. Then I was prompted to enter some information to verify my identity. All of this information except for my date of birth was available on my card. Finding someone's date of birth is not difficult with the popularity of social networking sites. I was able to change my password and make my purchase. Not very secure in my view!! You can find the complete blog post here - http://www.webpayments.ie/blog/fundamental-flaw-with-3d-secure.html Dave Hi

Good article. I did a blog post similar to this a few weeks back but focusing more so on their forgot password functionality.

I was already enrolled for 3D Secure but when prompted for my 3D secure password I selected the ‘forgot password’ option. Then I was prompted to enter some information to verify my identity. All of this information except for my date of birth was available on my card. Finding someone’s date of birth is not difficult with the popularity of social networking sites.

I was able to change my password and make my purchase. Not very secure in my view!! You can find the complete blog post here –

http://www.webpayments.ie/blog/fundamental-flaw-with-3d-secure.html

Dave

]]> By: Paul D. Waite http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-12012 Paul D. Waite Wed, 11 Nov 2009 16:43:21 +0000 http://eviljim.com/?p=427#comment-12012 It’s getting pretty popular in the UK too: Tesco and a couple of other sites are using it. Thankfully Amazon doesn’t yet. I’m using PayPal wherever it’s offered now. It’s getting pretty popular in the UK too: Tesco and a couple of other sites are using it.

Thankfully Amazon doesn’t yet. I’m using PayPal wherever it’s offered now.

]]> By: Alexander Limi (limi) 's status on Wednesday, 11-Nov-09 15:26:03 UTC - Identi.ca http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/comment-page-1/#comment-12011 Alexander Limi (limi) 's status on Wednesday, 11-Nov-09 15:26:03 UTC - Identi.ca Wed, 11 Nov 2009 15:26:07 +0000 http://eviljim.com/?p=427#comment-12011 [...] http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/ a few seconds ago from web [...] [...] http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/ a few seconds ago from web [...]

]]>