Comments on: Verified by Visa is training people to get phished

By: Henry Hertz Hobbit

Henry Hertz Hobbit — Fri, 30 Jul 2010 21:36:24 +0000

Addendum:
I should have said you will have no password if you don’t record or store it some place. I did, but how many people will fail to save their password which is created in an ad-hoc situation? I still contend it is something that the name used (they use your first name + last name + number) shows about as much creativity as mud. The entire process needs to be controlled from your banking institution. The online retailer should just say that you need to do that and THEN come back and finish the transaction. Every browser has tabs so you can easily do this or if not can start another window. Auto created user names lead to all kinds of problems. That is an addition to the way this is done (at the retailer) which is wrong. There are many web sites that are now compromised by pretenders doing this so beware that you get the real one. My PAC filter will have the updated rules on 2010-08-02 and I was able to move the “visa.com” rule back to “.visa.com” for more security. That will prevent thousands of unknown Visa look-alikes. VISA, ARE YOU LISTENING? Make all of your “visa.com” in your own web pages “www.visa.com” instead. Thanks.

By: Henry Hertz Hobbit

Henry Hertz Hobbit — Fri, 30 Jul 2010 07:36:50 +0000

I have to modify my filters to accomodate this. The filters are available here:

http://www.HostsFile.org/pac.html
http://www.SecureMecca.com/pac.html

What gets me is that it gave me a user name I didn’t want and a phone number for my bank (I called – it is them so at least it is legitimate) but now I have an ad-hoc user name they created with no password, no way to change that, and no way to make a purchase! It says you need to login to your bank to set the stuff up. I did and there is nothing there. Either they need to have you set it up with your bank with a user name of your choice and a way to enter a password or they should scrap the whole fiasco.

Does anybody know what it is for MasterCard? I heard they had something similar. But I had to modify my PAC filter rule from this which prevented access to bogusvisa.com:

GoodDomains[i++] = “.visa.com”;

to this which allows it:

GoodDomains[i++] = “visa.com”

just because of this thing that is supposed to make you safer (they actually use just plain old “visa.com”). This rule used to prevent the bogusvisa.com:

BadHostParts[i++] = “visa\.com”;

It still prevents unknown phishers like visa.com.gobbledygook.co.uk, but the fact that Visa doesn’t always call subdomain.visa.com or http://www.visa.com but instead uses just plain visa.com opens up a pattern for abuse.

I think this needs to be sent to the scrap heap. I don’t mind a different user name and password from the bank and different ones for each card but the information should be creatable (sic) at each of your bank sites and not hid some place in their menus. I never found the place to do it at my bank so I am going to have to go in and see them in person tomorrow. You should also have complete control of the process BEFORE you hit it at a purchase check-out. That opens up so many chances for abuse that you cannot believe it.

By: Rene

Rene — Mon, 21 Dec 2009 09:26:31 +0000

Use Visa allot. Today I came across Verified by Visa first time while buying tickets for a party. Tried twice with no success. All very fishy.
Switched over to another way of payment for this transaction.

By: G

Thu, 03 Dec 2009 00:40:52 +0000

If you fill out the first box with false information you get a second box asking you to set a password. But this second box has a “cancel” button that allows you to cancel the whole “Verified by Visa” thing and then your order goes through. I hope.

By: Richard

Richard — Mon, 16 Nov 2009 10:45:24 +0000

Nice post. I too have blogged about this offensive dialog box:

http://www.richardskingdom.net/verified-by-visa-bad-for-security-worse-for-business

It beggars belief that Visa and Mastercard, the latter under their “SecureCode” brand, have adopted a technology that behaves just like the phishing attacks about which they constantly warn us.

Verified by Visa would have more credibility if credit card companies were required to post the passwords to account-holders. This wouldn’t be difficult – it’s what they do with PINs, after all.

By: Dave

Dave — Thu, 12 Nov 2009 23:05:52 +0000

Good article. I did a blog post similar to this a few weeks back but focusing more so on their forgot password functionality.

I was already enrolled for 3D Secure but when prompted for my 3D secure password I selected the ‘forgot password’ option. Then I was prompted to enter some information to verify my identity. All of this information except for my date of birth was available on my card. Finding someone’s date of birth is not difficult with the popularity of social networking sites.

I was able to change my password and make my purchase. Not very secure in my view!! You can find the complete blog post here –

http://www.webpayments.ie/blog/fundamental-flaw-with-3d-secure.html

Dave

By: Paul D. Waite

Paul D. Waite — Wed, 11 Nov 2009 16:43:21 +0000

It’s getting pretty popular in the UK too: Tesco and a couple of other sites are using it.

Thankfully Amazon doesn’t yet. I’m using PayPal wherever it’s offered now.

By: Alexander Limi (limi) 's status on Wednesday, 11-Nov-09 15:26:03 UTC - Identi.ca

Alexander Limi (limi) 's status on Wednesday, 11-Nov-09 15:26:03 UTC - Identi.ca — Wed, 11 Nov 2009 15:26:07 +0000

[...] http://eviljim.com/archives/2009/05/verified-by-visa-is-training-people-to-get-phished/ a few seconds ago from web [...]

By: Chris

Chris — Wed, 11 Nov 2009 15:19:45 +0000

Moreover, if you use NoScript in Firefox, it really screws up. I hate it too.

By: Dan Fairs

Dan Fairs — Wed, 11 Nov 2009 15:15:25 +0000

Absolutely agree. Plus, of course, the password is trivially easy to reset. Relying on a date of birth as ‘secret’ is laughable these days.

Time to write to Visa, I think.

By: Pete Fairhurst

Pete Fairhurst — Wed, 11 Nov 2009 14:48:25 +0000

For corporations that waste (likely) billions on fraud recovery every year, it’s astonishing – nae outright despicable – the apparently pathetic amounts of money they’re willing to invest in online customer mechanisms like Verified by Visa.

It’s an abysmal system, truly abysmal. When it’s not appearing as a floating overlay or JavaScript include/injection [sic], the Verified by Visa system often appears as an equally-anonymous IFRAME on merchant websites.

Beyond this, the interface itself is probably one of the most amateurish and unfriendly pieces of UI for something this mainstream that I’ve come across in years. Ugly, cramped, perishingly small fonts, jammed up against equally small text boxes, surrounded by confusing, overly wordy “instructions”.

And can you *ever* remember your password from one instance to the next..? No, me neither.

By: Paul

Paul — Wed, 11 Nov 2009 14:16:33 +0000

And when you do finally cave and realise this is going to be something we just have to live with if you want to continue to use the net in the immediate future, you’ll notice that the form doesn’t have a username box.

They make one up for you! A different one for each visa card you have – which for me is 3!

Really annoying!

By: Julie

Julie — Wed, 10 Jun 2009 08:30:12 +0000

It does this everytime I was to purchase anything. You can sign up to Verified Visa on your online banking site, so instead of the form above you get to personalize your own greeting message and a just need to fill in a password.

On the other hand, how it’s supposed to increase security is BEYOND ME.

Also may I add, even after I signed up, it has NEVER worked. I used to click the *No Thanks button, now it doesn’t come up anymore.

Thanks a blo*dy lot Visa.

By: LINDA CROWELL

LINDA CROWELL — Sun, 07 Jun 2009 02:12:44 +0000

I just got the same thing and like an idiot I filled it in because my Mac wouldn’t let me buy without filling it. I called my Visa and they seemed confused but told me that it was PROBABLY okay?
Very strange.